Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
> One more point: > > +if domain_level > MIN_DOMAIN_LEVEL: > +raise RuntimeError( > +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( > > It is kind of weird that error happens if domain level is greater than some > minimal value. Better naming is badly needed. > Actually, this is not about naming, MIN_DOMAIN_LEVEL constant should not be used at all. The constant can be increased to 2 or 3 in later releases, which will allow the usage of ipa-replica-prepare even if the domain level of the IPA domain is 1. Unlike other issues with this patch, which could be considered cosmetic, this actually is a real bug in the implementation. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 22.10.2015 14:29, Petr Spacek wrote: On 22.10.2015 14:24, Tomas Babej wrote: On 10/22/2015 02:15 PM, Petr Spacek wrote: On 20.10.2015 17:47, Martin Babinsky wrote: +def check_domainlevel(self, api): +domain_level = dsinstance.get_domain_level(api) +if domain_level > MIN_DOMAIN_LEVEL: +raise RuntimeError( +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( +command_name=self.command_name, +min_domain_level=MIN_DOMAIN_LEVEL, +curr_domain_level=domain_level) +) NACK. This is very very weird function because it compares two values which are not passed as parameters, and also the parameter "api" seems to be unused. At very least a explanatory doc string is needed, but a new name might be even better. Check domain level of what against what? It would be great if function name could answer this question. Also note we have a dedicated exception InvalidDomainLevelError which should be used in such situations. Additionally, I'm not sure if putting this huge blob of text (with instructions) into the exception is the best way forward, imho we can either document it somewhere else ('ipa help something?' wiki?) and reference it here. Alternatively, we can just use a logger to log these instructions instead of passing them in the exception itself. One more point: +if domain_level > MIN_DOMAIN_LEVEL: +raise RuntimeError( +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( It is kind of weird that error happens if domain level is greater than some minimal value. Better naming is badly needed. I acked and pushed this patch 2 days ago, and probably my email has been lost forever, so I did bad review, please sent fix as new patch :( Original patch pushed d81260ef60b64c312e3a164e90ac4faad75c5d82 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 20.10.2015 17:47, Martin Babinsky wrote: > +def check_domainlevel(self, api): > +domain_level = dsinstance.get_domain_level(api) > +if domain_level > MIN_DOMAIN_LEVEL: > +raise RuntimeError( > +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( > +command_name=self.command_name, > +min_domain_level=MIN_DOMAIN_LEVEL, > +curr_domain_level=domain_level) > +) NACK. This is very very weird function because it compares two values which are not passed as parameters, and also the parameter "api" seems to be unused. At very least a explanatory doc string is needed, but a new name might be even better. Check domain level of what against what? It would be great if function name could answer this question. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 22.10.2015 14:24, Tomas Babej wrote: > > > On 10/22/2015 02:15 PM, Petr Spacek wrote: >> On 20.10.2015 17:47, Martin Babinsky wrote: >>> +def check_domainlevel(self, api): >>> +domain_level = dsinstance.get_domain_level(api) >>> +if domain_level > MIN_DOMAIN_LEVEL: >>> +raise RuntimeError( >>> +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( >>> +command_name=self.command_name, >>> +min_domain_level=MIN_DOMAIN_LEVEL, >>> +curr_domain_level=domain_level) >>> +) >> >> NACK. >> >> This is very very weird function because it compares two values which are not >> passed as parameters, and also the parameter "api" seems to be unused. >> >> At very least a explanatory doc string is needed, but a new name might be >> even >> better. >> >> Check domain level of what against what? It would be great if function name >> could answer this question. >> > > Also note we have a dedicated exception InvalidDomainLevelError which > should be used in such situations. > > Additionally, I'm not sure if putting this huge blob of text (with > instructions) into the exception is the best way forward, imho we can > either document it somewhere else ('ipa help something?' wiki?) and > reference it here. > > Alternatively, we can just use a logger to log these instructions > instead of passing them in the exception itself. One more point: +if domain_level > MIN_DOMAIN_LEVEL: +raise RuntimeError( +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( It is kind of weird that error happens if domain level is greater than some minimal value. Better naming is badly needed. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 10/22/2015 02:15 PM, Petr Spacek wrote: > On 20.10.2015 17:47, Martin Babinsky wrote: >> +def check_domainlevel(self, api): >> +domain_level = dsinstance.get_domain_level(api) >> +if domain_level > MIN_DOMAIN_LEVEL: >> +raise RuntimeError( >> +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( >> +command_name=self.command_name, >> +min_domain_level=MIN_DOMAIN_LEVEL, >> +curr_domain_level=domain_level) >> +) > > NACK. > > This is very very weird function because it compares two values which are not > passed as parameters, and also the parameter "api" seems to be unused. > > At very least a explanatory doc string is needed, but a new name might be even > better. > > Check domain level of what against what? It would be great if function name > could answer this question. > Also note we have a dedicated exception InvalidDomainLevelError which should be used in such situations. Additionally, I'm not sure if putting this huge blob of text (with instructions) into the exception is the best way forward, imho we can either document it somewhere else ('ipa help something?' wiki?) and reference it here. Alternatively, we can just use a logger to log these instructions instead of passing them in the exception itself. HTH, Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 10/19/2015 04:51 PM, Martin Babinsky wrote: On 10/19/2015 02:47 PM, Martin Basti wrote: On 15.10.2015 16:29, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5175 NACK with domain level 0 ipa-replica-prepare ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute self.ask_for_options() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 215, in ask_for_options bind_pw=self.dirman_password) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61, in connect self.id, threading.currentThread().getName() ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: Exception: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread' ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread' ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The ipa-replica-prepare command failed. without your patch it works Martin^2 The function was leaking opened backend connection due to incorrect disconnect logic. Updated patch should fix this. Reworked patch attached which used existing function in dsinstance.py to check domain level. However, note that it may require my patch 0088 to function correctly. -- Martin^3 Babinsky From ff54c17fdd39cc06e5cc0241a12edb0a22f7caac Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 15 Oct 2015 16:07:48 +0200 Subject: [PATCH] disable ipa-replica-prepare in non-zero IPA domain level the original replica installation path (ipa-replica-prepare + ipa-replica-install) remains valid only when IPA domain level is zero. When this is not the case, ipa-replica-prepare will print out an error message which instructs the user to use the new replica promotion machinery to setup replicas. https://fedorahosted.org/freeipa/ticket/5175 --- ipaserver/install/ipa_replica_prepare.py | 26 +- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..df79bdfcee71ea9675007d6f80d97f29106624bf 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -41,7 +41,21 @@ from ipapython import version from ipalib import api from ipalib import errors from ipaplatform.paths import paths -from ipalib.constants import CACERT +from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL + + +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """ +Replica creation using '{}' to generate replica file is supported only +in {}-level IPA domain. + +The current IPA domain level is {} and thus the replica must be created by +promoting an existing IPA client. + +To set up a replica use the following procedure: +1.) set up a client on the host using 'ipa-client-install' +2.) promote the client to replica running 'ipa-replica-install' *without* +replica file specified +""" class ReplicaPrepare(admintool.AdminTool): @@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool): api.bootstrap(in_server=True) api.finalize() +self.check_domainlevel(api) + if api.env.host == self.replica_fqdn: raise admintool.ScriptError("You can't create a replica on itself") @@ -673,3 +689,11 @@ class ReplicaPrepare(admintool.AdminTool): '-w', dm_pwd_fd.name, '-o', ca_file ]) + +def check_domainlevel(self, api): +domain_level = dsinstance.get_domain_level(api) +if domain_level > MIN_DOMAIN_LEVEL: +raise RuntimeError( +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( +self.command_name, MIN_DOMAIN_LEVEL, domain_level) +) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 10/20/2015 04:27 PM, Martin Babinsky wrote: On 10/19/2015 04:51 PM, Martin Babinsky wrote: On 10/19/2015 02:47 PM, Martin Basti wrote: On 15.10.2015 16:29, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5175 NACK with domain level 0 ipa-replica-prepare ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute self.ask_for_options() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 215, in ask_for_options bind_pw=self.dirman_password) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61, in connect self.id, threading.currentThread().getName() ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: Exception: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread' ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread' ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The ipa-replica-prepare command failed. without your patch it works Martin^2 The function was leaking opened backend connection due to incorrect disconnect logic. Updated patch should fix this. Reworked patch attached which used existing function in dsinstance.py to check domain level. However, note that it may require my patch 0088 to function correctly. Attaching updated patch. -- Martin^3 Babinsky From b5bcfdc951c7072a0f70d71f26e9a3ce87bbe3ce Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 15 Oct 2015 16:07:48 +0200 Subject: [PATCH 1/2] disable ipa-replica-prepare in non-zero IPA domain level the original replica installation path (ipa-replica-prepare + ipa-replica-install) remains valid only when IPA domain level is zero. When this is not the case, ipa-replica-prepare will print out an error message which instructs the user to use the new replica promotion machinery to setup replicas. https://fedorahosted.org/freeipa/ticket/5175 --- ipaserver/install/ipa_replica_prepare.py | 28 +++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..c573428ed59147cbfe22944787726fc817284680 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -41,7 +41,21 @@ from ipapython import version from ipalib import api from ipalib import errors from ipaplatform.paths import paths -from ipalib.constants import CACERT +from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL + + +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """ +Replica creation using '{command_name}' to generate replica file +is supported only in {min_domain_level}-level IPA domain. + +The current IPA domain level is {curr_domain_level} and thus the replica must +be created by promoting an existing IPA client. + +To set up a replica use the following procedure: +1.) set up a client on the host using 'ipa-client-install' +2.) promote the client to replica running 'ipa-replica-install' +*without* replica file specified +""" class ReplicaPrepare(admintool.AdminTool): @@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool): api.bootstrap(in_server=True) api.finalize() +self.check_domainlevel(api) + if api.env.host == self.replica_fqdn: raise admintool.ScriptError("You can't create a replica on itself") @@ -673,3 +689,13 @@ class ReplicaPrepare(admintool.AdminTool): '-w', dm_pwd_fd.name, '-o', ca_file ]) + +def check_domainlevel(self, api): +domain_level = dsinstance.get_domain_level(api) +if domain_level > MIN_DOMAIN_LEVEL: +raise RuntimeError( +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( +command_name=self.command_name, +min_domain_level=MIN_DOMAIN_LEVEL, +curr_domain_level=domain_level) +) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 15.10.2015 16:29, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5175 NACK with domain level 0 ipa-replica-prepare ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute self.ask_for_options() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 215, in ask_for_options bind_pw=self.dirman_password) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61, in connect self.id, threading.currentThread().getName() ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: Exception: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread' ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread' ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The ipa-replica-prepare command failed. without your patch it works Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 10/15/2015 04:29 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5175 Updated patch attached -- Martin^3 Babinsky From aa899aa5f9d9f55c1f3dcaebf79c3460f937815b Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 15 Oct 2015 16:07:48 +0200 Subject: [PATCH] disable ipa-replica-prepare in non-zero IPA domain level the original replica installation path (ipa-replica-prepare + ipa-replica-install) remains valid only when IPA domain level is zero. When this is not the case, ipa-replica-prepare will print out an error message which instructs the user to use the new replica promotion machinery to setup replicas. https://fedorahosted.org/freeipa/ticket/5175 --- ipaserver/install/ipa_replica_prepare.py | 37 +++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..becfdc300e6bc77d521aa789081aa0cc4f748afb 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -41,7 +41,20 @@ from ipapython import version from ipalib import api from ipalib import errors from ipaplatform.paths import paths -from ipalib.constants import CACERT +from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL + + +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """ +Replica creation using '{}' to generate replica file is supported only +in {}-level IPA domain. + +The current IPA domain level is {} and thus the replica must be created by +promoting an existing IPA client. + +To set up a replica use the following precedure: +1.) set up a client on the host using 'ipa-client-install' +2.) promote the client to replica running 'ipa-replica-install --promote' +""" class ReplicaPrepare(admintool.AdminTool): @@ -161,6 +174,8 @@ class ReplicaPrepare(admintool.AdminTool): api.bootstrap(in_server=True) api.finalize() +self.check_domainlevel(api) + if api.env.host == self.replica_fqdn: raise admintool.ScriptError("You can't create a replica on itself") @@ -673,3 +688,23 @@ class ReplicaPrepare(admintool.AdminTool): '-w', dm_pwd_fd.name, '-o', ca_file ]) + +def check_domainlevel(self, api): +connected = api.Backend.ldap2.isconnected() +try: +if not connected: +api.Backend.ldap2.connect() + +domain_level = api.Command.domainlevel_get()['result'] +except Exception as e: +raise RuntimeError( +"Cannot determine current domain level: {}".format(e)) +finally: +if connected: +api.Backend.ldap2.disconnect() + +if domain_level > MIN_DOMAIN_LEVEL: +raise RuntimeError( +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( +self.command_name, MIN_DOMAIN_LEVEL, domain_level) +) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 10/19/2015 02:47 PM, Martin Basti wrote: On 15.10.2015 16:29, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5175 NACK with domain level 0 ipa-replica-prepare ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute self.ask_for_options() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 215, in ask_for_options bind_pw=self.dirman_password) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61, in connect self.id, threading.currentThread().getName() ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: Exception: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread' ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread' ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The ipa-replica-prepare command failed. without your patch it works Martin^2 The function was leaking opened backend connection due to incorrect disconnect logic. Updated patch should fix this. -- Martin^3 Babinsky From 99f42975f478eabf7bd6ebfbf403d04db2ab6866 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 15 Oct 2015 16:07:48 +0200 Subject: [PATCH] disable ipa-replica-prepare in non-zero IPA domain level the original replica installation path (ipa-replica-prepare + ipa-replica-install) remains valid only when IPA domain level is zero. When this is not the case, ipa-replica-prepare will print out an error message which instructs the user to use the new replica promotion machinery to setup replicas. https://fedorahosted.org/freeipa/ticket/5175 --- ipaserver/install/ipa_replica_prepare.py | 38 +++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..f4214c8b3c9f084bfe2557b6e750bfe7c1670ee6 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -41,7 +41,21 @@ from ipapython import version from ipalib import api from ipalib import errors from ipaplatform.paths import paths -from ipalib.constants import CACERT +from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL + + +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """ +Replica creation using '{}' to generate replica file is supported only +in {}-level IPA domain. + +The current IPA domain level is {} and thus the replica must be created by +promoting an existing IPA client. + +To set up a replica use the following procedure: +1.) set up a client on the host using 'ipa-client-install' +2.) promote the client to replica running 'ipa-replica-install' *without* +replica file specified +""" class ReplicaPrepare(admintool.AdminTool): @@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool): api.bootstrap(in_server=True) api.finalize() +self.check_domainlevel(api) + if api.env.host == self.replica_fqdn: raise admintool.ScriptError("You can't create a replica on itself") @@ -673,3 +689,23 @@ class ReplicaPrepare(admintool.AdminTool): '-w', dm_pwd_fd.name, '-o', ca_file ]) + +def check_domainlevel(self, api): +was_connected = api.Backend.ldap2.isconnected() +try: +if not was_connected: +api.Backend.ldap2.connect() + +domain_level = api.Command.domainlevel_get()['result'] +except Exception as e: +raise RuntimeError( +"Cannot determine current domain level: {}".format(e)) +finally: +if not was_connected: +api.Backend.ldap2.disconnect() + +if domain_level > MIN_DOMAIN_LEVEL: +raise RuntimeError( +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( +self.command_name, MIN_DOMAIN_LEVEL, domain_level) +) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code