Replication: Adjust replica installation to omit processing memberof computations

https://fedorahosted.org/freeipa/ticket/1794 If the master does not yet support the total update list feature we still run the memberof fixup task and not fail to replicate due to the new attribute not being settable. Jointly-developed-with: Simo Sorce <ssorce@redhat.com> Jointly-developed-with: Nathank Kinder <nkinder@redhat.com>
2025-02-25 18:55:28 -06:00 · 2011-09-16 10:23:02 -07:00
parent 20ad8fe1ba
commit 714b0d11ec
4 changed files with 30 additions and 6 deletions
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -469,7 +469,6 @@ def main():
        raise RuntimeError("Failed to configure the client")

    ds.replica_populate()
-    ds.init_memberof()

    #Everything installed properly, activate ipa service.
    ipaservices.knownservices.ipa.enable()
--- a/install/ui/test/data/json_metadata.json
+++ b/install/ui/test/data/json_metadata.json
@@ -3273,6 +3273,7 @@
                    "nsds5replicaroot",
                    "nsds5replicasessionpausetime",
                    "nsds5replicatedattributelist",
+                    "nsds5replicatedattributelisttotal",
                    "nsds5replicatimeout",
                    "nsds5replicatombstonepurgeinterval",
                    "nsds5replicatransportinfo",
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -149,6 +149,7 @@ class DsInstance(service.Service):
        self.idmax = None
        self.subject_base = None
        self.open_ports = []
+        self.run_init_memberof = True
        if realm_name:
            self.suffix = util.realm_to_suffix(self.realm_name)
            self.__setup_sub_dict()
@@ -275,6 +276,7 @@ class DsInstance(service.Service):
        repl.setup_replication(self.master_fqdn,
                               r_binddn="cn=Directory Manager",
                               r_bindpw=self.dm_password)
+        self.run_init_memberof = repl.needs_memberof_fixup()

    def __enable(self):
        self.backup_state("enabled", self.is_enabled())
@@ -413,6 +415,10 @@ class DsInstance(service.Service):
        self._ldap_mod("memberof-conf.ldif")

    def init_memberof(self):
+
+        if not self.run_init_memberof:
+            return
+
        self._ldap_mod("memberof-task.ldif", self.sub_dict)
        # Note, keep dn in sync with dn in install/share/memberof-task.ldif
        dn = "cn=IPA install %s,cn=memberof task,cn=tasks,cn=config" % self.sub_dict["TIME"]
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -107,6 +107,7 @@ class ReplicationManager(object):
        self.starttls = starttls
        tmp = util.realm_to_suffix(realm)
        self.suffix = str(DN(tmp)).lower()
+        self.need_memberof_fixup = False

        # If we are passed a password we'll use it as the DM password
        # otherwise we'll do a GSSAPI bind.
@@ -433,6 +434,7 @@ class ReplicationManager(object):
        which use a different name on each side. If master is None then
        isn't a dogtag replication agreement.
        """
+
        cn, dn = self.agreement_dn(b_hostname, master=master)
        try:
            a_conn.getEntry(dn, ldap.SCOPE_BASE)
@@ -440,11 +442,14 @@ class ReplicationManager(object):
        except errors.NotFound:
            pass

-        # List of attributes that need to be excluded from replication.
-        excludes = ('memberof', 'entryusn',
-                    'krblastsuccessfulauth',
-                    'krblastfailedauth',
-                    'krbloginfailedcount')
+        # List of attributes that need to be excluded from replication initialization.
+        totalexcludes = ('entryusn',
+                         'krblastsuccessfulauth',
+                         'krblastfailedauth',
+                         'krbloginfailedcount')
+
+        # List of attributes that need to be excluded from normal replication.
+        excludes = ('memberof', ) + totalexcludes

        entry = ipaldap.Entry(dn)
        entry.setValues('objectclass', "nsds5replicationagreement")
@@ -472,8 +477,21 @@ class ReplicationManager(object):

        a_conn.add_s(entry)

+        try:
+            mod = [(ldap.MOD_ADD, 'nsDS5ReplicatedAttributeListTotal',
+                   '(objectclass=*) $ EXCLUDE %s' % " ".join(totalexcludes))]
+            a_conn.modify_s(dn, mod)
+        except ldap.LDAPError, e:
+            # Apparently there are problems set the total list
+            # Probably the master is an old 389-ds server, tell the caller
+            # that we will have to set the memberof fixup task
+            self.need_memberof_fixup = True
+
        entry = a_conn.waitForEntry(entry)

+    def needs_memberof_fixup(self):
+        return self.need_memberof_fixup
+
    def setup_krb_princs_as_replica_binddns(self, a, b):
        """
        Search the appropriate principal names so we can get