winsync-migrate: Require explicit specification of the target server and validate existing agreement

https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-04-29 08:16:06 +02:00 · 2015-04-29 08:16:06 +02:00 · d584eb7001
commit d584eb7001
parent bff7a748d6
1 changed files with 33 additions and 0 deletions
--- a/ipaserver/winsync_migrate/base.py
+++ b/ipaserver/winsync_migrate/base.py
@ -26,6 +26,7 @@ from ipapython import admintool
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import log_mgr
 from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install import replication

 DEFAULT_TRUST_VIEW_NAME = u'Default Trust View'

@ -57,6 +58,10 @@ class MigrateWinsync(admintool.AdminTool):
            "--realm",
            dest="realm",
            help="The AD realm the winsynced users belong to")
+        parser.add_option(
+            "--server",
+            dest="server",
+            help="The AD DC the winsync agreement is established with")
        parser.add_option(
            "-U", "--unattended",
            dest="interactive",
@ -91,6 +96,34 @@ class MigrateWinsync(admintool.AdminTool):
                    "An error occured during detection of the established "
                    "trust with %s: %s" % (self.options.realm, str(e)))

+        if self.options.server is None:
+            raise admintool.ScriptError(
+                "The AD DC the winsync agreement is established with "
+                "needs to be specified.")
+        else:
+            # Validate the replication agreement between given host and localhost
+            try:
+                manager = replication.ReplicationManager(
+                    api.env.realm,
+                    api.env.host,
+                    None)  # Use GSSAPI instead of raw directory manager access
+
+                replica_type = manager.get_agreement_type(self.options.server)
+            except errors.ACIError as e:
+                raise admintool.ScriptError(
+                    "Used Kerberos account does not have privileges to access "
+                    "the replication agreement info: %s" % str(e))
+            except errors.NotFound as e:
+                raise admintool.ScriptError(
+                    "The replication agreement between %s and %s could not "
+                    "be detected" % (api.env.host, self.options.server))
+
+            # Check that the replication agreement is indeed WINSYNC
+            if replica_type != replication.WINSYNC:
+                raise admintool.ScriptError(
+                    "Replication agreement between %s and %s is not winsync."
+                    % (api.env.host, self.options.server))
+
    def create_id_user_override(self, entry):
        """
        Creates ID override corresponding to this user entry.