URL: https://github.com/freeipa/freeipa/pull/1477
Author: akokshar
Title: #1477: preventing ldap principal from being deleted
Action: opened

PR body:
"""
ipa-server-install --uninstall command is calling server-del to
delete replica. This scenario does not work since server-del
is also deleting all principals from ldap and breaking ldap
replication. As a result, only part of the deletions are propagated
to the other replicas, leaving a lot of orphaned data there.

https://pagure.io/freeipa/issue/7371
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1477/head:pr1477
git checkout pr1477
From eb8059fe45ebbaca73e81293c755fc130df3c10e Mon Sep 17 00:00:00 2001
From: Alexander Koksharov <koksharov.alexan...@gmail.com>
Date: Wed, 17 Jan 2018 11:01:38 +0100
Subject: [PATCH] preventing ldap principal from being deleted

ipa-server-install --uninstall command is calling server-del to
delete replica. This scenario does not work since server-del
is also deleting all principals from ldap and breaking ldap
replication. As a result, only part of the deletions are propagated
to the other replicas, leaving a lot of orphaned data there.

https://pagure.io/freeipa/issue/7371
---
 ipaserver/plugins/server.py | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index 94ada8b9da..3e900f05fb 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -659,10 +659,24 @@ def _remove_server_host_services(self, ldap, master):
         delete server kerberos key and all its svc principals
         """
         try:
-            entries = ldap.get_entries(
-                self.api.env.basedn, ldap.SCOPE_SUBTREE,
+            # do not delete ldap principal if server-del command 
+            # has been called on a machine which is being deleted
+            # since this will break replication.
+            # ldap principal to be cleaned later by topology plugin
+            if master == self. api.env.host:
+                filter=(
+                    '(&(!(krbprincipalname=ldap/*))'
+                    '(krbprincipalname=*/{}@{}))'
+                    .format(master, self.api.env.realm)
+                )
+            else:
                 filter='(krbprincipalname=*/{}@{})'.format(
-                    master, self.api.env.realm))
+                    master, self.api.env.realm
+                )
+
+            entries = ldap.get_entries(
+                self.api.env.basedn, ldap.SCOPE_SUBTREE, filter=filter
+            )
 
             if entries:
                 entries.sort(key=lambda x: len(x.dn), reverse=True)
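Review bot: `if master == self. api.env.host:` has a stray space after `self.`; the interpreter tolerates it, but it reads as a typo and linters will flag it, so write `self.api.env.host`. Two smaller style points in the same branch: the local name `filter` shadows the builtin, and `filter=(` is written without spaces around `=`, so a `search_filter = (...)` passed as `filter=search_filter` would be cleaner; the first added comment line also carries trailing whitespace. The docstring ending just above (`delete server kerberos key and all its svc principals`) no longer describes the self-deletion case, where the `ldap/` principal is deliberately left in place; update it to state the exception, and have the comment `ldap principal to be cleaned later by topology plugin` point at the code that performs that cleanup so a reader can confirm the principal is not simply left orphaned.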
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
