fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and to restore the config from the client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative solution.

--
Martin^3 Babinsky
From 7850644ce33c213d362b0ba61b866e1c240a6fb1 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 13 Jan 2016 17:11:05 +0100
Subject: [PATCH 2/2] reset ldap.conf to point to newly installer replica after
 promotion

When promoting a client to replica reset openldap client config so that it no
longer uses remote master as default LDAP hosts but uses local connection to
replica. Also make sure that the behavior regarding editing of user-customized
config is consistent with the client installer.

https://fedorahosted.org/freeipa/ticket/5488
---
 ipaserver/install/server/replicainstall.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 7edee88e101ff59b516c97934e201bed69671cdb..adeae8ee2026b707ad64ec91f236ad1bd5fc4840 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -412,6 +412,27 @@ def uninstall_client():
     print()
 
 
+def promote_openldap_conf(basedn, hostname):
+    """
+    set ldap.conf file so that URI directive points to the replica being
+    promoted. Restore the original file first so that any user settings are
+    not touched.
+
+    :param basedn: LDAP base DN
+    :param hostname: hostname of replica being promoted
+    """
+
+    client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE,
+                                         paths.SYSRESTORE_INDEX)
+    ldap_conf = paths.OPENLDAP_LDAP_CONF
+    root_logger.debug("Configuring {}".format(ldap_conf))
+
+    if client_fstore.has_file(ldap_conf):
+        client_fstore.restore_file(ldap_conf)
+
+    ipautil.configure_openldap_conf(client_fstore, basedn, [hostname])
+
+
 def promote_sssd(host_name):
     sssdconfig = SSSDConfig.SSSDConfig()
     sssdconfig.import_config()
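Review bot: The return value of `ipautil.configure_openldap_conf` on the last line of `promote_openldap_conf` is discarded, so when the rewrite fails (the helper reports that by returning False, and its catch-all branch logs the cause only at debug level) the replica keeps pointing at the remote master's URI with nothing in the install log saying so. The client installer checks this result and logs "Configured"/"Failed to configure", so for the consistency the commit message promises do the same here: `if not ipautil.configure_openldap_conf(client_fstore, basedn, [hostname]):` followed by `    root_logger.info("Failed to configure {}".format(ldap_conf))`. Whether `restore_file` also removes the entry from the client index is not visible in this hunk; if it does, the `backup_file` call inside the helper re-records the restored pre-IPA file, which is the intended state, and a one-line comment above the `has_file` check saying so would spare the next reader the same question.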
@@ -1373,6 +1394,7 @@ def promote(installer):
     custodia.import_dm_password(config.master_host_name)
 
     promote_sssd(config.host_name)
+    promote_openldap_conf(api.env.basedn, config.host_name)
 
     # Switch API so that it uses the new servr configuration
     server_api = create_api(mode=None)
-- 
2.5.0

From e308f22601f78da14e9486da4c7cc63c906a5df7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 13 Jan 2016 17:10:18 +0100
Subject: [PATCH 1/2] ipa client: move configure_openldap_conf to
 ipapython.ipautil

https://fedorahosted.org/freeipa/ticket/5488
---
 ipa-client/ipa-install/ipa-client-install | 59 +-----------------------------
 ipapython/ipautil.py                      | 61 +++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 58 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index af8d27bd0da9b847fef917d3bcc2ebd1837c5fb0..b774e14e8a672b8bd426aa4c46c4f9db79fea559 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -980,63 +980,6 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server,
 
     return (0, 'NSLCD', ', '.join(files))
 
-def configure_openldap_conf(fstore, cli_basedn, cli_server):
-    ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
-    ldapconf.setOptionAssignment((" ", "\t"))
-
-    opts = [{'name':'comment', 'type':'comment',
-                'value':' File modified by ipa-client-install'},
-            {'name':'empty', 'type':'empty'},
-            {'name':'comment', 'type':'comment',
-                'value':' We do not want to break your existing configuration, '
-                        'hence:'},
-            # this needs to be kept updated if we change more options
-            {'name':'comment', 'type':'comment',
-                'value':'   URI, BASE and TLS_CACERT have been added if they '
-                        'were not set.'},
-            {'name':'comment', 'type':'comment',
-                'value':'   In case any of them were set, a comment with '
-                         'trailing note'},
-            {'name':'comment', 'type':'comment',
-                'value':'   "# modified by IPA" note has been inserted.'},
-            {'name':'comment', 'type':'comment',
-                'value':' To use IPA server with openLDAP tools, please comment '
-                        'out your'},
-            {'name':'comment', 'type':'comment',
-                'value':' existing configuration for these options and '
-                        'uncomment the'},
-            {'name':'comment', 'type':'comment',
-                'value':' corresponding lines generated by IPA.'},
-            {'name':'empty', 'type':'empty'},
-            {'name':'empty', 'type':'empty'},
-            {'action':'addifnotset', 'name':'URI', 'type':'option',
-                'value':'ldaps://'+  cli_server[0]},
-            {'action':'addifnotset', 'name':'BASE', 'type':'option',
-                'value':str(cli_basedn)},
-            {'action':'addifnotset', 'name':'TLS_CACERT', 'type':'option',
-                'value':CACERT},]
-
-    target_fname = paths.OPENLDAP_LDAP_CONF
-    fstore.backup_file(target_fname)
-
-    error_msg = "Configuring {path} failed with: {err}"
-
-    try:
-        ldapconf.changeConf(target_fname, opts)
-    except SyntaxError as e:
-        root_logger.info("Could not parse {path}".format(path=target_fname))
-        root_logger.debug(error_msg.format(path=target_fname, err=str(e)))
-        return False
-    except IOError as e :
-        root_logger.info("{path} does not exist.".format(path=target_fname))
-        root_logger.debug(error_msg.format(path=target_fname, err=str(e)))
-        return False
-    except Exception as e: #  we do not want to fail in an optional step
-        root_logger.debug(error_msg.format(path=target_fname, err=str(e)))
-        return False
-
-    os.chmod(target_fname, 0o644)
-    return True
 
 def hardcode_ldap_server(cli_server):
     """
@@ -3005,7 +2948,7 @@ def install(options, env, fstore, statestore):
                         "%s configured using configuration file(s) %s",
                         conf, filenames)
 
-        if configure_openldap_conf(fstore, cli_basedn, cli_server):
+        if ipautil.configure_openldap_conf(fstore, cli_basedn, cli_server):
             root_logger.info("Configured /etc/openldap/ldap.conf")
         else:
             root_logger.info("Failed to configure /etc/openldap/ldap.conf")
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 7949bdf05cd72c512e6c2bc24b1bc52012e63317..016b8746e770b1f36ae5b21b62df5f9ae710dbdd 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -46,6 +46,8 @@ import six
 from six.moves import input
 from six.moves import urllib
 
+from ipaclient.ipachangeconf import IPAChangeConf
+from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import root_logger
 from ipapython import config
 from ipaplatform.paths import paths
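Review bot: The two added imports make `ipapython.ipautil` depend on `ipaclient` and `ipalib`, which inverts the package layering: unless I am mistaken both of those packages import `ipapython` themselves, so a module imported while `ipalib.constants` or `ipaclient.ipachangeconf` is still initialising will hit a circular import, and `ipapython` stops being usable on its own. Consider keeping `configure_openldap_conf` in the client layer (for example next to `IPAChangeConf` in `ipaclient`) and importing it from there in both ipa-client-install and replicainstall.py, or have the callers pass the CA certificate path in, rather than pulling `IPAChangeConf` and `CACERT` down into `ipapython`.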
@@ -1597,3 +1599,62 @@ if six.PY2:
                 type(value).__name__))
 else:
     fsdecode = os.fsdecode  #pylint: disable=no-member
+
+
+def configure_openldap_conf(fstore, cli_basedn, cli_server):
+    ldapconf = IPAChangeConf("IPA Installer")
+    ldapconf.setOptionAssignment((" ", "\t"))
+
+    opts = [{'name': 'comment', 'type': 'comment',
+            'value': ' File modified by ipa-client-install'},
+            {'name': 'empty', 'type': 'empty'},
+            {'name': 'comment', 'type': 'comment',
+            'value': ' We do not want to break your existing configuration, '
+                'hence:'},
+            # this needs to be kept updated if we change more options
+            {'name': 'comment', 'type': 'comment',
+                'value': '   URI, BASE and TLS_CACERT have been added if they '
+                'were not set.'},
+            {'name': 'comment', 'type': 'comment',
+            'value': '   In case any of them were set, a comment with '
+                'trailing note'},
+            {'name': 'comment', 'type': 'comment',
+                'value': '   "# modified by IPA" note has been inserted.'},
+            {'name': 'comment', 'type': 'comment',
+                'value': ' To use IPA server with openLDAP tools, please '
+                         'comment out your'},
+            {'name': 'comment', 'type': 'comment',
+                'value': ' existing configuration for these options and '
+                         'uncomment the'},
+            {'name': 'comment', 'type': 'comment',
+                'value': ' corresponding lines generated by IPA.'},
+            {'name': 'empty', 'type': 'empty'},
+            {'name': 'empty', 'type': 'empty'},
+            {'action': 'addifnotset', 'name': 'URI', 'type': 'option',
+                'value': 'ldaps://' + cli_server[0]},
+            {'action': 'addifnotset', 'name': 'BASE', 'type': 'option',
+                'value': str(cli_basedn)},
+            {'action': 'addifnotset', 'name': 'TLS_CACERT', 'type': 'option',
+                'value': CACERT}]
+
+    target_fname = paths.OPENLDAP_LDAP_CONF
+    fstore.backup_file(target_fname)
+
+    error_msg = "Configuring {path} failed with: {err}"
+
+    try:
+        ldapconf.changeConf(target_fname, opts)
+    except SyntaxError as e:
+        root_logger.info("Could not parse {path}".format(path=target_fname))
+        root_logger.debug(error_msg.format(path=target_fname, err=str(e)))
+        return False
+    except IOError as e:
+        root_logger.info("{path} does not exist.".format(path=target_fname))
+        root_logger.debug(error_msg.format(path=target_fname, err=str(e)))
+        return False
+    except Exception as e:  # we do not want to fail in an optional step
+        root_logger.debug(error_msg.format(path=target_fname, err=str(e)))
+        return False
+
+    os.chmod(target_fname, 0o644)
+    return True
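Review bot: `configure_openldap_conf` has no docstring even though it now lives in a shared module and is called from two installers; add one stating that it backs up `paths.OPENLDAP_LDAP_CONF` through `fstore` and rewrites it, that URI (`ldaps://` + `cli_server[0]`), BASE (`str(cli_basedn)`) and TLS_CACERT (`CACERT`) are added only when not already set, that `cli_server` is a list of which only the first entry is used, and that it returns True on success and False after logging on any failure. The header comment written into the file, `' File modified by ipa-client-install'` at the top of `opts`, is now also emitted when replica promotion rewrites the file, so it should either be worded generically (for example `' File modified by IPA installer'`) or be supplied by the caller. The `except Exception` branch logs the cause only at debug level, so an unexpected failure on this shared path reaches the admin only as the caller's "Failed to configure" line; `root_logger.info` or `root_logger.exception` there would make it diagnosable from the default log.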
-- 
2.5.0
