URL: https://github.com/freeipa/freeipa/pull/620
Author: felipevolpone
Title: #620: [WIP] Fixing 6549
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/620/head:pr620
git checkout pr620
From 473e95bcf41fbe78d61d89cef66733874cb86508 Mon Sep 17 00:00:00 2001
From: felipe <fbarreto@localhost.localdomain>
Date: Tue, 21 Mar 2017 09:05:56 -0300
Subject: [PATCH] Fixing replica install: fix ldap connection in domlvl 0

Now, at the domain level 0, the replica install always uses
Directory Manager credentials to create the LDAP connection.
Since ACIs permitting hosts to manage their own services were
added in 4.2 release, the old master denies these operations.

https://pagure.io/freeipa/issue/6549
---
 ipaserver/install/server/replicainstall.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index b4463fd..f489e69 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1391,7 +1391,16 @@ def install(installer):
     dsinstance.create_ds_user()
 
     try:
-        conn.connect(ccache=ccache)
+        if promote:
+            conn.connect(ccache=ccache)
+        else:
+            # dmlvl 0 replica install should always use DM credentials
+            # to create remote LDAP connection. Since ACIs permitting hosts
+            # to manage their own services were added in 4.2 release,
+            # the master denies this operations.
+            conn.connect(bind_dn=ipaldap.DIRMAN_DN, cacert=cafile,
+                         bind_pw=config.dirman_password)
+
         # Update and istall updated CA file
         cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
 
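Review bot: In the else branch, conn.connect performs a simple bind as ipaldap.DIRMAN_DN, and nothing in this hunk checks that config.dirman_password is set. A simple bind with a DN and an empty password is an unauthenticated bind under RFC 4513, which the server may reject or treat as anonymous, so failing early with a clear error when the password is missing would be safer than a confusing permission failure later in the install. Please also confirm that conn is opened over ldaps or StartTLS, so that cacert=cafile actually protects the Directory Manager password in transit. On the comment itself: it reads as if adding the ACIs causes the denial, while the intent appears to be that masters older than 4.2 lack those ACIs; rewording it that way and fixing "dmlvl" and "this operations" would help the next reader.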
-- 