From d810e1ff2f1fcee41131e359235540e8cada7d47 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 25 Mar 2019 15:58:07 +0100
Subject: [PATCH] Consider hidden servers as role provider

Hidden services are now considered as associated role providers, too. This
fixes the issue of:

    invalid 'PKINIT enabled server': all masters must have IPA
    master role enabled

and similar issues with CA and DNS.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
 ipaserver/servroles.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
index 5959db442..e0e684272 100644
--- a/ipaserver/servroles.py
+++ b/ipaserver/servroles.py
@@ -338,12 +338,13 @@ class ServerAttribute(LDAPBasedProperty):
         ldap.update_entry(service_entry)
 
     def _get_assoc_role_providers(self, api_instance):
-        """
-        get list of all servers on which the associated role is enabled
+        """get list of all servers on which the associated role is enabled
+
+        Consider a hidden server as a valid provider for a role.
         """
         return [
             r[u'server_server'] for r in self.associated_role.status(
-                api_instance) if r[u'status'] == ENABLED]
+                api_instance) if r[u'status'] in {ENABLED, HIDDEN}]
 
     def _remove(self, api_instance, masters):
         """