On 10/19/2015 02:47 PM, Martin Basti wrote:

On 15.10.2015 16:29, Martin Babinsky wrote:


with domain level 0

ipa-replica-prepare <replica_hostname>

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in
line 215, in ask_for_options
   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61,
in connect
     self.id, threading.currentThread().getName()
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: Exception: connect:
'context.ldap2_140616703529424' already exists in thread 'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
connect: 'context.ldap2_140616703529424' already exists in thread
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The
ipa-replica-prepare command failed.

without your patch it works


The function was leaking an opened backend connection due to incorrect disconnect logic. The updated patch should fix this.

Martin^3 Babinsky
From 99f42975f478eabf7bd6ebfbf403d04db2ab6866 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 15 Oct 2015 16:07:48 +0200
Subject: [PATCH] disable ipa-replica-prepare in non-zero IPA domain level

the original replica installation path (ipa-replica-prepare +
ipa-replica-install) remains valid only when IPA domain level is zero. When
this is not the case, ipa-replica-prepare will print out an error message which
instructs the user to use the new replica promotion machinery to setup

 ipaserver/install/ipa_replica_prepare.py | 38 +++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..f4214c8b3c9f084bfe2557b6e750bfe7c1670ee6 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -41,7 +41,21 @@ from ipapython import version
 from ipalib import api
 from ipalib import errors
 from ipaplatform.paths import paths
-from ipalib.constants import CACERT
+from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL
+Replica creation using '{}' to generate replica file is supported only
+in {}-level IPA domain.
+The current IPA domain level is {} and thus the replica must be created by
+promoting an existing IPA client.
+To set up a replica use the following procedure:
+    1.) set up a client on the host using 'ipa-client-install'
+    2.) promote the client to replica running 'ipa-replica-install' *without*
+        replica file specified
 class ReplicaPrepare(admintool.AdminTool):
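Review bot: The message text added under the import relies on three anonymous '{}' fields, so it only reads correctly if the caller passes the command name, the supported level and the current level in exactly that order. Named fields such as '{command_name}', '{supported_level}' and '{current_level}' would make the mapping explicit and guard against the arguments being reordered later. The phrase "in {}-level IPA domain" will also read awkwardly once a number is substituted; "only when the IPA domain level is {}" would match the wording of the commit message.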
@@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool):
+        self.check_domainlevel(api)
         if api.env.host == self.replica_fqdn:
             raise admintool.ScriptError("You can't create a replica on itself")
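Review bot: The new call 'self.check_domainlevel(api)' passes in the module-level 'api' object that this file already imports with 'from ipalib import api', so the parameter adds nothing and hides which API instance the check uses. Either drop the argument and use the global inside the method, or add a docstring saying why it is injected. Note also that the check directly below reports failure with admintool.ScriptError, so the new check should fail in the same way for the user.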
@@ -673,3 +689,23 @@ class ReplicaPrepare(admintool.AdminTool):
             '-w', dm_pwd_fd.name,
             '-o', ca_file
+    def check_domainlevel(self, api):
+        was_connected = api.Backend.ldap2.isconnected()
+        try:
+            if not was_connected:
+                api.Backend.ldap2.connect()
+            domain_level = api.Command.domainlevel_get()['result']
+        except Exception as e:
+            raise RuntimeError(
+                "Cannot determine current domain level: {}".format(e))
+        finally:
+            if not was_connected:
+                api.Backend.ldap2.disconnect()
+        if domain_level > MIN_DOMAIN_LEVEL:
+            raise RuntimeError(
+                self.command_name, MIN_DOMAIN_LEVEL, domain_level)
+            )
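Review bot: In check_domainlevel the finally block calls 'api.Backend.ldap2.disconnect()' whenever was_connected is false, which includes the case where 'connect()' itself raised; an error from disconnecting a backend that never connected would then replace the "Cannot determine current domain level" error. Guard the cleanup with 'if not was_connected and api.Backend.ldap2.isconnected():' so only a connection this method opened is closed. Both raises use RuntimeError while the neighbouring check in this class raises admintool.ScriptError; using ScriptError for the domain-level refusal keeps it an expected, user-facing failure, and the broad 'except Exception' should be narrowed or at least log the original exception. As shown, the final raise hands self.command_name, MIN_DOMAIN_LEVEL and domain_level directly to RuntimeError and leaves a stray closing parenthesis; those values belong in the format call on the message text. The method also needs a docstring stating that it leaves the connection state as it found it.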
