Use common procedure to setup initial replication in both domain levels

Set up initial replication using GSSAPI also in domin level 0. For this to work, the supplied DM password is used to connect to remote master and set up agreements. The workflow is unchanged in DL1 where GSSAPI bind as host or admin is used. This obsoletes the conversion of replication agreements to GSSAPI made in DL0 during KDC installation. https://fedorahosted.org/freeipa/ticket/6406 Reviewed-By: Martin Basti <mbasti@redhat.com>
2024-12-23 07:33:27 -06:00 · 2016-11-09 14:48:56 +01:00 · 2016-11-09 14:48:56 +01:00 · ce2bb47cca
commit ce2bb47cca
parent 8378e1e39f
2 changed files with 20 additions and 8 deletions
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -410,6 +410,16 @@ class DsInstance(service.Service):


    def __setup_replica(self):
+        """
+        Setup initial replication between replica and remote master.
+        GSSAPI is always used as a replication bind method. Note, however,
+        that the bind method for the replication differs between domain levels:
+            * in domain level 0, Directory Manager credentials are used to bind
+              to remote master
+            * in domain level 1, GSSAPI using admin/privileged host credentials
+              is used (we do not have access to masters' DM password in this
+              stage)
+        """
        replication.enable_replication_version_checking(
            self.realm,
            self.dm_password)
@ -421,12 +431,17 @@ class DsInstance(service.Service):
        repl = replication.ReplicationManager(self.realm,
                                              self.fqdn,
                                              self.dm_password, conn=conn)
-        if self.promote:
-            repl.setup_promote_replication(self.master_fqdn)
+
+        if self.dm_password is not None and not self.promote:
+            bind_dn = DN(('cn', 'Directory Manager'))
+            bind_pw = self.dm_password
        else:
-            repl.setup_replication(self.master_fqdn,
-                                   r_binddn=DN(('cn', 'Directory Manager')),
-                                   r_bindpw=self.dm_password)
+            bind_dn = bind_pw = None
+
+        repl.setup_promote_replication(self.master_fqdn,
+                                       r_binddn=bind_dn,
+                                       r_bindpw=bind_pw,
+                                       cacert=self.ca_file)
        self.run_init_memberof = repl.needs_memberof_fixup()

    def __configure_sasl_mappings(self):
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -180,9 +180,6 @@ class KrbInstance(service.Service):
        self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
        if setup_pkinit:
            self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
-        if not promote:
-            self.step("enable GSSAPI for replication",
-                      self.__convert_to_gssapi_replication)

        self.__common_post_setup()