IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-13 09:41:55 -06:00
Code Issues Packages Projects Releases Wiki Activity

Pick new CA renewal master when deleting a replica.

Browse Source 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Jan Cholasta 2014-04-10 14:14:10 +02:00 committed by Petr Viktorin
parent baa665fe40
commit d1386be4d5
2 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
install/tools/ipa-csreplica-manage
View File

@ -25,7 +25,8 @@ import os
import krbV import krbV
from ipapython.ipa_log_manager import * from ipapython.ipa_log_manager import *
from ipaserver.install import replication, installutils, bindinstance from ipaserver.install import (replication, installutils, bindinstance,
cainstance, certs)
from ipalib import api, errors, util from ipalib import api, errors, util
from ipalib.constants import CACERT from ipalib.constants import CACERT
from ipapython import ipautil, ipaldap, version, dogtag from ipapython import ipautil, ipaldap, version, dogtag
@ -272,7 +273,12 @@ def del_master(realm, hostname, options):
except Exception, e: except Exception, e:
sys.exit("There were issues removing a connection: %s" % e) sys.exit("There were issues removing a connection: %s" % e)
# 6. And clean up the removed replica DNS entries if any. # 6. Pick CA renewal master
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
if ca.is_renewal_master(hostname):
ca.set_renewal_master(options.host)
# 7. And clean up the removed replica DNS entries if any.
try: try:
if bindinstance.dns_container_exists(options.host, api.env.basedn, if bindinstance.dns_container_exists(options.host, api.env.basedn,
dm_password=options.dirman_passwd): dm_password=options.dirman_passwd):

13
install/tools/ipa-replica-manage
View File

@ -28,7 +28,7 @@ import socket
from ipapython import ipautil from ipapython import ipautil
from ipaserver.install import replication, dsinstance, installutils from ipaserver.install import replication, dsinstance, installutils
from ipaserver.install import bindinstance from ipaserver.install import bindinstance, cainstance, certs
from ipaserver.plugins import ldap2 from ipaserver.plugins import ldap2
from ipapython import version, ipaldap from ipapython import version, ipaldap
from ipalib import api, errors, util from ipalib import api, errors, util
@ -665,6 +665,7 @@ def del_master(realm, hostname, options):
# Check that we are not leaving the installation without CA and/or DNS # Check that we are not leaving the installation without CA and/or DNS
this_services = [] this_services = []
other_services = [] other_services = []
ca_hostname = None
for master_cn in [m.single_value['cn'] for m in masters]: for master_cn in [m.single_value['cn'] for m in masters]:
master_dn = DN(('cn', master_cn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ipautil.realm_to_suffix(realm)) master_dn = DN(('cn', master_cn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ipautil.realm_to_suffix(realm))
@ -679,6 +680,8 @@ def del_master(realm, hostname, options):
this_services = services_cns this_services = services_cns
else: else:
other_services.append(services_cns) other_services.append(services_cns)
if ca_hostname is None and 'CA' in services_cns:
ca_hostname = master_cn
if 'CA' in this_services and not any(['CA' in o for o in other_services]): if 'CA' in this_services and not any(['CA' in o for o in other_services]):
print "Deleting this server is not allowed as it would leave your installation without a CA." print "Deleting this server is not allowed as it would leave your installation without a CA."
@ -688,6 +691,14 @@ def del_master(realm, hostname, options):
print "Deleting this server will leave your installation without a DNS." print "Deleting this server will leave your installation without a DNS."
if not options.force and not ipautil.user_input("Continue to delete?", False): if not options.force and not ipautil.user_input("Continue to delete?", False):
sys.exit("Deletion aborted") sys.exit("Deletion aborted")
# Pick CA renewal master
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
if ca.is_renewal_master(hostname):
try:
ca.set_renewal_master(options.host)
except errors.NotFound:
ca.set_renewal_master(ca_hostname)
else: else:
print "Skipping calculation to determine if one or more masters would be orphaned." print "Skipping calculation to determine if one or more masters would be orphaned."