Fixing replica install: fix ldap connection in domlvl 0

Now, at the domain level 0, the replica install always uses Directory Manager credentials to create the LDAP connection. Since ACIs permitting hosts to manage their own services were added in 4.2 release, the old master denies this operations. https://pagure.io/freeipa/issue/6549 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-03-21 09:05:56 -03:00
parent fe17d187f9
commit 772d4e3d4e
1 changed files with 10 additions and 1 deletions
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1391,7 +1391,16 @@ def install(installer):
    dsinstance.create_ds_user()

    try:
-        conn.connect(ccache=ccache)
+        if promote:
+            conn.connect(ccache=ccache)
+        else:
+            # dmlvl 0 replica install should always use DM credentials
+            # to create remote LDAP connection. Since ACIs permitting hosts
+            # to manage their own services were added in 4.2 release,
+            # the master denies this operations.
+            conn.connect(bind_dn=ipaldap.DIRMAN_DN, cacert=cafile,
+                         bind_pw=config.dirman_password)
+
        # Update and istall updated CA file
        cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)