https://fedorahosted.org/freeipa/ticket/5976

Client must have properly set domain to allow install replica

Patch attached.

From c26362fcdd1e35ed736aeb1ed3d3ac2f6b336c87 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 21 Jun 2016 12:37:26 +0200
Subject: [PATCH] Replica promotion: use the correct IPA domain for replica

The IPA domain is detected from LDAP for replica promote installation.
If the local domain and the IPA domain do not match, the installer refuses
to install the replica.

IPA versions 4.3.0 and 4.3.1 allow specifying a different domain for the
replica. Only one IPA domain is allowed (the domain used with the master),
and a different domain may cause issues.

This commit prevents installing a new replica if multiple domains were
used in the past. User action is required to fix this issue and remove
incorrect IPA domains from LDAP.

https://fedorahosted.org/freeipa/ticket/5976
---
 ipaserver/install/server/replicainstall.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 1464e26db3f456efa4a18cd1449141c2c92c9ffc..52b2ea5b0691cd99c6cb566af5a15af3b2dffb14 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -931,6 +931,33 @@ def ensure_enrolled(installer):
     except Exception:
         sys.exit("Configuration of client side components failed!")
 
+
+def promotion_check_ipa_domain(master_ldap_conn, basedn):
+    entry = master_ldap_conn.get_entry(basedn, ['associatedDomain'])
+    if not 'associatedDomain' in entry:
+        raise RuntimeError('IPA domain not found in LDAP.')
+
+    if len(entry['associatedDomain']) > 1:
+        root_logger.critical(
+            "Multiple IPA domains found. We are so sorry :-(, you are "
+            "probably experiencing this bug "
+            "https://fedorahosted.org/freeipa/ticket/5976. Please contact us "
+            "for help.")
+        raise RuntimeError(
+            'Multiple IPA domains found in LDAP database ({domains}). '
+            'Only one domain is allowed.'.format(
+                domains=u', '.join(entry['associatedDomain'])
+            ))
+
+    if entry['associatedDomain'][0] != api.env.domain:
+        raise RuntimeError(
+            "Cannot promote this client to a replica. Local domain "
+            "'{local}' does not match IPA domain '{ipadomain}'. ".format(
+                local=api.env.domain,
+                ipadomain=entry['associatedDomain'][0]
+        ))
+
+
 @common_cleanup
 @preserve_enrollment_state
 def promote_check(installer):
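Review bot: the domain comparison in `promotion_check_ipa_domain` is case-sensitive (`entry['associatedDomain'][0] != api.env.domain`), but DNS domain names are not, so a replica whose local domain differs only in letter case from the value stored in LDAP would be refused with a misleading "does not match" error; compare the two values after normalising them (e.g. lower-casing and stripping any trailing dot) rather than with a raw string comparison. Two smaller points in the same hunk: `if not 'associatedDomain' in entry:` is the non-idiomatic spelling of `if 'associatedDomain' not in entry:`, and the function reads `api.env.domain` from the global API while its caller passes `remote_api.env.basedn`, so it would be clearer and easier to test to pass the expected domain in as a parameter instead of mixing the two environments inside one check. The "We are so sorry :-(" wording in the critical log message is also out of keeping with the rest of the installer's messages.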
@@ -1129,6 +1156,8 @@ def promote_check(installer):
                 conn.disconnect()
                 conn.connect(ccache=ccache)
 
+        promotion_check_ipa_domain(conn, remote_api.env.basedn)
+
         # Check that we don't already have a replication agreement
         try:
             (acn, adn) = replman.agreement_dn(config.host_name)
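Review bot: the new `promotion_check_ipa_domain(conn, remote_api.env.basedn)` call is not wrapped in a try block, unlike the agreement check immediately below it; if `get_entry` fails for an LDAP reason (base entry unreadable, connection error) the resulting exception propagates out of `promote_check` as an unhandled traceback instead of the installer's usual one-line message, so consider catching LDAP errors around this call and reporting them the same way the surrounding checks do. It would also help to add a one-line comment here saying why the domain must be verified before the replication-agreement check.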
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code