IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa-replica-manage: Do not allow topology altering commands from DL 1

Browse Source 
With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated. Following commands
are prohibited:

* connect
* disconnect

Upon executing any of these commands, users are pointed out to the
ipa topologysegment-* replacements.

Exception is creation/deletion of winsync agreement.

Part of: https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Petr Vobornik 2015-06-10 18:23:37 +02:00
parent 4137f2a8ed
commit 45dccedd12
1 changed files with 37 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
install/tools/ipa-replica-manage
View File

@ -241,23 +241,32 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
""" """
repl2 = None repl2 = None
what = "Removal of IPA replication agreement"
managed_topology = has_managed_topology()
try: try:
repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd) repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)
type1 = repl1.get_agreement_type(replica2) type1 = repl1.get_agreement_type(replica2)
repl_list = repl1.find_ipa_replication_agreements()
if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
print "Cannot remove the last replication link of '%s'" % replica1
print "Please use the 'del' command to remove it from the domain"
return False
except errors.NotFound: except errors.NotFound:
print "'%s' has no replication agreement for '%s'" % (replica1, replica2) # it's possible that the agreement could not have been found because of
# the new topology plugin naming convention: <A>-to-<B> instead of
# meTo<B>.
if managed_topology:
print "'%s' has no winsync replication agreement for '%s'" % (replica1, replica2)
exit_on_managed_topology(what)
else:
print "'%s' has no replication agreement for '%s'" % (replica1, replica2)
return False return False
except Exception, e: except Exception, e:
print "Failed to determine agreement type for '%s': %s" % (replica1, e) print "Failed to determine agreement type for '%s': %s" % (replica2, e)
if type1 == replication.IPA_REPLICA and managed_topology:
exit_on_managed_topology(what)
repl_list = repl1.find_ipa_replication_agreements()
if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
print "Cannot remove the last replication link of '%s'" % replica1
print "Please use the 'del' command to remove it from the domain"
return False return False
if type1 == replication.IPA_REPLICA: if type1 == replication.IPA_REPLICA:
@ -747,12 +756,6 @@ def del_master(realm, hostname, options):
try: try:
if bindinstance.dns_container_exists(options.host, thisrepl.suffix, if bindinstance.dns_container_exists(options.host, thisrepl.suffix,
dm_password=options.dirman_passwd): dm_password=options.dirman_passwd):
if options.dirman_passwd:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=options.dirman_passwd)
else:
ccache = krbV.default_context().default_ccache()
api.Backend.ldap2.connect(ccache=ccache)
bind = bindinstance.BindInstance() bind = bindinstance.BindInstance()
bind.remove_master_dns_records(hostname, realm, realm.lower()) bind.remove_master_dns_records(hostname, realm, realm.lower())
bind.remove_ipa_ca_dns_records(hostname, realm.lower()) bind.remove_ipa_ca_dns_records(hostname, realm.lower())
@ -777,6 +780,8 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
if os.getegid() != 0: if os.getegid() != 0:
root_logger.error("winsync agreements need to be created as root") root_logger.error("winsync agreements need to be created as root")
sys.exit(1) sys.exit(1)
elif has_managed_topology():
exit_on_managed_topology("Creation of IPA replication agreement")
try: try:
repl = replication.ReplicationManager(realm, replica1, dirman_passwd) repl = replication.ReplicationManager(realm, replica1, dirman_passwd)
@ -1167,6 +1172,14 @@ def set_DNA_range(hostname, range, realm, dirman_passwd, next_range=False,
except Exception, e: except Exception, e:
sys.exit("Updating range failed: %s" % e) sys.exit("Updating range failed: %s" % e)
def has_managed_topology():
domainlevel = api.Command['domainlevel_get']().get('result', 0)
return domainlevel > 0
def exit_on_managed_topology(what):
sys.exit("{0} is deprecated with managed IPA replication topology. "
"Please use `ipa topologysegment-*` commands to manage "
"the topology.".format(what))
def main(): def main():
if os.getegid() == 0: if os.getegid() == 0:
@ -1209,6 +1222,14 @@ def main():
options.dirman_passwd = dirman_passwd options.dirman_passwd = dirman_passwd
# Initialize the LDAP connection
if options.dirman_passwd:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=options.dirman_passwd)
else:
ccache = krbV.default_context().default_ccache()
api.Backend.ldap2.connect(ccache=ccache)
if args[0] == "list": if args[0] == "list":
replica = None replica = None
if len(args) == 2: if len(args) == 2: