URL: https://github.com/freeipa/freeipa/pull/269
Author: martbab
Title: #269: Prevent denial of replication updates during CA replica install
Action: opened

PR body:
"""
This PR fixes a case when CA replica install against upgraded topology hangs due to incorrectly configured ipaca replica entry.
https://fedorahosted.org/freeipa/ticket/6508
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/269/head:pr269
git checkout pr269
From 9f37af887e90ce54ad657678e40c848e2a6cb40f Mon Sep 17 00:00:00 2001 From: Martin Babinsky <[email protected]> Date: Wed, 23 Nov 2016 16:55:38 +0100 Subject: [PATCH 1/2] upgrade: add replica bind DN group check interval to CA topology config Without this attribute explicitly set the replication plugin won't recognize updates from members of 'replication managers' sysaccount group, leading to stuck replica CA installation. https://fedorahosted.org/freeipa/ticket/6508 --- install/share/ca-topology.uldif | 1 + 1 file changed, 1 insertion(+) diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif index fea591b..8fe38e7 100644 --- a/install/share/ca-topology.uldif +++ b/install/share/ca-topology.uldif @@ -12,3 +12,4 @@ default: cn: ca dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX +add: nsds5replicabinddngroupcheckinterval: 60 From 769244cd8bf3336e4543bf2f62202af0d9b46500 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <[email protected]> Date: Wed, 23 Nov 2016 16:58:39 +0100 Subject: [PATCH 2/2] replication: ensure bind DN group check interval is set on replica config This is a safeguard ensuring valid replica configuration against incorrectly upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on their domain/ca topology config. https://fedorahosted.org/freeipa/ticket/6508 --- ipaserver/install/replication.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index ba35c49..e39e6d3 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py 
@@ -457,6 +457,12 @@ def replica_config(self, conn, replica_id, replica_binddn): if self.repl_man_group_dn not in binddn_groups: mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup', self.repl_man_group_dn)) + + if 'nsds5replicabinddngroupcheckinterval' not in entry: + mod.append( + (ldap.MOD_ADD, + 'nsds5replicabinddngroupcheckinterval', + '60')) if mod: conn.modify_s(dn, mod)
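Review bot: the new `add: nsds5replicabinddngroupcheckinterval: 60` line in install/share/ca-topology.uldif (patch 1/2) is a bare magic number with no indication of its unit or why 60 was chosen, and the same literal is written independently by the replication.py safeguard in patch 2/2, so the two can drift apart unnoticed. Suggest a short comment above the line, if the update-file format permits one, stating that the value is in seconds and that it exists so newly added members of the 'replication managers' group are honoured by the replication plugin, as the commit message explains.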
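Review bot: the guard `if 'nsds5replicabinddngroupcheckinterval' not in entry:` in replica_config() is only correct if the search that populated `entry` (not visible in this hunk) requested that attribute; if `entry` was fetched with an explicit attribute list that omits it, the condition is always true and the `ldap.MOD_ADD` will fail on masters that already carry a value. Please confirm the attribute is included in the search's attribute list, or use `ldap.MOD_REPLACE` for this single value so the write is idempotent. Also, the literal `'60'` duplicates the one in ca-topology.uldif; a named module-level constant with a comment giving the unit (seconds) would keep the two in step and document what the safeguard is for.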
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
