IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix detection of deleted masters

Browse Source 
When setting up agreements we need to be careful in not allowing to
'reconnect' a master that was previously completely deleted as it would
misses entries that are vital for proper functioning.  This change in code
fixes 2 problems with the current approach.
1) it removes false positives when we are tryig to reconnect a replica that
was previosuly merely disconnected but was still part of the domain and just
replicating via a different topology and not a direct link
2) adds checks for entries that are deleted when an actual removal is
performed. so that we cannot 'reconnect' previously unrelated replicas when
one of the 2 has been permanently deleted from the masters tree.

Second part of ticket https://fedorahosted.org/freeipa/ticket/2925
This commit is contained in:
Simo Sorce 2012-07-12 15:04:03 -04:00 committed by Rob Crittenden
parent 87040c0af1
commit 32c1aa45b3
1 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
install/tools/ipa-replica-manage
View File

@ -401,18 +401,24 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
options.passsync, options.win_subtree, options.passsync, options.win_subtree,
options.cacert) options.cacert)
else: else:
# First see if we already exist on the remote master. If so this was # Check if the master entry exists for both servers.
# a previously deleted connection. # If one of the tree misses one of the entries, it means one of the
# replicas was fully deleted previously and needs to be reinstalled
# from scratch
try: try:
masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), (api.env.basedn))
master1_dn = str(DN(('cn', replica1), masters_dn))
master2_dn = str(DN(('cn', replica2), masters_dn))
repl1.conn.getEntry(master1_dn, ldap.SCOPE_BASE)
repl1.conn.getEntry(master2_dn, ldap.SCOPE_BASE)
repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd) repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd)
master_dn = repl2.replica_dn() repl2.conn.getEntry(master1_dn, ldap.SCOPE_BASE)
binddn = str(DN(('krbprincipalname','ldap/%s@%s' % (replica1, api.env.realm)),(api.env.container_service),(api.env.basedn))) repl2.conn.getEntry(master2_dn, ldap.SCOPE_BASE)
master = repl2.conn.getEntry(master_dn, ldap.SCOPE_BASE)
binddns = master.getValues('nsDS5ReplicaBindDN')
if binddns and binddn in binddns:
sys.exit("You cannot connect to a previously deleted master")
except errors.NotFound: except errors.NotFound:
pass sys.exit("You cannot connect to a previously deleted master")
repl1.setup_gssapi_replication(replica2, "cn=Directory Manager", dirman_passwd) repl1.setup_gssapi_replication(replica2, "cn=Directory Manager", dirman_passwd)
print "Connected '%s' to '%s'" % (replica1, replica2) print "Connected '%s' to '%s'" % (replica1, replica2)