On 11/16/2012 11:23 AM, Martin Kosek wrote:
On 11/15/2012 07:17 PM, Petr Viktorin wrote:
On 11/15/2012 05:09 PM, Martin Kosek wrote:
On 11/15/2012 03:19 PM, Petr Viktorin wrote:
Recently, the specfile changed (dce53e4) and the patch for changed Dogtag
defaults made it to master independently (91e477b). Attaching rebased patch.

Note that to continue development on f17, you will need to use the
   sudo yum-config-manager

On 11/13/2012 03:57 PM, Petr Viktorin wrote:

For convenience, I've also pushed the changes to a personal repository.
To fetch to branch "pviktori-dogtag-10" you can do:

      git fetch -f git://github.com/encukou/freeipa.git

I started reviewing the patches, and found the first thing that looks
suspicious. I had IPA with 2 databases, then upgraded it to single-database
IPA, the upgrade was OK.

But when I uninstalled the IPA, PKI-IPA dirsrv instance was not removed because
when I installed single-db IPA afterwards, I had 2 dirsrv instances running.

You're right. This is an uninstaller error already present in 2.2:

I'll start looking into it tomorrow, if nothing more important shows up.

Thanks for the pointer. But this is definitely not a show stopper, running
additional DS instance seems more or less benign and as you pointed out, it is
rather an old bug.

There are bigger issues. Now I focused on ipa-replica-manage and
ipa-csreplica-manage tools. ipa-replica-manage gets confused with the
additional replication agreements in IPA dirsrv instance (although targeted to
nsDS5ReplicaRoot: o=ipaca).

First scenario: 3 IPA servers with CA in this topology:

B - A - C

On A:
# ipa-replica-manage list `hostname`
vm-055.idm.lab.bos.redhat.com: replica
vm-070.idm.lab.bos.redhat.com: replica
vm-055.idm.lab.bos.redhat.com: replica
vm-070.idm.lab.bos.redhat.com: replica

it should not display agreements that are for IPA only, not IPA CA ones.

Now, when I try to connect B to C, ipa-replica-manage succeeded:
[B] # ipa-replica-manage connect C
Connected 'B' to 'C'

This changed the topology to:
   /   \
B   -  C

But ipa-csreplica-manage connect did not succeed then:
[B] # ipa-csreplica-manage connect C
Directory Manager password:

This replication agreement already exists.

Del command also failed for me:
[A] ipa-replica-manage del [C]

Still trying to investigate why. If I manage to get some workable fix during my
investigations, I will attach it later.


The fix for that for easier than expected. Attached patch restored the previous functionality for ipa-(cs)replica-manage. I tried that with all basic commands - add, del, connect, disconnect and it worked fine so far.

But this was a case with all D10 masters, I will need to try if that flies with D9->D10 replicas or upgraded D9 masters.

From 3d75b2f16dc98826b2fd8ab7a7e1406d123b5a78 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 16 Nov 2012 13:59:11 +0100
Subject: [PATCH] Filter suffix in replication management tools

With the new unified Dogtag10 LDAP database, PKI-CA data and the
agreements themselves are now in the main LDAP instance.

Replication management tools now need to properly filter replication
agreements based on the suffix to avoid clashing of agreements of
different types.
 install/tools/ipa-csreplica-manage |  2 +-
 ipaserver/install/replication.py   | 37 ++++++++++++++++++++++++++++++-------
 2 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index f2924993f0e2944cf718abcb31743870048472f6..55edd1a23a2d43b02790477486677135dbf34a61 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -376,7 +376,7 @@ def re_initialize(realm, options):
     thishost = installutils.get_fqdn()
-    filter = "(&(nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement)))" % thishost
+    filter = repl.get_agreement_filter(host=thishost)
     entry = repl.conn.search_s(DN(('cn', 'config')), ldap.SCOPE_SUBTREE, filter)
     if len(entry) == 0:
         root_logger.error("Unable to find %s -> %s replication agreement" % (options.fromhost, thishost))
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index e1968a2f68717e126908bb153b9e950ebe16d73d..88edb913bcf3ac8c688ecd88a4ad1682db98276b 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -191,6 +191,32 @@ class ReplicationManager(object):
         return retval
+    def get_agreement_filter(self, agreement_types=None, host=None):
+        """
+        Get an LDAP replication agreement filter with a possibility to filter
+        the agreements by their type and a host
+        """
+        if agreement_types is None:
+            agreement_types = (IPA_REPLICA, WINSYNC)
+        elif not isinstance(agreement_types, (list, tuple)):
+            agreement_types = (agreement_types,)
+        agreement_types_filters = []
+        if IPA_REPLICA in agreement_types:
+            agreement_types_filters.append('(&(objectclass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=%s))'
+                % self.suffix)
+        if WINSYNC in agreement_types:
+            agreement_types_filters.append('(objectclass=nsDSWindowsReplicationAgreement)')
+        if len(agreement_types_filters) > 1:
+            agreement_filter = '(|%s)' % ''.join(agreement_types_filters)
+        else:
+            agreement_filter = ''.join(agreement_types_filters)
+        if host is not None:
+            agreement_filter = '(&%s(nsDS5ReplicaHost=%s))' % (agreement_filter, host)
+        return agreement_filter
     def find_replication_agreements(self):
         The replication agreements are stored in
@@ -202,7 +228,7 @@ class ReplicationManager(object):
         response. For now just return "No entries" even if the user may
         not be allowed to see them.
-        filt = "(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement))"
+        filt = self.get_agreement_filter()
             ents = self.conn.getList(DN(('cn', 'mapping tree'), ('cn', 'config')),
                                      ldap.SCOPE_SUBTREE, filt)
@@ -220,7 +246,7 @@ class ReplicationManager(object):
         res = []
-        filt = "(objectclass=nsds5ReplicationAgreement)"
+        filt = self.get_agreement_filter(IPA_REPLICA)
             ents = self.conn.getList(DN(('cn', 'mapping tree'), ('cn', 'config')),
                                      ldap.SCOPE_SUBTREE, filt)
@@ -242,7 +268,7 @@ class ReplicationManager(object):
         Returns None if not found.
-        filt = "(&(|(objectclass=nsds5ReplicationAgreement)(objectclass=nsDSWindowsReplicationAgreement))(nsDS5ReplicaHost=%s))" % hostname
+        filt = self.get_agreement_filter(host=hostname)
             entries = self.conn.getList(DN(('cn', 'mapping tree'), ('cn', 'config')),
                                       ldap.SCOPE_SUBTREE, filt)
@@ -958,10 +984,7 @@ class ReplicationManager(object):
         newschedule = '2358-2359 0'
-        filter = ('(&(nsDS5ReplicaHost=%s)'
-                   '(&(!(nsDS5ReplicaRoot=o=ipaca))'
-                    '(|(objectclass=nsDSWindowsReplicationAgreement)'
-                     '(objectclass=nsds5ReplicationAgreement))))' % hostname)
+        filter = self.get_agreement_filter(host=hostname)
         entries = conn.getList(
             DN(('cn', 'config')), ldap.SCOPE_SUBTREE, filter)
         if len(entries) == 0:

Freeipa-devel mailing list

Reply via email to