Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-23 Thread Tomas Babej
> One more point:
> 
> +if domain_level > MIN_DOMAIN_LEVEL:
> +raise RuntimeError(
> +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
> 
> It is kind of weird that the error happens if the domain level is greater than some
> minimal value. Better naming is badly needed.
> 

Actually, this is not about naming: the MIN_DOMAIN_LEVEL constant should not
be used at all.

The constant can be increased to 2 or 3 in later releases, which will
allow the usage of ipa-replica-prepare even if the domain level of the
IPA domain is 1.

Unlike other issues with this patch, which could be considered cosmetic,
this actually is a real bug in the implementation.

Tomas

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-22 Thread Martin Basti



On 22.10.2015 14:29, Petr Spacek wrote:

On 22.10.2015 14:24, Tomas Babej wrote:


On 10/22/2015 02:15 PM, Petr Spacek wrote:

On 20.10.2015 17:47, Martin Babinsky wrote:

+def check_domainlevel(self, api):
+domain_level = dsinstance.get_domain_level(api)
+if domain_level > MIN_DOMAIN_LEVEL:
+raise RuntimeError(
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
+command_name=self.command_name,
+min_domain_level=MIN_DOMAIN_LEVEL,
+curr_domain_level=domain_level)
+)

NACK.

This is a very, very weird function because it compares two values which are not
passed as parameters, and also the parameter "api" seems to be unused.

At the very least an explanatory docstring is needed, but a new name might be even
better.

Check the domain level of what against what? It would be great if the function name
could answer this question.


Also note we have a dedicated exception InvalidDomainLevelError which
should be used in such situations.

Additionally, I'm not sure if putting this huge blob of text (with
instructions) into the exception is the best way forward; imho we can
either document it somewhere else ('ipa help something?' wiki?) and
reference it here.

Alternatively, we can just use a logger to log these instructions
instead of passing them in the exception itself.

One more point:

+if domain_level > MIN_DOMAIN_LEVEL:
+raise RuntimeError(
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(

It is kind of weird that the error happens if the domain level is greater than some
minimal value. Better naming is badly needed.

I acked and pushed this patch 2 days ago, and probably my email has been 
lost forever, so I did a bad review; please send the fix as a new patch :(


Original patch pushed d81260ef60b64c312e3a164e90ac4faad75c5d82



Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-22 Thread Petr Spacek
On 20.10.2015 17:47, Martin Babinsky wrote:
> +def check_domainlevel(self, api):
> +domain_level = dsinstance.get_domain_level(api)
> +if domain_level > MIN_DOMAIN_LEVEL:
> +raise RuntimeError(
> +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
> +command_name=self.command_name,
> +min_domain_level=MIN_DOMAIN_LEVEL,
> +curr_domain_level=domain_level)
> +)

NACK.

This is a very, very weird function because it compares two values which are not
passed as parameters, and also the parameter "api" seems to be unused.

At the very least an explanatory docstring is needed, but a new name might be even
better.

Check the domain level of what against what? It would be great if the function name
could answer this question.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-22 Thread Petr Spacek
On 22.10.2015 14:24, Tomas Babej wrote:
> 
> 
> On 10/22/2015 02:15 PM, Petr Spacek wrote:
>> On 20.10.2015 17:47, Martin Babinsky wrote:
>>> +def check_domainlevel(self, api):
>>> +domain_level = dsinstance.get_domain_level(api)
>>> +if domain_level > MIN_DOMAIN_LEVEL:
>>> +raise RuntimeError(
>>> +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
>>> +command_name=self.command_name,
>>> +min_domain_level=MIN_DOMAIN_LEVEL,
>>> +curr_domain_level=domain_level)
>>> +)
>>
>> NACK.
>>
>> This is a very, very weird function because it compares two values which are not
>> passed as parameters, and also the parameter "api" seems to be unused.
>>
>> At the very least an explanatory docstring is needed, but a new name might be
>> even better.
>>
>> Check the domain level of what against what? It would be great if the function name
>> could answer this question.
>>
> 
> Also note we have a dedicated exception InvalidDomainLevelError which
> should be used in such situations.
> 
> Additionally, I'm not sure if putting this huge blob of text (with
> instructions) into the exception is the best way forward; imho we can
> either document it somewhere else ('ipa help something?' wiki?) and
> reference it here.
> 
> Alternatively, we can just use a logger to log these instructions
> instead of passing them in the exception itself.

One more point:

+if domain_level > MIN_DOMAIN_LEVEL:
+raise RuntimeError(
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(

It is kind of weird that the error happens if the domain level is greater than some
minimal value. Better naming is badly needed.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-22 Thread Tomas Babej


On 10/22/2015 02:15 PM, Petr Spacek wrote:
> On 20.10.2015 17:47, Martin Babinsky wrote:
>> +def check_domainlevel(self, api):
>> +domain_level = dsinstance.get_domain_level(api)
>> +if domain_level > MIN_DOMAIN_LEVEL:
>> +raise RuntimeError(
>> +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
>> +command_name=self.command_name,
>> +min_domain_level=MIN_DOMAIN_LEVEL,
>> +curr_domain_level=domain_level)
>> +)
> 
> NACK.
> 
> This is a very, very weird function because it compares two values which are not
> passed as parameters, and also the parameter "api" seems to be unused.
> 
> At the very least an explanatory docstring is needed, but a new name might be
> even better.
> 
> Check the domain level of what against what? It would be great if the function name
> could answer this question.
> 

Also note we have a dedicated exception InvalidDomainLevelError which
should be used in such situations.

Additionally, I'm not sure if putting this huge blob of text (with
instructions) into the exception is the best way forward; imho we can
either document it somewhere else ('ipa help something?' wiki?) and
reference it here.

Alternatively, we can just use a logger to log these instructions
instead of passing them in the exception itself.

HTH,

Tomas



Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-20 Thread Martin Babinsky

On 10/19/2015 04:51 PM, Martin Babinsky wrote:

On 10/19/2015 02:47 PM, Martin Basti wrote:



On 15.10.2015 16:29, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5175




NACK

with domain level 0

ipa-replica-prepare 

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in
execute
 self.ask_for_options()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 215, in ask_for_options
 bind_pw=self.dirman_password)
   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61,
in connect
 self.id, threading.currentThread().getName()
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: Exception: connect:
'context.ldap2_140616703529424' already exists in thread 'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
connect: 'context.ldap2_140616703529424' already exists in thread
'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The
ipa-replica-prepare command failed.

without your patch it works

Martin^2


The function was leaking an open backend connection due to incorrect
disconnect logic. The updated patch should fix this.



Reworked patch attached, which uses the existing function in dsinstance.py to 
check the domain level.


However, note that it may require my patch 0088 to function correctly.

--
Martin^3 Babinsky
From ff54c17fdd39cc06e5cc0241a12edb0a22f7caac Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 15 Oct 2015 16:07:48 +0200
Subject: [PATCH] disable ipa-replica-prepare in non-zero IPA domain level

the original replica installation path (ipa-replica-prepare +
ipa-replica-install) remains valid only when IPA domain level is zero. When
this is not the case, ipa-replica-prepare will print out an error message which
instructs the user to use the new replica promotion machinery to setup
replicas.

https://fedorahosted.org/freeipa/ticket/5175
---
 ipaserver/install/ipa_replica_prepare.py | 26 +-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..df79bdfcee71ea9675007d6f80d97f29106624bf 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -41,7 +41,21 @@ from ipapython import version
 from ipalib import api
 from ipalib import errors
 from ipaplatform.paths import paths
-from ipalib.constants import CACERT
+from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL
+
+
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
+Replica creation using '{}' to generate replica file is supported only
+in {}-level IPA domain.
+
+The current IPA domain level is {} and thus the replica must be created by
+promoting an existing IPA client.
+
+To set up a replica use the following procedure:
+1.) set up a client on the host using 'ipa-client-install'
+2.) promote the client to replica running 'ipa-replica-install' *without*
+replica file specified
+"""
 
 
 class ReplicaPrepare(admintool.AdminTool):
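Review bot: the positional `{}` placeholders in `UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE` depend on the argument order at the single `.format()` call site, and a reader of the template cannot tell which blank is the command and which is the level; named fields such as `{command_name}` and `{curr_domain_level}` make both the template and the call self-documenting. `in {}-level IPA domain` also renders as "in 0-level IPA domain", which reads awkwardly; "at domain level {}" would be clearer.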
@@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool):
 api.bootstrap(in_server=True)
 api.finalize()
 
+self.check_domainlevel(api)
+
 if api.env.host == self.replica_fqdn:
 raise admintool.ScriptError("You can't create a replica on itself")
 
@@ -673,3 +689,11 @@ class ReplicaPrepare(admintool.AdminTool):
 '-w', dm_pwd_fd.name,
 '-o', ca_file
 ])
+
+def check_domainlevel(self, api):
+domain_level = dsinstance.get_domain_level(api)
+if domain_level > MIN_DOMAIN_LEVEL:
+raise RuntimeError(
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
+self.command_name, MIN_DOMAIN_LEVEL, domain_level)
+)
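Review bot: `if domain_level > MIN_DOMAIN_LEVEL:` guards on the wrong constant. MIN_DOMAIN_LEVEL expresses the lowest domain level this server build supports, not the level at which replica files are still valid, so once it is raised in a later release `ipa-replica-prepare` would be allowed again at level 1, the very case the commit message says must be refused. Compare against level 0 explicitly (`if domain_level != 0:`, or a constant dedicated to that meaning) and state the rule in a docstring, since the name `check_domainlevel` does not say what is compared with what; a name such as `check_domainlevel_allows_replica_file` would.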
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-20 Thread Martin Babinsky

On 10/20/2015 04:27 PM, Martin Babinsky wrote:

On 10/19/2015 04:51 PM, Martin Babinsky wrote:

On 10/19/2015 02:47 PM, Martin Basti wrote:



On 15.10.2015 16:29, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5175




NACK

with domain level 0

ipa-replica-prepare 

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in
execute
 self.ask_for_options()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 215, in ask_for_options
 bind_pw=self.dirman_password)
   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61,
in connect
 self.id, threading.currentThread().getName()
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: Exception: connect:
'context.ldap2_140616703529424' already exists in thread 'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
connect: 'context.ldap2_140616703529424' already exists in thread
'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The
ipa-replica-prepare command failed.

without your patch it works

Martin^2


The function was leaking an open backend connection due to incorrect
disconnect logic. The updated patch should fix this.




Reworked patch attached, which uses the existing function in dsinstance.py to
check the domain level.

However, note that it may require my patch 0088 to function correctly.




Attaching updated patch.

--
Martin^3 Babinsky
From b5bcfdc951c7072a0f70d71f26e9a3ce87bbe3ce Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 15 Oct 2015 16:07:48 +0200
Subject: [PATCH 1/2] disable ipa-replica-prepare in non-zero IPA domain level

the original replica installation path (ipa-replica-prepare +
ipa-replica-install) remains valid only when IPA domain level is zero. When
this is not the case, ipa-replica-prepare will print out an error message which
instructs the user to use the new replica promotion machinery to setup
replicas.

https://fedorahosted.org/freeipa/ticket/5175
---
 ipaserver/install/ipa_replica_prepare.py | 28 +++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..c573428ed59147cbfe22944787726fc817284680 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -41,7 +41,21 @@ from ipapython import version
 from ipalib import api
 from ipalib import errors
 from ipaplatform.paths import paths
-from ipalib.constants import CACERT
+from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL
+
+
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
+Replica creation using '{command_name}' to generate replica file
+is supported only in {min_domain_level}-level IPA domain.
+
+The current IPA domain level is {curr_domain_level} and thus the replica must
+be created by promoting an existing IPA client.
+
+To set up a replica use the following procedure:
+1.) set up a client on the host using 'ipa-client-install'
+2.) promote the client to replica running 'ipa-replica-install'
+*without* replica file specified
+"""
 
 
 class ReplicaPrepare(admintool.AdminTool):
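Review bot: the two-step setup instructions in `UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE` are delivered as the exception message, so the admin tool's error logging will print a multi-paragraph guide where a one-line failure reason is expected, and anything that monitors the log for this failure has to match a paragraph. Keep the exception to the mismatch itself (for example "replica files are not supported at domain level {curr_domain_level}") and emit the guidance through the tool's logger or a pointer to the documentation, as suggested earlier in the thread.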
@@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool):
 api.bootstrap(in_server=True)
 api.finalize()
 
+self.check_domainlevel(api)
+
 if api.env.host == self.replica_fqdn:
 raise admintool.ScriptError("You can't create a replica on itself")
 
@@ -673,3 +689,13 @@ class ReplicaPrepare(admintool.AdminTool):
 '-w', dm_pwd_fd.name,
 '-o', ca_file
 ])
+
+def check_domainlevel(self, api):
+domain_level = dsinstance.get_domain_level(api)
+if domain_level > MIN_DOMAIN_LEVEL:
+raise RuntimeError(
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
+command_name=self.command_name,
+min_domain_level=MIN_DOMAIN_LEVEL,
+curr_domain_level=domain_level)
+)
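Review bot: raising `RuntimeError` here is inconsistent with the rest of this file, which raises `admintool.ScriptError` for user-facing refusals (see the `You can't create a replica on itself` context line in the earlier hunk); a ScriptError, or the `InvalidDomainLevelError` that ipalib already defines, exits with a clean message and status instead of surfacing as a generic exception. Independently of the exception class, `> MIN_DOMAIN_LEVEL` permits the replica-file path at whatever level a future build treats as its minimum; the intent stated in the commit message is "level zero only", so test for that level directly.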
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-19 Thread Martin Basti



On 15.10.2015 16:29, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5175




NACK

with domain level 0

ipa-replica-prepare 

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in 
execute

self.ask_for_options()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", 
line 215, in ask_for_options

bind_pw=self.dirman_password)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61, 
in connect

self.id, threading.currentThread().getName()
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The 
ipa-replica-prepare command failed, exception: Exception: connect: 
'context.ldap2_140616703529424' already exists in thread 'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: 
connect: 'context.ldap2_140616703529424' already exists in thread 
'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The 
ipa-replica-prepare command failed.


without your patch it works

Martin^2

Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-19 Thread Martin Babinsky

On 10/15/2015 04:29 PM, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5175




Updated patch attached

--
Martin^3 Babinsky
From aa899aa5f9d9f55c1f3dcaebf79c3460f937815b Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 15 Oct 2015 16:07:48 +0200
Subject: [PATCH] disable ipa-replica-prepare in non-zero IPA domain level

the original replica installation path (ipa-replica-prepare +
ipa-replica-install) remains valid only when IPA domain level is zero. When
this is not the case, ipa-replica-prepare will print out an error message which
instructs the user to use the new replica promotion machinery to setup
replicas.

https://fedorahosted.org/freeipa/ticket/5175
---
 ipaserver/install/ipa_replica_prepare.py | 37 +++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..becfdc300e6bc77d521aa789081aa0cc4f748afb 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -41,7 +41,20 @@ from ipapython import version
 from ipalib import api
 from ipalib import errors
 from ipaplatform.paths import paths
-from ipalib.constants import CACERT
+from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL
+
+
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
+Replica creation using '{}' to generate replica file is supported only
+in {}-level IPA domain.
+
+The current IPA domain level is {} and thus the replica must be created by
+promoting an existing IPA client.
+
+To set up a replica use the following precedure:
+1.) set up a client on the host using 'ipa-client-install'
+2.) promote the client to replica running 'ipa-replica-install --promote'
+"""
 
 
 class ReplicaPrepare(admintool.AdminTool):
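Review bot: typo in the user-facing template: `+To set up a replica use the following precedure:` should read "procedure". The message is printed verbatim to administrators, so it is worth a spell-check pass before the string is frozen.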
@@ -161,6 +174,8 @@ class ReplicaPrepare(admintool.AdminTool):
 api.bootstrap(in_server=True)
 api.finalize()
 
+self.check_domainlevel(api)
+
 if api.env.host == self.replica_fqdn:
 raise admintool.ScriptError("You can't create a replica on itself")
 
@@ -673,3 +688,23 @@ class ReplicaPrepare(admintool.AdminTool):
 '-w', dm_pwd_fd.name,
 '-o', ca_file
 ])
+
+def check_domainlevel(self, api):
+connected = api.Backend.ldap2.isconnected()
+try:
+if not connected:
+api.Backend.ldap2.connect()
+
+domain_level = api.Command.domainlevel_get()['result']
+except Exception as e:
+raise RuntimeError(
+"Cannot determine current domain level: {}".format(e))
+finally:
+if connected:
+api.Backend.ldap2.disconnect()
+
+if domain_level > MIN_DOMAIN_LEVEL:
+raise RuntimeError(
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
+self.command_name, MIN_DOMAIN_LEVEL, domain_level)
+)
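Review bot: the connection bookkeeping in `check_domainlevel` is inverted. `finally: if connected: api.Backend.ldap2.disconnect()` tears down a connection the caller had already established, while the connection this method opens itself (the `if not connected: connect()` branch) is never closed; the next `connect()` in `ask_for_options` then fails with "context.ldap2_... already exists in thread 'MainThread'", which is exactly the traceback reported against this version. The condition should be `if not connected:` so the method only closes what it opened. Catching bare `Exception` also folds programming errors into the "Cannot determine current domain level" message; catch the ipalib error classes and let the rest propagate.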
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-19 Thread Martin Babinsky

On 10/19/2015 02:47 PM, Martin Basti wrote:



On 15.10.2015 16:29, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5175




NACK

with domain level 0

ipa-replica-prepare 

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in
execute
 self.ask_for_options()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 215, in ask_for_options
 bind_pw=self.dirman_password)
   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61,
in connect
 self.id, threading.currentThread().getName()
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: Exception: connect:
'context.ldap2_140616703529424' already exists in thread 'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
connect: 'context.ldap2_140616703529424' already exists in thread
'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The
ipa-replica-prepare command failed.

without your patch it works

Martin^2


The function was leaking an open backend connection due to incorrect 
disconnect logic. The updated patch should fix this.


--
Martin^3 Babinsky
From 99f42975f478eabf7bd6ebfbf403d04db2ab6866 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 15 Oct 2015 16:07:48 +0200
Subject: [PATCH] disable ipa-replica-prepare in non-zero IPA domain level

the original replica installation path (ipa-replica-prepare +
ipa-replica-install) remains valid only when IPA domain level is zero. When
this is not the case, ipa-replica-prepare will print out an error message which
instructs the user to use the new replica promotion machinery to setup
replicas.

https://fedorahosted.org/freeipa/ticket/5175
---
 ipaserver/install/ipa_replica_prepare.py | 38 +++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..f4214c8b3c9f084bfe2557b6e750bfe7c1670ee6 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -41,7 +41,21 @@ from ipapython import version
 from ipalib import api
 from ipalib import errors
 from ipaplatform.paths import paths
-from ipalib.constants import CACERT
+from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL
+
+
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
+Replica creation using '{}' to generate replica file is supported only
+in {}-level IPA domain.
+
+The current IPA domain level is {} and thus the replica must be created by
+promoting an existing IPA client.
+
+To set up a replica use the following procedure:
+1.) set up a client on the host using 'ipa-client-install'
+2.) promote the client to replica running 'ipa-replica-install' *without*
+replica file specified
+"""
 
 
 class ReplicaPrepare(admintool.AdminTool):
@@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool):
 api.bootstrap(in_server=True)
 api.finalize()
 
+self.check_domainlevel(api)
+
 if api.env.host == self.replica_fqdn:
 raise admintool.ScriptError("You can't create a replica on itself")
 
@@ -673,3 +689,23 @@ class ReplicaPrepare(admintool.AdminTool):
 '-w', dm_pwd_fd.name,
 '-o', ca_file
 ])
+
+def check_domainlevel(self, api):
+was_connected = api.Backend.ldap2.isconnected()
+try:
+if not was_connected:
+api.Backend.ldap2.connect()
+
+domain_level = api.Command.domainlevel_get()['result']
+except Exception as e:
+raise RuntimeError(
+"Cannot determine current domain level: {}".format(e))
+finally:
+if not was_connected:
+api.Backend.ldap2.disconnect()
+
+if domain_level > MIN_DOMAIN_LEVEL:
+raise RuntimeError(
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
+self.command_name, MIN_DOMAIN_LEVEL, domain_level)
+)
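Review bot: the disconnect logic is now correct (only a connection `check_domainlevel` opened itself is closed), but `except Exception as e` still converts every failure, including attribute errors and typos in this very method, into a `RuntimeError` reading "Cannot determine current domain level", which hides the real cause during debugging. The module already has `from ipalib import errors`; catching `errors.PublicError` (the base of ipalib's public exceptions) and letting everything else propagate keeps bugs visible. The `> MIN_DOMAIN_LEVEL` comparison also still admits the replica-file path at any level a later release defines as its minimum; compare with level 0, the only level the commit message says is supported.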
-- 
2.4.3
