URL: https://github.com/freeipa/freeipa/pull/283 Author: martbab Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install Action: opened
PR body: """ This is https://github.com/freeipa/freeipa/pull/269 rebased on top of ipa-4-4 branch. https://fedorahosted.org/freeipa/ticket/6508 """
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/283/head:pr283
git checkout pr283
From 9c97bd9d566c74220c1ca695378dc6caf60e5f85 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Wed, 23 Nov 2016 16:55:38 +0100 Subject: [PATCH 1/2] upgrade: add replica bind DN group check interval to CA topology config Without this attribute explicitly set the replication plugin won't recognize updates from members of 'replication managers' sysaccount group, leading to stuck replica CA installation. https://fedorahosted.org/freeipa/ticket/6508 --- install/share/ca-topology.uldif | 1 + 1 file changed, 1 insertion(+) diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif index fea591b..8fe38e7 100644 --- a/install/share/ca-topology.uldif +++ b/install/share/ca-topology.uldif @@ -12,3 +12,4 @@ default: cn: ca dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX +add: nsds5replicabinddngroupcheckinterval: 60 From e58c23d29d1c9b163f1538ecabb6cbb482cbf881 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Wed, 23 Nov 2016 16:58:39 +0100 Subject: [PATCH 2/2] replication: ensure bind DN group check interval is set on replica config This is a safeguard ensuring valid replica configuration against incorrectly upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on their domain/ca topology config. https://fedorahosted.org/freeipa/ticket/6508 --- ipaserver/install/replication.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 56c75e7..42ee303 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py 
@@ -454,6 +454,12 @@ def replica_config(self, conn, replica_id, replica_binddn): if replica_groupdn not in binddn_groups: mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup', replica_groupdn)) + + if 'nsds5replicabinddngroupcheckinterval' not in entry: + mod.append( + (ldap.MOD_ADD, + 'nsds5replicabinddngroupcheckinterval', + '60')) if mod: conn.modify_s(dn, mod)
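Review bot: In the ca-topology.uldif hunk the new line uses the `add:` directive while the sibling `nsds5replicabinddngroup` line on the same `cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config` entry uses `onlyifexist:`, so the two attributes are handled differently on a master where that entry is absent (the case `onlyifexist:` exists to cover), and `add:` does not reconcile an already-present, administrator-chosen value. Suggest `onlyifexist: nsds5replicabinddngroupcheckinterval: 60` for consistency with the line above it, and a sentence in the commit message on why 60 seconds was chosen.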
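Review bot: The literal `'60'` in the replication.py hunk duplicates the value written into ca-topology.uldif in the first patch with nothing tying the two together, and the new block only adds the attribute when it is entirely missing, which is fine for a safeguard but is not stated anywhere in the code. Suggest hoisting the interval into a module-level constant (for example `REPLICA_BINDDN_GROUP_CHECK_INTERVAL = '60'`), using it in the `mod.append(...)` tuple here, and adding a one-line comment above the `if` saying this covers masters upgraded without the topology uldif change, as the commit message explains.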
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code