Replica promotion: use the correct IPA domain for replica

IPA domain is detected from LDAP for replica promote installation. If local domain and IPA domain does not match, installer refuses to install replica. IPA versions 4.3.0 and 4.3.1 allow to specify different domain for replica. Only one IPA domain is allowed (domain used with master) and different domain may cause issues. This commit prevents to install new replica if multiple domains was used in past. User action is required to fix this issue and remove incorrect IPA domains from LDAP. https://fedorahosted.org/freeipa/ticket/5976 Reviewed-By: Petr Spacek <pspacek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-06-21 12:37:26 +02:00
parent cc6a3325d4
commit 9ae98420e9
1 changed files with 29 additions and 0 deletions
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -931,6 +931,33 @@ def ensure_enrolled(installer):
    except Exception:
        sys.exit("Configuration of client side components failed!")

+
+def promotion_check_ipa_domain(master_ldap_conn, basedn):
+    entry = master_ldap_conn.get_entry(basedn, ['associatedDomain'])
+    if not 'associatedDomain' in entry:
+        raise RuntimeError('IPA domain not found in LDAP.')
+
+    if len(entry['associatedDomain']) > 1:
+        root_logger.critical(
+            "Multiple IPA domains found. We are so sorry :-(, you are "
+            "probably experiencing this bug "
+            "https://fedorahosted.org/freeipa/ticket/5976. Please contact us "
+            "for help.")
+        raise RuntimeError(
+            'Multiple IPA domains found in LDAP database ({domains}). '
+            'Only one domain is allowed.'.format(
+                domains=u', '.join(entry['associatedDomain'])
+            ))
+
+    if entry['associatedDomain'][0] != api.env.domain:
+        raise RuntimeError(
+            "Cannot promote this client to a replica. Local domain "
+            "'{local}' does not match IPA domain '{ipadomain}'. ".format(
+                local=api.env.domain,
+                ipadomain=entry['associatedDomain'][0]
+        ))
+
+
@common_cleanup
@preserve_enrollment_state
 def promote_check(installer):
@@ -1129,6 +1156,8 @@ def promote_check(installer):
                conn.disconnect()
                conn.connect(ccache=ccache)

+        promotion_check_ipa_domain(conn, remote_api.env.basedn)
+
        # Check that we don't already have a replication agreement
        try:
            (acn, adn) = replman.agreement_dn(config.host_name)