When a replication agreement is removed, also remove the referral that points
at the other replica, so that no dangling referrals are left behind.

This patch also fixes the replica-related ACIs, since that fix is required
to be allowed to change the referral attribute on the mapping tree entry.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 7a7436a36b618f4364f7220f3d532fa901ce660a Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Mon, 20 Dec 2010 10:05:17 -0500
Subject: [PATCH] Remove referrals when removing agreements

Part of this fix also requires granting the proper permission to change the
replication agreements root.
While there also fix replica-related permissions to have the classic
add/modify/remove triplet of permissions.

Fixes: https://fedorahosted.org/freeipa/ticket/630
---
 install/share/delegation.ldif    |   20 ++++++++++++++------
 install/share/replica-acis.ldif  |    9 +++++++--
 install/tools/ipa-replica-manage |    2 ++
 ipaserver/install/replication.py |   13 +++++++++++++
 4 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 7a634821cd43558f3846649862a5a5c1b81d9f5b..79533fda7c245cbbcec0eb2fb08fb6b4b853ea34 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -441,20 +441,28 @@ member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
 
 # Replica administration
 
-dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX
+dn: cn=addreplica,cn=permissions,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
-cn: managereplica
-description: Manage Replication Agreements
+cn: addreplica
+description: Add Replication Agreements
 member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
 
-dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX
+dn: cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
-cn: deletereplica
-description: Delete Replication Agreements
+cn: modifyreplica
+description: Modify Replication Agreements
+member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=removereplica,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removereplica
+description: Remove Replication Agreements
 member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
 
 # Entitlement management
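Review bot: The old `cn=managereplica` and `cn=deletereplica` permission entries are only renamed here, and every stanza in this hunk is `changetype: add`, so on a server that already has them the old groups stay in place, still with `cn=replicaadmin` as a member, and whatever ACIs still reference them keep granting access alongside the new add/modify/remove triplet — unless an upgrade step outside this patch removes them, which I cannot see from here. Either add `changetype: delete` stanzas for the two old DNs (e.g. `dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX` / `changetype: delete`) or say in the commit message how existing installations are migrated, so a reviewer can confirm no stale permission survives.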
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 931163cfe8b5cf9ba5250bdfaa33097b1fc79590..feda1d9b74962447f2d909923097d6d69dcae88f 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -3,10 +3,15 @@
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Add Replication Agreements";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=accounts,$SUFFIX";;)
 
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";;)
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=accounts,$SUFFIX";;)
 
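Review bot: The "Modify Replication Agreements" ACI added above now includes `(objectClass=nsMappingTree)` in its targetfilter while keeping `(targetattr=*)` and `allow (read, write, search)`; since this ACI lives on `cn="$SUFFIX",cn=mapping tree,cn=config`, it matches the mapping tree entry itself and so grants the modifyreplica group write access to every attribute of it, not just `nsslapd-referral`. That is more than removing referrals needs — a holder of this permission could rewrite attributes such as `nsslapd-backend` or `nsslapd-state` on the suffix, which affect where the whole suffix is served from. Keep the original filter (without nsMappingTree) on the agreements ACI and add a separate, attribute-scoped ACI for the referral, e.g. `aci: (targetattr="nsslapd-referral")(targetfilter="(objectClass=nsMappingTree)")(version 3.0; acl "Modify Replication Referrals"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";;)`. Whether `targetattr=*` also covers operational attributes such as `aci` on this server version is worth checking, since that would additionally let the group edit the ACIs themselves.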
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index cbb2cad1db4692e3f861bc0762798a8d3e372d5e..17089e614454f712a17a6275209ce37df53ee1a0 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -219,6 +219,7 @@ def del_link(replica1, replica2, dirman_passwd, force=False):
         failed = False
         try:
             repl2.delete_agreement(replica1)
+            repl2.delete_referral(replica1)
         except ldap.LDAPError, e:
             desc = e.args[0]['desc'].strip()
             info = e.args[0].get('info', '').strip()
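Review bot: A failure to remove the referral on replica2 goes unreported here: `repl2.delete_referral(replica1)` sits inside the `try` that catches `ldap.LDAPError`, but, per the replication.py hunk, `delete_referral` catches every exception itself and only logs at debug level, so the handler that follows is never reached for it and the user is told nothing while the dangling referral this patch sets out to remove is still there. Consider having `delete_referral` return True/False and printing a warning in the tool, e.g. `if not repl2.delete_referral(replica1): print "Warning: referral to '%s' could not be removed" % replica1`. `del_link` starts before this hunk and continues after it, so I cannot see how `failed` is set on error.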
@@ -238,6 +239,7 @@ def del_link(replica1, replica2, dirman_passwd, force=False):
         print "Forcing removal on '%s'" % replica1
 
     repl1.delete_agreement(replica2)
+    repl1.delete_referral(replica2)
 
 def del_master(replman, hostname, force=False):
     has_repl_agreement = True
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 743eda8589e3aee19cd64d7d022c8fdd31c7f59b..c107aa661eaa2c531fcfd87af2b55d120d593d0c 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -407,6 +407,19 @@ class ReplicationManager:
         cn, dn = self.agreement_dn(hostname)
         return self.conn.deleteEntry(dn)
 
+    def delete_referral(self, hostname):
+        esc1_suffix = self.suffix.replace('=', '\\3D').replace(',', '\\2C')
+        esc2_suffix = self.suffix.replace('=', '%3D').replace(',', '%2C')
+        dn = 'cn=%s,cn=mapping tree,cn=config' % esc1_suffix
+        # TODO: should we detect proto/port somehow ?
+        mod = [(ldap.MOD_DELETE, 'nsslapd-referral',
+                'ldap://%s:389/%s' % (hostname, esc2_suffix))]
+
+        try:
+            self.conn.modify_s(dn, mod)
+        except Exception, e:
+            logging.debug("Failed to remove referral value: %s" % str(e))
+
     def check_repl_init(self, conn, agmtdn):
         done = False
         hasError = 0
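Review bot: `delete_referral` guesses the referral value as `ldap://%s:389/%s` (the TODO on the line above admits this), so a referral that was registered with `ldaps://`, a non-default port or a different spelling of the host makes the `MOD_DELETE` fail with noSuchAttribute, and the bare `except Exception` then hides that behind a debug message — the dangling referral the patch is meant to remove is still there, only now silently. Read the entry's `nsslapd-referral` values and delete the ones whose host is `hostname` instead of constructing the URL, narrow the handler to `ldap.LDAPError`, and log at warning level so the operator sees the failure. The sketch below assumes `self.conn` exposes python-ldap's `search_s` the way it exposes `modify_s`, that `urlparse` is imported at module level, and that the referral was registered with the same hostname string the agreement uses — all to be confirmed. The enclosing `ReplicationManager` class header is outside this hunk.

```python
    def delete_referral(self, hostname):
        """Remove the nsslapd-referral value(s) for *hostname* from the suffix's
        mapping tree entry.  Best effort: failures are logged, not raised."""
        esc1_suffix = self.suffix.replace('=', '\\3D').replace(',', '\\2C')
        dn = 'cn=%s,cn=mapping tree,cn=config' % esc1_suffix
        try:
            # Match on the referral's host rather than a fixed scheme/port so
            # ldaps:// or non-389 referrals to this replica are removed too.
            res = self.conn.search_s(dn, ldap.SCOPE_BASE,
                                     attrlist=['nsslapd-referral'])
            referrals = res[0][1].get('nsslapd-referral', []) if res else []
            stale = [r for r in referrals
                     if urlparse.urlparse(r).hostname == hostname.lower()]
            if not stale:
                logging.debug("No referral to %s found in %s" % (hostname, dn))
                return
            self.conn.modify_s(dn, [(ldap.MOD_DELETE, 'nsslapd-referral', stale)])
        except ldap.LDAPError, e:
            logging.warning("Failed to remove referral to %s: %s" % (hostname, str(e)))
```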
-- 
1.7.3.3
