If no bind password is provided, it is not possible to create the basic
replication user. Creating this user is not necessary for winsync
agreements or for new replica connections that use GSSAPI authentication,
so make it optional when Kerberos credentials are used.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 8c7678a59094fba99e4f1b22c7193f8a94e31fa1 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Fri, 25 Feb 2011 18:23:10 -0500
Subject: [PATCH 7/8] Fix replica setup using replication admin kerberos credentials

Fixes: https://fedorahosted.org/freeipa/ticket/1022
---
 install/share/replica-acis.ldif  |    5 +++++
 ipaserver/install/replication.py |    3 ++-
 2 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index a2f4cc22b9d58e06efeb0a984ac17096d24ba121..baa6216166eb3c661f771b8ef8346e7ee685f4f2 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,5 +1,10 @@
 # Replica administration
 
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
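Review bot: The new ACI on `cn=config` uses a negative attribute list, `(targetattr != aci)`, so it grants read, search and compare on every other attribute to members of the Modify Replication Agreements permission. With no `target` restriction, a 389 DS ACI normally covers the entry and its whole subtree, which would presumably include the `nsslapd-rootpw` hash on `cn=config` and `nsDS5ReplicaCredentials` on replication agreement entries; please confirm whether that is intended. An explicit allow-list of the attributes the replica setup actually reads would be safer, or at minimum a wider exclusion such as `(targetattr != "aci || nsslapd-rootpw || nsDS5ReplicaCredentials")`. A `#` comment above the entry saying why replica admins need this read access would also help later audits.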
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 0a8a65e0562b774366f5e1ff7b1c4fa920f98059..516878cbf53fe7b1b34a066360ae634d99efde8c 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -592,7 +592,8 @@ class ReplicationManager:
         return self.wait_for_repl_init(conn, dn)
 
     def basic_replication_setup(self, conn, replica_id, repldn, replpw):
-        self.add_replication_manager(conn, repldn, replpw)
+        if replpw is not None:
+            self.add_replication_manager(conn, repldn, replpw)
         self.replica_config(conn, replica_id, repldn)
         self.setup_changelog(conn)
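Review bot: The guard `if replpw is not None:` in `basic_replication_setup` still lets an empty string through, so a caller passing `replpw=""` would create the replication manager entry with an empty password; the callers are outside the hunk, so this needs confirming. `if replpw:` would skip creation in both cases, or the method could raise on an empty string instead. The method also has no docstring saying that `replpw=None` means a Kerberos/GSSAPI bind with no replication manager created, even though `replica_config` is still passed `repldn`. A one-line docstring such as `"""Configure replication; skip creating the replication manager when replpw is None (GSSAPI bind)."""` would record that.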
 
-- 
1.7.4
