From ce2bb47cca03eda1ff85f4725abb92c639f34ecc Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 9 Nov 2016 14:48:56 +0100
Subject: [PATCH] Use common procedure to setup initial replication in both domain levels

Set up initial replication using GSSAPI also in domin level 0. For this to work, the supplied DM password is used to connect to remote master and set up agreements. The workflow is unchanged in DL1 where GSSAPI bind as host or admin is used. This obsoletes the conversion of replication agreements to GSSAPI made in DL0 during KDC installation.

https://fedorahosted.org/freeipa/ticket/6406

Reviewed-By: Martin Basti
---
 ipaserver/install/dsinstance.py | 25 ++++++++++++++++++++-----
 ipaserver/install/krbinstance.py | 3 ---
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index a604010da..f76378ea1 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -410,6 +410,16 @@ class DsInstance(service.Service):
 def __setup_replica(self):
+ """
+ Setup initial replication between replica and remote master.
+ GSSAPI is always used as a replication bind method. Note, however,
+ that the bind method for the replication differs between domain levels:
+ * in domain level 0, Directory Manager credentials are used to bind
+ to remote master
+ * in domain level 1, GSSAPI using admin/privileged host credentials
+ is used (we do not have access to masters' DM password in this
+ stage)
+ """
 replication.enable_replication_version_checking(
 self.realm, self.dm_password)
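Review bot: The new docstring states that GSSAPI is "always used as a replication bind method" and then that in domain level 0 "Directory Manager credentials are used to bind to remote master", which reads as a contradiction unless the reader already knows, as the commit message explains, that the DM bind is only the installer's own connection for creating the agreements while the agreements themselves bind with GSSAPI. Suggest making that distinction explicit by replacing the two domain-level-0 bullet lines with `* in domain level 0, Directory Manager credentials are used only for the` / `installer's connection to the remote master that creates the agreements`. The summary line should also read `Set up initial replication between replica and remote master.` (imperative, and "Setup" is the noun). The body of __setup_replica continues outside this hunk.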
@@ -421,12 +431,17 @@ class DsInstance(service.Service):
 repl = replication.ReplicationManager(self.realm, self.fqdn, self.dm_password, conn=conn)
- if self.promote:
- repl.setup_promote_replication(self.master_fqdn)
+
+ if self.dm_password is not None and not self.promote:
+ bind_dn = DN(('cn', 'Directory Manager'))
+ bind_pw = self.dm_password
 else:
- repl.setup_replication(self.master_fqdn,
- r_binddn=DN(('cn', 'Directory Manager')),
- r_bindpw=self.dm_password)
+ bind_dn = bind_pw = None
+
+ repl.setup_promote_replication(self.master_fqdn,
+ r_binddn=bind_dn,
+ r_bindpw=bind_pw,
+ cacert=self.ca_file)
 self.run_init_memberof = repl.needs_memberof_fixup()
 def __configure_sasl_mappings(self):
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index b7ae38f70..b5cfd79c2 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -180,9 +180,6 @@ class KrbInstance(service.Service):
 self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
 if setup_pkinit:
 self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
- if not promote:
- self.step("enable GSSAPI for replication",
- self.__convert_to_gssapi_replication)
 self.__common_post_setup()
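Review bot: In the new non-promote branch the Directory Manager password is passed to setup_promote_replication as r_bindpw, so it is sent to the remote master in a password bind, and whether that connection is protected depends entirely on the added `cacert=self.ca_file` argument being honoured; nothing in the hunk guarantees that `self.ca_file` is set at this point. If `self.ca_file` can be None on the domain-level-0 path, the call should fail closed rather than risk sending DM credentials over an unverified connection, e.g. `if bind_pw is not None and self.ca_file is None:` / `    raise RuntimeError("CA certificate required for Directory Manager bind to remote master")` placed before the call. The condition also routes a non-promote install whose `dm_password` is None into the GSSAPI branch, which the docstring describes as unusable in domain level 0; if that combination is reachable, an explicit error would be clearer than the silent fallback. setup_promote_replication is not visible here, so whether it enforces TLS whenever r_bindpw is given should be confirmed in the replication module.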