Re: [Freeipa-devel] [PATCH] 216 Remove memberPrincipal for deleted replicas

2012-03-02 Thread Simo Sorce
On Fri, 2012-03-02 at 12:34 +0100, Martin Kosek wrote:
 +principals.remove(member_principal)
 +mod = [(ldap.MOD_REPLACE, 'memberPrincipal',
 principals)] 

Any special reason why you use a search and then a replace instead of a
delete by value?

A delete by value seems a lot less error prone to me, and should give you
the same results.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
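
The difference between search-then-replace and delete by value raised in the message above, as an added example that is not part of the thread or of FreeIPA: a constructed in-memory entry stands in for the LDAP server, and `Entry`, `cleanup_with_replace`, `cleanup_with_delete` and the sample principals are hypothetical names.

```python
# Constructed in-memory stand-in for one LDAP entry; not python-ldap, not FreeIPA code.
MOD_DELETE, MOD_REPLACE = 1, 2   # play the roles of ldap.MOD_DELETE / ldap.MOD_REPLACE

class NoSuchAttribute(Exception):
    """Stand-in for ldap.NO_SUCH_ATTRIBUTE."""

class Entry:
    def __init__(self, values):
        self.attrs = {"memberPrincipal": list(values)}

    def search(self, attr):
        # Client-side snapshot: stale as soon as another writer modifies the entry.
        return list(self.attrs.get(attr, []))

    def modify(self, mods):
        for op, attr, val in mods:
            if op == MOD_REPLACE:
                self.attrs[attr] = list(val)      # overwrites whatever is stored now
            elif op == MOD_DELETE:
                if val not in self.attrs.get(attr, []):
                    raise NoSuchAttribute(val)
                self.attrs[attr].remove(val)      # touches only the named value

def cleanup_with_replace(entry, stale, concurrent_add):
    principals = entry.search("memberPrincipal")
    # Another writer adds a value between our search and our modify.
    entry.attrs["memberPrincipal"].append(concurrent_add)
    principals.remove(stale)
    entry.modify([(MOD_REPLACE, "memberPrincipal", principals)])
    return entry.search("memberPrincipal")

def cleanup_with_delete(entry, stale, concurrent_add):
    entry.attrs["memberPrincipal"].append(concurrent_add)
    entry.modify([(MOD_DELETE, "memberPrincipal", stale)])
    return entry.search("memberPrincipal")

# Constructed sample principals.
START = ["HTTP/ipa1.example.test@EXAMPLE.TEST", "HTTP/old.example.test@EXAMPLE.TEST"]
NEW = "HTTP/ipa3.example.test@EXAMPLE.TEST"

def demo():
    replaced = cleanup_with_replace(Entry(START), START[1], NEW)
    deleted = cleanup_with_delete(Entry(START), START[1], NEW)
    return replaced, deleted

if __name__ == "__main__":
    for label, result in zip(("replace", "delete "), demo()):
        print(label, result)
```

With the replace, the value written by the concurrent writer is lost along with the stale one; the delete by value removes only the named principal.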


Re: [Freeipa-devel] [PATCH] 216 Remove memberPrincipal for deleted replicas

2012-03-02 Thread Martin Kosek
On Fri, 2012-03-02 at 09:39 -0500, Simo Sorce wrote:
 On Fri, 2012-03-02 at 12:34 +0100, Martin Kosek wrote:
  +principals.remove(member_principal)
  +mod = [(ldap.MOD_REPLACE, 'memberPrincipal',
  principals)] 
 
 Any special reason why you use a search and then a replace instead of a
 delete by value?
 
 A delete by value seems a lot less error prone to me, and should give you
 the same results.
 
 Simo.
 

Hm, thanks, that's a good point and much better approach. Updated patch
is attached.

Martin
From 1427ad4c03f883ddb99711e477671a7a4e4f7a95 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 2 Mar 2012 12:10:27 +0100
Subject: [PATCH] Remove memberPrincipal for deleted replicas

When a replica is deleted, its memberPrincipal entries in
cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica
is reinstalled and connected again, the installer would report
an error with duplicate value in LDAP.

This patch extends replica cleanup procedure to remove replica
principal from s4u2proxy configuration.

https://fedorahosted.org/freeipa/ticket/2451
---
 ipalib/constants.py  |1 +
 ipaserver/install/replication.py |   24 ++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 3c63739faf67b3131e94d929e3c95e5af1d64e8b..dc32533ee9f4be7785b35ace1cd412c2fbaf11d0 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -100,6 +100,7 @@ DEFAULT_CONFIG = (
 ('container_entitlements', 'cn=entitlements,cn=etc'),
 ('container_automember', 'cn=automember,cn=etc'),
 ('container_selinux', 'cn=usermap,cn=selinux'),
+('container_s4u2proxy', 'cn=s4u2proxy,cn=etc'),
 
 # Ports, hosts, and URIs:
 # FIXME: let's renamed xmlrpc_uri to rpc_xml_uri
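Review bot: the new ('container_s4u2proxy', 'cn=s4u2proxy,cn=etc') entry is only consumed by the cleanup code in this patch, while the commit message says the installer writes memberPrincipal values under the same container; it would be worth pointing that add path at api.env.container_s4u2proxy as well, so the add and the cleanup cannot drift apart.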
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 9247b58fc22a8492a8d27d0d596bdb8c8d14bb3c..7e89eeb47f50b1138e6cca078c05eab4468989e4 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -27,8 +27,7 @@ from ipaserver import ipaldap
 from ipapython import services as ipaservices
 import installutils
 from ldap import modlist
-from ipalib import util
-from ipalib import errors
+from ipalib import api, util, errors
 from ipapython import ipautil
 from ipalib.dn import DN
 
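Review bot: this import hunk adds only api, but the new block in ReplicationManager also relies on ldap.MOD_DELETE, ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE and root_logger, and the visible context shows just "from ldap import modlist"; please confirm that "import ldap" and root_logger are already available at module level, otherwise the cleanup fails with a NameError that the generic handler then swallows when force is set.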
@@ -941,6 +940,27 @@ class ReplicationManager(object):
 else:
 err = e
 
+# remove replica memberPrincipal from s4u2proxy configuration
+dn1 = DN(u'cn=ipa-http-delegation', api.env.container_s4u2proxy, self.suffix)
+member_principal1 = HTTP/%(fqdn)s@%(realm)s % dict(fqdn=replica, realm=realm)
+
+dn2 = DN(u'cn=ipa-ldap-delegation-targets', api.env.container_s4u2proxy, self.suffix)
+member_principal2 = ldap/%(fqdn)s@%(realm)s % dict(fqdn=replica, realm=realm)
+
+for (dn, member_principal) in ((str(dn1), member_principal1),
+   (str(dn2), member_principal2)):
+try:
+mod = [(ldap.MOD_DELETE, 'memberPrincipal', member_principal)]
+self.conn.modify_s(dn, mod)
+except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
+root_logger.debug(Replica (%s) memberPrincipal (%s) not found in %s % \
+(replica, member_principal, dn))
+except Exception, e:
+if not force:
+raise e
+elif not err:
+err = e
+
 # delete master entry with all active services
 try:
 dn = 'cn=%s,cn=masters,cn=ipa,cn=etc,%s' % (replica, self.suffix)
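Review bot: in the "except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE)" branch a miss is logged only at debug level, so a memberPrincipal stored in a form that does not match the string built from replica and realm stays in the delegation entry unnoticed, which is the condition the commit message sets out to fix; consider logging at info or warning there. In the generic handler, "raise e" could be a bare "raise" to keep the original traceback, and with force set only the first error is kept in err, so later failures in this loop are dropped silently; logging each one before continuing would help.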
-- 
1.7.7.6


Re: [Freeipa-devel] [PATCH] 216 Remove memberPrincipal for deleted replicas

2012-03-02 Thread Simo Sorce
On Fri, 2012-03-02 at 16:22 +0100, Martin Kosek wrote:
 On Fri, 2012-03-02 at 09:39 -0500, Simo Sorce wrote:
  On Fri, 2012-03-02 at 12:34 +0100, Martin Kosek wrote:
   +principals.remove(member_principal)
   +mod = [(ldap.MOD_REPLACE, 'memberPrincipal',
   principals)] 
  
  Any special reason why you use a search and then a replace instead of a
  delete by value?
  
  A delete by value seems a lot less error prone to me, and should give you
  the same results.
  
  Simo.
  
 
 Hm, thanks, that's a good point and much better approach. Updated patch
 is attached.

Ack.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 216 Remove memberPrincipal for deleted replicas

2012-03-02 Thread Martin Kosek
On Fri, 2012-03-02 at 10:30 -0500, Simo Sorce wrote:
 On Fri, 2012-03-02 at 16:22 +0100, Martin Kosek wrote:
  On Fri, 2012-03-02 at 09:39 -0500, Simo Sorce wrote:
   On Fri, 2012-03-02 at 12:34 +0100, Martin Kosek wrote:
+principals.remove(member_principal)
+mod = [(ldap.MOD_REPLACE, 'memberPrincipal',
principals)] 
   
   Any special reason why you use a search and then a replace instead of a
   delete by value?
   
   A delete by value seems a lot less error prone to me, and should give you
   the same results.
   
   Simo.
   
  
  Hm, thanks, that's a good point and much better approach. Updated patch
  is attached.
 
 Ack.
 
 Simo.
 

Pushed to master, ipa-2-2.

Martin
