Remove referrals when removing agreements

Part of this fix requires also giving proper permission to change the replication agreements root. While there also fix replica-related permissions to have the classic add/modify/remove triplet of permissions. Fixes: https://fedorahosted.org/freeipa/ticket/630
2025-02-25 18:55:28 -06:00 · 2010-12-20 10:05:17 -05:00 · 2010-12-20 10:05:17 -05:00 · 91f3e79d81
commit 91f3e79d81
parent efd8b03ccf
4 changed files with 37 additions and 8 deletions
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@ -441,20 +441,28 @@ member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX

 # Replica administration

-dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX
+dn: cn=addreplica,cn=permissions,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
-cn: managereplica
-description: Manage Replication Agreements
+cn: addreplica
+description: Add Replication Agreements
 member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX

-dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX
+dn: cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
-cn: deletereplica
-description: Delete Replication Agreements
+cn: modifyreplica
+description: Modify Replication Agreements
+member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=removereplica,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removereplica
+description: Remove Replication Agreements
 member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX

 # Entitlement management
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@ -3,9 +3,15 @@
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Add Replication Agreements";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=accounts,$SUFFIX";)

 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=accounts,$SUFFIX";)
+
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@ -219,6 +219,7 @@ def del_link(replica1, replica2, dirman_passwd, force=False):
        failed = False
        try:
            repl2.delete_agreement(replica1)
+            repl2.delete_referral(replica1)
        except ldap.LDAPError, e:
            desc = e.args[0]['desc'].strip()
            info = e.args[0].get('info', '').strip()
@ -238,6 +239,7 @@ def del_link(replica1, replica2, dirman_passwd, force=False):
        print "Forcing removal on '%s'" % replica1

    repl1.delete_agreement(replica2)
+    repl1.delete_referral(replica2)

 def del_master(replman, hostname, force=False):
    has_repl_agreement = True
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@ -407,6 +407,19 @@ class ReplicationManager:
        cn, dn = self.agreement_dn(hostname)
        return self.conn.deleteEntry(dn)

+    def delete_referral(self, hostname):
+        esc1_suffix = self.suffix.replace('=', '\\3D').replace(',', '\\2C')
+        esc2_suffix = self.suffix.replace('=', '%3D').replace(',', '%2C')
+        dn = 'cn=%s,cn=mapping tree,cn=config' % esc1_suffix
+        # TODO: should we detect proto/port somehow ?
+        mod = [(ldap.MOD_DELETE, 'nsslapd-referral',
+                'ldap://%s:389/%s' % (hostname, esc2_suffix))]
+
+        try:
+            self.conn.modify_s(dn, mod)
+        except Exception, e:
+            logging.debug("Failed to remove referral value: %s" % str(e))
+
    def check_repl_init(self, conn, agmtdn):
        done = False
        hasError = 0