URL: https://github.com/freeipa/freeipa/pull/1477 Author: akokshar Title: #1477: preventing ldap principal to be deleted Action: opened
PR body: """ ipa-server-install --uninstall command is calling server-del to delete replica. This scenario does not work since server-del is also deleting all principals from ldap and breaking ldap replication. As a result, only part of the deletions are propagated to the other replicas, leaving a lot of orphaned data there. https://pagure.io/freeipa/issue/7371 """

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1477/head:pr1477
git checkout pr1477
From eb8059fe45ebbaca73e81293c755fc130df3c10e Mon Sep 17 00:00:00 2001 From: Alexander Koksharov <koksharov.alexan...@gmail.com> Date: Wed, 17 Jan 2018 11:01:38 +0100 Subject: [PATCH] preventing ldap principal to be deleted ipa-server-install --uninstall command is calling server-del to delete replica. This scenario does not work since server-del is also deleting all principals from and ldap breaking ldap replication. As a result, only part of deletions are propagated to the other replicals leaving a lot of orphaned data there. https://pagure.io/freeipa/issue/7371 --- ipaserver/plugins/server.py | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py index 94ada8b9da..3e900f05fb 100644 --- a/ipaserver/plugins/server.py +++ b/ipaserver/plugins/server.py @@ -659,10 +659,24 @@ def _remove_server_host_services(self, ldap, master): delete server kerberos key and all its svc principals """ try: - entries = ldap.get_entries( - self.api.env.basedn, ldap.SCOPE_SUBTREE, + # do not delete ldap principal if server-del command + # has been called on a machine which is being deleted + # since this will break replication. + # ldap principal to be cleaned later by topology plugin + if master == self. api.env.host: + filter=( + '(&(!(krbprincipalname=ldap/*))' + '(krbprincipalname=*/{}@{}))' + .format(master, self.api.env.realm) + ) + else: filter='(krbprincipalname=*/{}@{})'.format( - master, self.api.env.realm)) + master, self.api.env.realm + ) + + entries = ldap.get_entries( + self.api.env.basedn, ldap.SCOPE_SUBTREE, filter=filter + ) if entries: entries.sort(key=lambda x: len(x.dn), reverse=True)
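Review bot: the guard `if master == self. api.env.host:` in `_remove_server_host_services` is a plain string equality, so whether the `ldap/` principal is spared depends on `master` and `api.env.host` matching byte for byte, case included; if the caller can pass the host name in a different case than the configured one, the exclusion is silently skipped and the ldap principal is deleted again, which is exactly the replication break the commit message describes. Consider normalizing both sides (for example lowercasing) before comparing, and add a test that exercises the uninstall-on-self path so the exclusion branch is actually covered. Two smaller points in the same hunk: `self. api.env.host` has a stray space after the dot (it parses, but reads like a typo), and `filter=(` / `filter='(krbprincipalname=*/{}@{})'` shadows the `filter` builtin and drops the PEP 8 spaces around `=`; a name such as `principal_filter` avoids both. The comment "ldap principal to be cleaned later by topology plugin" would also be easier to verify with a pointer to where that cleanup happens.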
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org