correctly set LDAP bind related attributes when setting up replication

when CA replica configures 'cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config' entry on remote master during replica installation, the 'nsds5replicabinddn' and 'nsds5replicabinddngroup' attributes are not correctly updated when this entry already existed on the master (e.g. when existing domain-level 0 topology was promoted to domain level 1). This patch ensures that these attributes are always set correctly regardless of existence of the replica entry. https://fedorahosted.org/freeipa/ticket/5412 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-01-19 17:46:57 +01:00
parent d726da3ba2
commit f2b22ec017
1 changed files with 15 additions and 7 deletions
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -435,13 +435,21 @@ class ReplicationManager(object):

        try:
            entry = conn.get_entry(dn)
-            managers = entry.get('nsDS5ReplicaBindDN')
-            for m in managers:
-                if replica_binddn == DN(m):
-                    return
-            # Add the new replication manager
-            mod = [(ldap.MOD_ADD, 'nsDS5ReplicaBindDN', replica_binddn)]
-            conn.modify_s(dn, mod)
+            managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])}
+            binddn_groups = {
+                DN(p) for p in entry.get('nsds5replicabinddngroup', [])}
+
+            mod = []
+            if replica_binddn not in managers:
+                # Add the new replication manager
+                mod.append((ldap.MOD_ADD, 'nsDS5ReplicaBindDN',
+                            replica_binddn))
+
+            if replica_groupdn not in binddn_groups:
+                mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
+                            replica_groupdn))
+            if mod:
+                conn.modify_s(dn, mod)

            # replication is already configured
            return