Remove memberPrincipal for deleted replicas

When a replica is deleted, its memberPrincipal entries in cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica is reinstalled and connected again, the installer would report an error with duplicate value in LDAP. This patch extends replica cleanup procedure to remove replica principal from s4u2proxy configuration. https://fedorahosted.org/freeipa/ticket/2451
2025-02-25 18:55:28 -06:00 · 2012-03-02 12:10:27 +01:00
parent d5c9f7bcaa
commit b7d092a0f4
2 changed files with 23 additions and 2 deletions
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -100,6 +100,7 @@ DEFAULT_CONFIG = (
    ('container_entitlements', 'cn=entitlements,cn=etc'),
    ('container_automember', 'cn=automember,cn=etc'),
    ('container_selinux', 'cn=usermap,cn=selinux'),
+    ('container_s4u2proxy', 'cn=s4u2proxy,cn=etc'),

    # Ports, hosts, and URIs:
    # FIXME: let's renamed xmlrpc_uri to rpc_xml_uri
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -27,8 +27,7 @@ from ipaserver import ipaldap
 from ipapython import services as ipaservices
 import installutils
 from ldap import modlist
-from ipalib import util
-from ipalib import errors
+from ipalib import api, util, errors
 from ipapython import ipautil
 from ipalib.dn import DN

@@ -941,6 +940,27 @@ class ReplicationManager(object):
            else:
                err = e

+        # remove replica memberPrincipal from s4u2proxy configuration
+        dn1 = DN(u'cn=ipa-http-delegation', api.env.container_s4u2proxy, self.suffix)
+        member_principal1 = "HTTP/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)
+
+        dn2 = DN(u'cn=ipa-ldap-delegation-targets', api.env.container_s4u2proxy, self.suffix)
+        member_principal2 = "ldap/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)
+
+        for (dn, member_principal) in ((str(dn1), member_principal1),
+                                       (str(dn2), member_principal2)):
+            try:
+                mod = [(ldap.MOD_DELETE, 'memberPrincipal', member_principal)]
+                self.conn.modify_s(dn, mod)
+            except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
+                root_logger.debug("Replica (%s) memberPrincipal (%s) not found in %s" % \
+                        (replica, member_principal, dn))
+            except Exception, e:
+                if not force:
+                    raise e
+                elif not err:
+                    err = e
+
        # delete master entry with all active services
        try:
            dn = 'cn=%s,cn=masters,cn=ipa,cn=etc,%s' % (replica, self.suffix)