URL: https://github.com/freeipa/freeipa/pull/1508
Author: tiran
Title: #1508: [Backport][ipa-4-6] preventing ldap principal to be deleted
Action: opened

PR body:
This PR was opened automatically because PR #1477 was pushed to master and 
backport to ipa-4-6 is required.

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1508/head:pr1508
git checkout pr1508
From 9f8a0dab7b052b763658b07322aa1329fc791be1 Mon Sep 17 00:00:00 2001
From: Alexander Koksharov <akoks...@redhat.com>
Date: Tue, 30 Jan 2018 16:38:16 +0100
Subject: [PATCH] preventing ldap principal to be deleted

The ipa-server-install --uninstall command is calling server-del to
delete the replica. This scenario does not work since server-del
is also deleting all principals from ldap, breaking ldap
replication. As a result, only part of the deletions are propagated
to the other replicas, leaving a lot of orphaned data there.

This patch won't fully fix the issue with left-over data,
but more data is cleaned up and only the ldap principal is left,
thus ending in a better state.
The issue will be fully fixed only when the topology plugin is patched
as well. The following pagure ticket is created to track the
topology plugin change:
 ipaserver/plugins/server.py | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index 94ada8b9da..cb200ba68d 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -659,10 +659,26 @@ def _remove_server_host_services(self, ldap, master):
         delete server kerberos key and all its svc principals
+            # do not delete ldap principal if server-del command
+            # has been called on a machine which is being deleted
+            # since this will break replication.
+            # ldap principal to be cleaned later by topology plugin
+            # necessary changes to a topology plugin are tracked
+            # under https://pagure.io/freeipa/issue/7359
+            if master == self.api.env.host:
+                filter = (
+                    '(&(krbprincipalname=*/{}@{})'
+                    '(!(krbprincipalname=ldap/*)))'
+                    .format(master, self.api.env.realm)
+                )
+            else:
+                filter = '(krbprincipalname=*/{}@{})'.format(
+                    master, self.api.env.realm
+                )
             entries = ldap.get_entries(
-                self.api.env.basedn, ldap.SCOPE_SUBTREE,
-                filter='(krbprincipalname=*/{}@{})'.format(
-                    master, self.api.env.realm))
+                self.api.env.basedn, ldap.SCOPE_SUBTREE, filter=filter
+            )
             if entries:
                 entries.sort(key=lambda x: len(x.dn), reverse=True)
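Review bot: `filter` shadows the Python builtin of the same name in both branches of the new `if master == self.api.env.host:` block; renaming it (e.g. `principal_filter = (...)` and `ldap.get_entries(..., filter=principal_filter)`) avoids the shadowing and reads more clearly. The docstring at the top of the hunk, `delete server kerberos key and all its svc principals`, is no longer accurate for the self-deletion case, since the `ldap/*` principal is now deliberately kept; it should say so and point at the topology-plugin follow-up already referenced in the comment. Also worth confirming that `master` and `self.api.env.host` are guaranteed to be in the same canonical form (case, trailing dot), because a plain `==` mismatch silently takes the else branch and deletes the ldap principal on the host being removed, which is exactly the replication breakage this change is meant to prevent.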
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org