Make ipa-csreplica-manage work with both merged and non-merged DBs

The ipa-csreplica-manage tool often assumed that the port numbers are the same on both sides of a replication agreement. This assumption doesn't hold in a cluster with both old-style hosts and ones with merged DBs. When managing agreements, determine the port with the PKI (or merged) DS on each master, and use it. Also, in CSReplicationManager, always use starttls rather than ldaps://.
2025-02-25 18:55:28 -06:00 · 2012-11-20 07:47:00 -05:00
parent 994563bfe9
commit bef251a13c
2 changed files with 84 additions and 35 deletions
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -128,8 +128,8 @@ class ReplicationManager(object):
            # If we are passed a password we'll use it as the DM password
            # otherwise we'll do a GSSAPI bind.
            if starttls:
-                self.conn = ipaldap.IPAdmin(hostname, port=port)
-                ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
+                self.conn = ipaldap.IPAdmin(hostname, port=port, cacert=CACERT,
+                                            protocol='ldap')
                self.conn.start_tls_s()
            else:
                self.conn = ipaldap.IPAdmin(hostname, port=port, cacert=CACERT)
@@ -815,17 +815,16 @@ class ReplicationManager(object):
        self.setup_changelog(conn)

    def setup_replication(self, r_hostname, r_port=389, r_sslport=636,
-                          r_binddn=None, r_bindpw=None, starttls=False,
-                          is_cs_replica=False):
+                          r_binddn=None, r_bindpw=None,
+                          is_cs_replica=False, local_port=None):
        assert isinstance(r_binddn, DN)
+        if local_port is None:
+            local_port = r_port
        # note - there appears to be a bug in python-ldap - it does not
        # allow connections using two different CA certs
-        if starttls:
-            r_conn = ipaldap.IPAdmin(r_hostname, port=r_port)
-            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
-            r_conn.start_tls_s()
-        else:
-            r_conn = ipaldap.IPAdmin(r_hostname, port=r_sslport, cacert=CACERT)
+        r_conn = ipaldap.IPAdmin(r_hostname, port=r_port, cacert=CACERT,
+                                 protocol='ldap')
+        r_conn.start_tls_s()

        if r_bindpw:
            r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
@@ -843,7 +842,7 @@ class ReplicationManager(object):
                                     self.repl_man_dn, self.repl_man_passwd)

        if is_cs_replica:
-            self.setup_agreement(r_conn, self.conn.host, port=r_port,
+            self.setup_agreement(r_conn, self.conn.host, port=local_port,
                                 repl_man_dn=self.repl_man_dn,
                                 repl_man_passwd=self.repl_man_passwd,
                                 master=False)
@@ -852,7 +851,7 @@ class ReplicationManager(object):
                                 repl_man_passwd=self.repl_man_passwd,
                                 master=True)
        else:
-            self.setup_agreement(r_conn, self.conn.host, port=r_port,
+            self.setup_agreement(r_conn, self.conn.host, port=local_port,
                                 repl_man_dn=self.repl_man_dn,
                                 repl_man_passwd=self.repl_man_passwd)
            self.setup_agreement(self.conn, r_hostname, port=r_port,
@@ -1207,4 +1206,3 @@ class ReplicationManager(object):
        print "This may be safely interrupted with Ctrl+C"

        self.conn.checkTask(dn, dowait=True)
-