URL: https://github.com/freeipa/freeipa/pull/320 Author: martbab Title: #320: add missing attribute to ipaca replica during CA topology update Action: opened
PR body: """ The previous fix for missing 'nsds5replicabinddngroupcheckinterval' fails when the first CA master is being set up. The attribute addition from update file has to be moved to the update plugin with a proper logic that determines the presence of o=ipaca replica entry. https://fedorahosted.org/freeipa/ticket/6508 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/320/head:pr320 git checkout pr320
From eb099a0fbcd4738e03f1e85e3ac35416ac3eac4b Mon Sep 17 00:00:00 2001
From: Martin Babinsky <[email protected]>
Date: Wed, 7 Dec 2016 13:47:14 +0100
Subject: [PATCH 1/2] Revert "upgrade: add replica bind DN group check interval to CA topology config"
This reverts commit 8c6a10ceddb4fce9a3dd4a334e6804800b5c89f9 since it leads to errors in upgrade of first master. https://fedorahosted.org/freeipa/ticket/6508
---
 install/share/ca-topology.uldif | 1 -
 1 file changed, 1 deletion(-)
diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
index 8fe38e7..fea591b 100644
--- a/install/share/ca-topology.uldif
+++ b/install/share/ca-topology.uldif
@@ -12,4 +12,3 @@ default: cn: ca
 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
 onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
-add: nsds5replicabinddngroupcheckinterval: 60
From fb073be6c7d1aab0778c3e46c192409ca6d4243f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <[email protected]>
Date: Wed, 7 Dec 2016 14:00:09 +0100
Subject: [PATCH 2/2] add missing attribute to ipaca replica during CA topology update
'nsds5replicabinddngroupcheckinterval' attribute was not properly added to 'o=ipaca' replica attribute during upgrade. The CA topology update plugin should now add it to the entry if it exists. https://fedorahosted.org/freeipa/ticket/6508
---
 ipaserver/install/plugins/update_ca_topology.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/ipaserver/install/plugins/update_ca_topology.py b/ipaserver/install/plugins/update_ca_topology.py
index d76849b..f82926b 100644
--- a/ipaserver/install/plugins/update_ca_topology.py
+++ b/ipaserver/install/plugins/update_ca_topology.py
@@ -2,8 +2,10 @@
 # Copyright (C) 2015 FreeIPA Contributors see COPYING for license
 #
+from ipalib import errors
 from ipalib import Registry
 from ipalib import Updater
+from ipapython.dn import DN
 from ipaserver.install import certs, cainstance
 from ipaserver.install import ldapupdate
 from ipaplatform.paths import paths
@@ -31,4 +33,24 @@ def execute(self, **options):
 ld.update([paths.CA_TOPOLOGY_ULDIF])
+ ldap = self.api.Backend.ldap2
+
+ ca_replica_dn = DN(
+ ('cn', 'replica'),
+ ('cn', 'o=ipaca'),
+ ('cn', 'mapping tree'),
+ ('cn', 'config'))
+
+ check_interval_attr = 'nsds5replicabinddngroupcheckinterval'
+ default_check_interval = ['60']
+
+ try:
+ ca_replica_entry = ldap.get_entry(ca_replica_dn)
+ except errors.NotFound:
+ pass
+ else:
+ if check_interval_attr not in ca_replica_entry:
+ ca_replica_entry[check_interval_attr] = default_check_interval
+ ldap.update_entry(ca_replica_entry)
+
 return False, []
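Review bot: Both outcomes of the new block in the second hunk are silent: `except errors.NotFound: pass` skips the update and the `ldap.update_entry(ca_replica_entry)` path changes `cn=config` without a log line, so the upgrade log cannot show whether the o=ipaca replica entry was missing, already had the attribute, or was modified. The attribute decides how often the directory server re-reads the members of `nsds5replicabinddngroup`, the group allowed to bind for replication, so a record of when it was set is worth having when replication access is audited. I would log each branch through the plugin's logger and put a comment above `default_check_interval`, for example `# seconds between re-reads of the replica bind DN group membership`. The local name `ldap` also reads like the python-ldap module, and `conn` would avoid that. `execute()` begins above the hunk, so earlier return paths are not visible here.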
