These 2 patches fix issues found with ipa-replica-manage and
connect/disconnect commands.

Fixes ticket #2925

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From e83ea2fb1d66213db40fbc6b33b6164906041c6b Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Thu, 12 Jul 2012 14:27:55 -0400
Subject: [PATCH 1/2] Fix safety checks to prevent orphaning replicas

This is just a typo: we were checking one side twice and never the other side.
So depending on which side you ran the command, you would or would not be able to remove
the replication agreement even if it was the last one.

First part of ticket: #2925
---
 install/tools/ipa-replica-manage |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index e2378173821457ed05dae2722223d148266ef822..a039ccaa26976262d8f05ac068403b73c6ca735b 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -211,7 +211,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
         try:
             repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd)
 
-            repl_list = repl1.find_ipa_replication_agreements()
+            repl_list = repl2.find_ipa_replication_agreements()
             if not force and len(repl_list) <= 1:
                 print "Cannot remove the last replication link of '%s'" % replica2
                 print "Please use the 'del' command to remove it from the domain"
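Review bot: the corrected `repl_list = repl2.find_ipa_replication_agreements()` makes the guard count replica2's agreements, which now matches the message `print "Cannot remove the last replication link of '%s'" % replica2`, but the whole check is skipped when `force` is set, so `--force` still removes the last agreement silently and leaves replica2 orphaned from the topology. Consider printing a warning in the force path (for example "Removing the last replication link of '%s'") so the operator knows the replica will no longer receive updates.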
-- 
1.7.10.4

From 00a1ccadccff82d96e0af9cf86c8ad8da1ddd657 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Thu, 12 Jul 2012 15:04:03 -0400
Subject: [PATCH 2/2] Fix detection of deleted masters

When setting up agreements we need to be careful not to allow 'reconnecting'
a master that was previously completely deleted, as it would miss entries that
are vital for proper functioning.
This change in code fixes 2 problems with the current approach.
1) it removes false positives when we are trying to reconnect a replica that was
previously merely disconnected but was still part of the domain and just
replicating via a different topology and not a direct link
2) adds checks for entries that are deleted when an actual removal is
performed, so that we cannot 'reconnect' previously unrelated replicas when one
of the 2 has been permanently deleted from the masters tree.

Second part of ticket #2925
---
 install/tools/ipa-replica-manage |   24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index a039ccaa26976262d8f05ac068403b73c6ca735b..b095daf03aa0dfd7dd93f4809496467c83cfc5e3 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -401,18 +401,24 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
                                         options.passsync, options.win_subtree,
                                         options.cacert)
     else:
-        # First see if we already exist on the remote master. If so this was
-        # a previously deleted connection.
+        # Check if the master entry exists for both servers.
+        # If one of the tree misses one of the entries, it means one of the
+        # replicas was fully deleted previously and needs to be reinstalled
+        # from scratch
         try:
+            masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), (api.env.basedn))
+            master1_dn = str(DN(('cn', replica1), masters_dn))
+            master2_dn = str(DN(('cn', replica2), masters_dn))
+
+            repl1.conn.getEntry(master1_dn, ldap.SCOPE_BASE)
+            repl1.conn.getEntry(master2_dn, ldap.SCOPE_BASE)
+
             repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd)
-            master_dn = repl2.replica_dn()
-            binddn = str(DN(('krbprincipalname','ldap/%s@%s' % (replica1, api.env.realm)),(api.env.container_service),(api.env.basedn)))
-            master = repl2.conn.getEntry(master_dn, ldap.SCOPE_BASE)
-            binddns = master.getValues('nsDS5ReplicaBindDN')
-            if binddns and binddn in binddns:
-                sys.exit("You cannot connect to a previously deleted master")
+            repl2.conn.getEntry(master1_dn, ldap.SCOPE_BASE)
+            repl2.conn.getEntry(master2_dn, ldap.SCOPE_BASE)
+
         except errors.NotFound:
-            pass
+            sys.exit("You cannot connect to a previously deleted master")
         repl1.setup_gssapi_replication(replica2, "cn=Directory Manager", dirman_passwd)
     print "Connected '%s' to '%s'" % (replica1, replica2)
 
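Review bot: the widened `except errors.NotFound:` now also covers `repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd)`, so a NotFound raised while connecting to replica2 for any other reason is reported as `sys.exit("You cannot connect to a previously deleted master")`, which would send the admin down the wrong path. Consider constructing `repl2` outside the `try` and wrapping each `getEntry` lookup separately so the exit message can name which of `master1_dn`/`master2_dn` is missing on which server; that tells the operator which replica has to be reinstalled from scratch, which is what the new comment block promises.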
-- 
1.7.10.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
