[Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication

Simo Sorce Wed, 19 Jan 2011 16:44:46 -0800

See ticket #817

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

>From b259558cd6b8f4147fb7e0f6777b38d4a6097835 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 19 Jan 2011 19:17:48 -0500
Subject: [PATCH] Do not set a replication dn when using SASL/GSSAPI replication

Fixes: https://fedorahosted.org/freeipa/ticket/817
---
 ipaserver/install/replication.py |   39 +++++++++++++++----------------------
 1 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 547746592bab9b90cb85d35f76c597d714bc8fbe..21e6bcc4970f5d534df882f98327ace9119db983 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -371,10 +371,6 @@ class ReplicationManager:
             pass
 
         port = 389
-        if repl_man_dn is None:
-            repl_man_dn = self.repl_man_dn
-        if repl_man_passwd is None:
-            repl_man_passwd = self.repl_man_passwd
 
         # List of attributes that need to be excluded from replication.
         excludes = ('memberof', 'entryusn',
@@ -393,11 +389,11 @@ class ReplicationManager:
         entry.setValues('nsDS5ReplicatedAttributeList',
                         '(objectclass=*) $ EXCLUDE %s' % " ".join(excludes))
         entry.setValues('description', "me to %s" % b.host)
-        entry.setValues('nsds5replicabinddn', repl_man_dn)
         if isgssapi:
             entry.setValues('nsds5replicatransportinfo', 'LDAP')
             entry.setValues('nsds5replicabindmethod', 'SASL/GSSAPI')
         else:
+            entry.setValues('nsds5replicabinddn', repl_man_dn)
             entry.setValues('nsds5replicacredentials', repl_man_passwd)
             entry.setValues('nsds5replicatransportinfo', 'TLS')
             entry.setValues('nsds5replicabindmethod', 'simple')
@@ -436,25 +432,20 @@ class ReplicationManager:
         except ldap.TYPE_OR_VALUE_EXISTS:
             pass
 
-        return (a_pn[0].dn, b_pn[0].dn)
-
     def gssapi_update_agreements(self, a, b):
 
-        (a_pn_dn, b_pn_dn) = self.setup_krb_princs_as_replica_binddns(a, b)
+        self.setup_krb_princs_as_replica_binddns(a, b)
 
         #change replication agreements to connect to other host using GSSAPI
+        mod = [(ldap.MOD_REPLACE, "nsds5replicatransportinfo", "LDAP"),
+               (ldap.MOD_REPLACE, "nsds5replicabindmethod", "SASL/GSSAPI"),
+               (ldap.MOD_DELETE, "nsds5replicabinddn", None),
+               (ldap.MOD_DELETE, "nsds5replicacredentials", None)]
+
         cn, a_ag_dn = self.agreement_dn(b.host)
-        mod = [(ldap.MOD_REPLACE, "nsds5replicabinddn", a_pn_dn),
-               (ldap.MOD_DELETE, "nsds5replicacredentials", None),
-               (ldap.MOD_REPLACE, "nsds5replicatransportinfo", "LDAP"),
-               (ldap.MOD_REPLACE, "nsds5replicabindmethod", "SASL/GSSAPI")]
         a.modify_s(a_ag_dn, mod)
 
         cn, b_ag_dn = self.agreement_dn(a.host)
-        mod = [(ldap.MOD_REPLACE, "nsds5replicabinddn", b_pn_dn),
-               (ldap.MOD_DELETE, "nsds5replicacredentials", None),
-               (ldap.MOD_REPLACE, "nsds5replicatransportinfo", "LDAP"),
-               (ldap.MOD_REPLACE, "nsds5replicabindmethod", "SASL/GSSAPI")]
         b.modify_s(b_ag_dn, mod)
 
         # Finally remove the temporary replication manager user
@@ -605,8 +596,12 @@ class ReplicationManager:
         self.basic_replication_setup(r_conn, r_id,
                                      self.repl_man_dn, self.repl_man_passwd)
 
-        self.setup_agreement(r_conn, self.conn)
-        self.setup_agreement(self.conn, r_conn)
+        self.setup_agreement(r_conn, self.conn,
+                             repl_man_dn=self.repl_man_dn,
+                             repl_man_passwd=self.repl_man_passwd)
+        self.setup_agreement(self.conn, r_conn,
+                             repl_man_dn=self.repl_man_dn,
+                             repl_man_passwd=self.repl_man_passwd)
 
         #Finally start replication
         ret = self.start_replication(r_conn)
@@ -690,13 +685,11 @@ class ReplicationManager:
             r_conn.sasl_interactive_bind_s('', SASL_AUTH)
 
         # Allow krb principals to act as replicas
-        (self_dn, r_dn) = self.setup_krb_princs_as_replica_binddns(self.conn, r_conn)
+        self.setup_krb_princs_as_replica_binddns(self.conn, r_conn)
 
         # Create mutual replication agreementsausiung SASL/GSSAPI
-        self.setup_agreement(self.conn, r_conn,
-                             repl_man_dn=self_dn, isgssapi=True)
-        self.setup_agreement(r_conn, self.conn,
-                             repl_man_dn=r_dn, isgssapi=True)
+        self.setup_agreement(self.conn, r_conn, isgssapi=True)
+        self.setup_agreement(r_conn, self.conn, isgssapi=True)
 
     def initialize_replication(self, dn, conn):
         mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')]
-- 
1.7.3.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication

Reply via email to