On 11/16/2012 02:25 PM, Martin Kosek wrote:
> On 11/16/2012 11:23 AM, Martin Kosek wrote:
>> On 11/15/2012 07:17 PM, Petr Viktorin wrote:
>>> On 11/15/2012 05:09 PM, Martin Kosek wrote:
>>>> On 11/15/2012 03:19 PM, Petr Viktorin wrote:
>>>>> Recently, the specfile changed (dce53e4) and the patch for changed Dogtag
>>>>> defaults made it to master independently (91e477b). Attaching rebased 
>>>>> patch.
>>>>>
>>>>> Note that to continue development on f17, you will need to use the
>>>>> dogtag-devel repo:
>>>>>    sudo yum-config-manager --add-repo=http://nkinder.fedorapeople.org/dogtag-devel/dogtag-devel-fedora.repo
>>>>>
>>>>> On 11/13/2012 03:57 PM, Petr Viktorin wrote:
>>>>> [...]
>>>>>>
>>>>>> For convenience, I've also pushed the changes to a personal repository.
>>>>>> To fetch to branch "pviktori-dogtag-10" you can do:
>>>>>>
>>>>>>       git fetch -f git://github.com/encukou/freeipa.git dogtag-10:pviktori-dogtag-10
>>>>>>
>>>>>
>>>>
>>>> I started reviewing the patches, and found the first thing that looks
>>>> suspicious. I had IPA with 2 databases, then upgraded it to single-database
>>>> IPA, the upgrade was OK.
>>>>
>>>> But when I uninstalled the IPA, the PKI-IPA dirsrv instance was not removed,
>>>> because when I installed single-db IPA afterwards, I had 2 dirsrv instances
>>>> running.
>>>
>>> You're right. This is an uninstaller error already present in 2.2:
>>> https://fedorahosted.org/freeipa/ticket/3258
>>>
>>> I'll start looking into it tomorrow, if nothing more important shows up.
>>>
>>
>> Thanks for the pointer. But this is definitely not a show stopper; running an
>> additional DS instance seems more or less benign and, as you pointed out, it is
>> rather an old bug.
>>
>> There are bigger issues. Now I focused on the ipa-replica-manage and
>> ipa-csreplica-manage tools. ipa-replica-manage gets confused with the
>> additional replication agreements in the IPA dirsrv instance (although targeted to
>> nsDS5ReplicaRoot: o=ipaca).
>>
>> First scenario: 3 IPA servers with CA in this topology:
>>
>> B - A - C
>>
>> On A:
>> # ipa-replica-manage list `hostname`
>> vm-055.idm.lab.bos.redhat.com: replica
>> vm-070.idm.lab.bos.redhat.com: replica
>> vm-055.idm.lab.bos.redhat.com: replica
>> vm-070.idm.lab.bos.redhat.com: replica
>>
>> it should not display agreements that are for IPA only, not IPA CA ones.
>>
>> Now, when I try to connect B to C, ipa-replica-manage succeeded:
>> [B] # ipa-replica-manage connect C
>> Connected 'B' to 'C'
>>
>> This changed the topology to:
>>      A
>>    /   \
>> B   -  C
>>
>> But ipa-csreplica-manage connect did not succeed then:
>> [B] # ipa-csreplica-manage connect C
>> Directory Manager password:
>>
>> This replication agreement already exists.
>>
>> Del command also failed for me:
>> [A] ipa-replica-manage del [C]
>>
>> Still trying to investigate why. If I manage to get some workable fix during my
>> investigations, I will attach it later.
>>
>> Martin
> 
> The fix for that was easier than expected. The attached patch restored the
> previous functionality for ipa-(cs)replica-manage. I tried that with all basic
> commands - add, del, connect, disconnect - and it worked fine so far.
> 
> But this was a case with all D10 masters, I will need to try if that flies with
> D9->D10 replicas or upgraded D9 masters.
> 
> Martin
> 

I managed to create a 2.2 (F17) -> 3.1 (F18) replica, everything seems to work
well. I just think we will also need to backport the previous patch, at least to
the 3.0 and 2.2 versions, to fix errors with the ipa-replica-manage replication
management tool. I created a ticket for this purpose:

https://fedorahosted.org/freeipa/ticket/3262

Attaching a patch for IPA 2.2 branch in case somebody is also testing it. With
this patch, I was able to list, force-sync, re-initialize, connect, disconnect
from 2.2 to 3.1 replica without any errors.

Martin
From 3b444b05a13f8552e13bd1bf840f5b26ebbf8482 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Mon, 19 Nov 2012 13:44:47 +0100
Subject: [PATCH] Filter suffix in replication management tools

With the new unified Dogtag10 LDAP database, PKI-CA data and the
agreements themselves are now in the main LDAP instance.

Replication management tools now need to properly filter replication
agreements based on the suffix to avoid clashing of agreements of
different types.

https://fedorahosted.org/freeipa/ticket/3262
---
 install/tools/ipa-csreplica-manage |  2 +-
 ipaserver/install/replication.py   | 36 ++++++++++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 97c504552c0763e351ef6ae7e197a0acb684a83b..1656aefe3fd1ae3fb585b8e9bbbebe2ee3da8ce9 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -354,7 +354,7 @@ def re_initialize(realm, options):
 
     thishost = installutils.get_fqdn()
 
-    filter = "(&(nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement)))" % thishost
+    filter = repl.get_agreement_filter(host=thishost)
     entry = repl.conn.search_s("cn=config", ldap.SCOPE_SUBTREE, filter)
     if len(entry) == 0:
         root_logger.error("Unable to find %s -> %s replication agreement" % (options.fromhost, thishost))
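Review bot: `filter` shadows the Python builtin of the same name on the changed line; the equivalent lookups in replication.py use `filt`, so renaming it here keeps both files consistent and avoids the shadowing. Delegating to `repl.get_agreement_filter(host=thishost)` is the right change for this re-initialize path, since the old inline filter matched every `nsds5ReplicationAgreement` for the host regardless of its `nsDS5ReplicaRoot`, which is exactly the clash the commit message describes once both suffixes share one instance.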
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index c8c5bc139b402328e6918a0a5c264aff8e966762..c08e07fb3a3e52e5112108dff38f6e027010ad7f 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -175,6 +175,32 @@ class ReplicationManager(object):
 
         return retval
 
+    def get_agreement_filter(self, agreement_types=None, host=None):
+        """
+        Get an LDAP replication agreement filter with a possibility to filter
+        the agreements by their type and a host
+        """
+        if agreement_types is None:
+            agreement_types = (IPA_REPLICA, WINSYNC)
+        elif not isinstance(agreement_types, (list, tuple)):
+            agreement_types = (agreement_types,)
+
+        agreement_types_filters = []
+        if IPA_REPLICA in agreement_types:
+            agreement_types_filters.append('(&(objectclass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=%s))'
+                % self.suffix)
+        if WINSYNC in agreement_types:
+            agreement_types_filters.append('(objectclass=nsDSWindowsReplicationAgreement)')
+        if len(agreement_types_filters) > 1:
+            agreement_filter = '(|%s)' % ''.join(agreement_types_filters)
+        else:
+            agreement_filter = ''.join(agreement_types_filters)
+
+        if host is not None:
+            agreement_filter = '(&%s(nsDS5ReplicaHost=%s))' % (agreement_filter, host)
+
+        return agreement_filter
+
     def find_replication_agreements(self):
         """
         The replication agreements are stored in
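Review bot: `get_agreement_filter` can return an unusable filter when `agreement_types` contains neither `IPA_REPLICA` nor `WINSYNC` (an empty tuple, or a mistyped constant): `agreement_types_filters` stays empty, so the method returns `''`, or `'(&(nsDS5ReplicaHost=...))'` when `host` is given, and the caller only learns about it from an LDAP filter error at `search_s`. Raising `ValueError` when no type filter was produced would fail fast at the source. Separately, `self.suffix` and `host` are interpolated into the filter verbatim; a value containing `(`, `)`, `*` or `\` would break or widen the match, so running both through `ldap.filter.escape_filter_chars` here covers every call site in the patch at once.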
@@ -186,7 +212,7 @@ class ReplicationManager(object):
         response. For now just return "No entries" even if the user may
         not be allowed to see them.
         """
-        filt = "(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement))"
+        filt = self.get_agreement_filter()
         try:
             ents = self.conn.search_s("cn=mapping tree,cn=config", ldap.SCOPE_SUBTREE, filt)
         except ldap.NO_SUCH_OBJECT:
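Review bot: the docstring directly above the changed line still describes the old behaviour and its "No entries" caveat; now that IPA agreements are restricted to `nsDS5ReplicaRoot=self.suffix`, it should state that agreements for other suffixes (the CA's o=ipaca from the commit message) are deliberately excluded, otherwise the next reader will take the missing entries for the permissions problem the existing text warns about.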
@@ -203,7 +229,7 @@ class ReplicationManager(object):
 
         res = []
 
-        filt = "(objectclass=nsds5ReplicationAgreement)"
+        filt = self.get_agreement_filter(IPA_REPLICA)
         try:
             ents = self.conn.search_s("cn=mapping tree,cn=config",
                                       ldap.SCOPE_SUBTREE, filt)
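Review bot: `self.get_agreement_filter(IPA_REPLICA)` passes a scalar as the first positional argument and relies on the `isinstance` coercion inside the helper; every other call in this patch uses keyword arguments, so `agreement_types=IPA_REPLICA` (or `(IPA_REPLICA,)`) would read consistently and make it obvious that winsync agreements are intentionally left out of this listing.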
@@ -225,7 +251,7 @@ class ReplicationManager(object):
         Returns None if not found.
         """
 
-        filt = "(&(|(objectclass=nsds5ReplicationAgreement)(objectclass=nsDSWindowsReplicationAgreement))(nsDS5ReplicaHost=%s))" % hostname
+        filt = self.get_agreement_filter(host=hostname)
         try:
             entry = self.conn.search_s("cn=mapping tree,cn=config",
                                        ldap.SCOPE_SUBTREE, filt)
@@ -867,9 +893,7 @@ class ReplicationManager(object):
 
         newschedule = '2358-2359 0'
 
-        filter = '(&(nsDS5ReplicaHost=%s)' \
-                   '(|(objectclass=nsDSWindowsReplicationAgreement)' \
-                     '(objectclass=nsds5ReplicationAgreement)))' % hostname
+        filter = self.get_agreement_filter(host=hostname)
         entry = conn.search_s("cn=config", ldap.SCOPE_SUBTREE, filter)
         if len(entry) == 0:
             root_logger.error("Unable to find replication agreement for %s" %
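Review bot: this search runs against `cn=config`, while the three updated lookups in replication.py search `cn=mapping tree,cn=config`; replication agreements live under the mapping tree, so using the same narrower base here would avoid a subtree walk of the whole server configuration and keep the scope identical across call sites. `filter` also shadows the builtin on the changed line; `filt`, as used elsewhere in this file, fits better.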
-- 
1.7.11.7

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
