https://fedorahosted.org/freeipa/ticket/5175
-- Martin^3 Babinsky
From 4c344b832432e59dcfe7a32bb7c4ea31470d26af Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 15 Oct 2015 16:07:48 +0200
Subject: [PATCH] disable ipa-replica-prepare in non-zero IPA domain level

the original replica installation path (ipa-replica-prepare + ipa-replica-install) remains valid only when IPA domain level is zero. When this is not the case, ipa-replica-prepare will print out an error message which instructs the user to use the new replica promotion machinery to setup replicas.

https://fedorahosted.org/freeipa/ticket/5175
---
 ipaserver/install/ipa_replica_prepare.py | 37 +++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..7f762efa58ed2636777fe29f92ba9c02be5974eb 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -41,7 +41,20 @@ from ipapython import version
 from ipalib import api
 from ipalib import errors
 from ipaplatform.paths import paths
-from ipalib.constants import CACERT
+from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL
+
+
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
+Replica creation using '{}' to generate replica file is supported only
+in {}-level IPA domain.
+
+The current IPA domain level is {} and thus the replica must be created by
+promoting an existing IPA client.
+
+To set up a replica use the following precedure:
+ 1.) set up a client on the host using `ipa-client-install`
+ 2.) promote the client to replica running `ipa-replica-install --promote`
+"""
 class ReplicaPrepare(admintool.AdminTool):
@@ -161,6 +174,8 @@ class ReplicaPrepare(admintool.AdminTool):
 api.bootstrap(in_server=True)
 api.finalize()
+ self.check_domainlevel(api)
+
 if api.env.host == self.replica_fqdn:
 raise admintool.ScriptError("You can't create a replica on itself")
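Review bot: The user-facing text in `UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE` (first hunk) misspells "procedure" as "precedure"; the line should read `To set up a replica use the following procedure:`. The template's three positional `{}` fields are filled by `check_domainlevel` in the last hunk, so the argument order there is the only thing tying each value to its sentence. Named fields such as `{command}`, `{supported_level}` and `{current_level}` would make a wrong-order fill visible at the call site.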
@@ -673,3 +688,23 @@ class ReplicaPrepare(admintool.AdminTool):
 '-w', dm_pwd_fd.name,
 '-o', ca_file
 ])
+
+ def check_domainlevel(self, api):
+ connected = api.Backend.ldap2.isconnected()
+ try:
+ if not connected:
+ api.Backend.ldap2.connect()
+
+ domain_level = api.Command.domainlevel_get()['result']
+ except Exception as e:
+ raise RuntimeError(
+ "Cannot determine current domain level: {}".format(e))
+ finally:
+ if connected:
+ api.Backend.ldap2.disconnect()
+
+ if domain_level > MIN_DOMAIN_LEVEL:
+ raise RuntimeError(
+ UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
+ self.command_name, MIN_DOMAIN_LEVEL, domain_level)
+ )
-- 2.4.3
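Review bot: The `finally` clause in `check_domainlevel` tests the wrong state: `connected` records whether ldap2 was already connected on entry, so `if connected: ... disconnect()` closes a connection this method did not open and leaves open the one it opened itself. Only a connection opened here should be closed, and tracking that in a flag set after `connect()` succeeds also avoids calling `disconnect()` when `connect()` itself raised. Both raises use `RuntimeError`, while the neighbouring check in the second hunk raises `admintool.ScriptError`; presumably that is the type the tool reports as a plain error message, so using it here would keep the refusal consistent with the other validation failures. Refusing to continue when the domain level cannot be read is the right default for this gate and should be kept.

```python
    def check_domainlevel(self, api):
        ldap = api.Backend.ldap2
        opened_here = False
        try:
            if not ldap.isconnected():
                ldap.connect()
                opened_here = True

            domain_level = api.Command.domainlevel_get()['result']
        except Exception as e:
            raise admintool.ScriptError(
                "Cannot determine current domain level: {}".format(e))
        finally:
            # close only a connection this method opened
            if opened_here:
                ldap.disconnect()

        # … unchanged: MIN_DOMAIN_LEVEL comparison, apart from the exception type …
```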