Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-02-01 Thread Martin Basti



On 29.01.2016 18:06, Martin Basti wrote:

On 29.01.2016 09:01, Martin Babinsky wrote:

On 01/20/2016 09:40 AM, Martin Babinsky wrote:

On 01/14/2016 05:29 PM, Martin Babinsky wrote:

On 01/13/2016 05:59 PM, Rob Crittenden wrote:

Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restoring the config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.


You could also just do an action set on URI to change the value, right?
It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to dereference
the ticket).

rob


Here's the patch that implements the change in URI directive. Please
keep in mind that we not only have to change the URI to point to
ourselves, we also have to do it in a way consistent with
ipa-client-install, i.e. leave a comment with new URI if it was already
set by third party.

Plain 'addifnotset' directive will not do, however, because then we end
up with two comments, one original, and one pointing to ourselves. Plain
'set' may rewrite the URI set by user and thus we would have to test its
value anyway.

The correct handling of these cases coupled with a way IPAChangeConf is
written results in a solution presented here.

The fact that it is not much shorter than configure_openldap_conf and is
additionally pretty ugly (a fact at least partially caused by me not
being very fluent in IPAChangeConf usage) led me to the conclusion that
restoring original ldap.conf and reusing already written code for
reediting it anew with replica as URI is actually not that bad an idea.


Bump for review/discussion.


Another bump.


Works for me, ACK


Pushed to:
master: 23f5edb4be08b359c6acd8a18a5e23c3dd784136
ipa-4-3: c61bc48de6a75a948adad2032bd69d96007be444

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-29 Thread Martin Basti



On 29.01.2016 09:01, Martin Babinsky wrote:

On 01/20/2016 09:40 AM, Martin Babinsky wrote:

On 01/14/2016 05:29 PM, Martin Babinsky wrote:

On 01/13/2016 05:59 PM, Rob Crittenden wrote:

Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restoring the config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.


You could also just do an action set on URI to change the value, right?
It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to dereference
the ticket).

rob


Here's the patch that implements the change in URI directive. Please
keep in mind that we not only have to change the URI to point to
ourselves, we also have to do it in a way consistent with
ipa-client-install, i.e. leave a comment with new URI if it was already
set by third party.

Plain 'addifnotset' directive will not do, however, because then we end
up with two comments, one original, and one pointing to ourselves. Plain
'set' may rewrite the URI set by user and thus we would have to test its
value anyway.

The correct handling of these cases coupled with a way IPAChangeConf is
written results in a solution presented here.

The fact that it is not much shorter than configure_openldap_conf and is
additionally pretty ugly (a fact at least partially caused by me not
being very fluent in IPAChangeConf usage) led me to the conclusion that
restoring original ldap.conf and reusing already written code for
reediting it anew with replica as URI is actually not that bad an idea.


Bump for review/discussion.


Another bump.


Works for me, ACK



Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-29 Thread Martin Babinsky

On 01/20/2016 09:40 AM, Martin Babinsky wrote:

On 01/14/2016 05:29 PM, Martin Babinsky wrote:

On 01/13/2016 05:59 PM, Rob Crittenden wrote:

Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restoring the
config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.


You could also just do an action set on URI to change the value, right?
It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to dereference
the ticket).

rob



Here's the patch that implements the change in URI directive. Please
keep in mind that we not only have to change the URI to point to
ourselves, we also have to do it in a way consistent with
ipa-client-install, i.e. leave a comment with new URI if it was already
set by third party.

Plain 'addifnotset' directive will not do, however, because then we end
up with two comments, one original, and one pointing to ourselves. Plain
'set' may rewrite the URI set by user and thus we would have to test its
value anyway.

The correct handling of these cases coupled with a way IPAChangeConf is
written results in a solution presented here.

The fact that it is not much shorter than configure_openldap_conf and is
additionally pretty ugly (a fact at least partially caused by me not
being very fluent in IPAChangeConf usage) led me to the conclusion that
restoring original ldap.conf and reusing already written code for
reediting it anew with replica as URI is actually not that bad an idea.





Bump for review/discussion.


Another bump.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-20 Thread Martin Babinsky

On 01/14/2016 05:29 PM, Martin Babinsky wrote:

On 01/13/2016 05:59 PM, Rob Crittenden wrote:

Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restoring the config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.


You could also just do an action set on URI to change the value, right?
It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to dereference
the ticket).

rob



Here's the patch that implements the change in URI directive. Please
keep in mind that we not only have to change the URI to point to
ourselves, we also have to do it in a way consistent with
ipa-client-install, i.e. leave a comment with new URI if it was already
set by third party.

Plain 'addifnotset' directive will not do, however, because then we end
up with two comments, one original, and one pointing to ourselves. Plain
'set' may rewrite the URI set by user and thus we would have to test its
value anyway.

The correct handling of these cases coupled with a way IPAChangeConf is
written results in a solution presented here.

The fact that it is not much shorter than configure_openldap_conf and is
additionally pretty ugly (a fact at least partially caused by me not
being very fluent in IPAChangeConf usage) led me to the conclusion that
restoring original ldap.conf and reusing already written code for
reediting it anew with replica as URI is actually not that bad an idea.





Bump for review/discussion.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-14 Thread Martin Babinsky

On 01/13/2016 05:59 PM, Rob Crittenden wrote:

Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restoring the config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.


You could also just do an action set on URI to change the value, right?
It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to dereference
the ticket).

rob



Here's the patch that implements the change in URI directive. Please 
keep in mind that we not only have to change the URI to point to 
ourselves, we also have to do it in a way consistent with 
ipa-client-install, i.e. leave a comment with new URI if it was already 
set by third party.


Plain 'addifnotset' directive will not do, however, because then we end 
up with two comments, one original, and one pointing to ourselves. Plain 
'set' may rewrite the URI set by user and thus we would have to test its 
value anyway.


The correct handling of these cases coupled with a way IPAChangeConf is 
written results in a solution presented here.


The fact that it is not much shorter than configure_openldap_conf and is 
additionally pretty ugly (a fact at least partially caused by me not 
being very fluent in IPAChangeConf usage) led me to the conclusion that 
restoring original ldap.conf and reusing already written code for
reediting it anew with replica as URI is actually not that bad an idea.


--
Martin^3 Babinsky
From 41d0441d19756a6809fa0c522f7c61980df127d6 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 14 Jan 2016 17:15:31 +0100
Subject: [PATCH] reset ldap.conf to point to newly installer replica after
 promotion

When promoting a client to replica reset openldap client config so that it no
longer uses remote master as default LDAP hosts but uses local connection to
replica. Also make sure that the behavior regarding editing of user-customized
config is consistent with the client installer.

https://fedorahosted.org/freeipa/ticket/5488
---
 ipaserver/install/server/replicainstall.py | 44 ++
 1 file changed, 44 insertions(+)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 7edee88e101ff59b516c97934e201bed69671cdb..f0f973160467b2c2b603302949e5c30a46d96953 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -443,6 +443,49 @@ def promote_sssd(host_name):
 root_logger.warning("SSSD service restart was unsuccessful.")
 
 
+def promote_openldap_conf(hostname, master):
+"""
+Reset the URI directive in openldap-client configuration file to point to
+newly promoted replica. If this directive was set by third party, then
+replace the added comment with the one pointing to replica
+
+:param hostname: replica FQDN
+:param master: FQDN of remote master
+"""
+
+ldap_conf = paths.OPENLDAP_LDAP_CONF
+
+ldap_change_conf = ipaclient.ipachangeconf.IPAChangeConf(
+"IPA replica installer")
+ldap_change_conf.setOptionAssignment((" ", "\t"))
+
+new_opts = []
+
+with open(ldap_conf, 'r') as f:
+old_opts = ldap_change_conf.parse(f)
+
+for opt in old_opts:
+if opt['type'] == 'comment' and master in opt['value']:
+continue
+elif (opt['type'] == 'option' and opt['name'] == 'URI' and
+master in opt['value']):
+continue
+new_opts.append(opt)
+
+change_opts = [
+{'action': 'addifnotset',
+ 'name': 'URI',
+ 'type': 'option',
+ 'value': 'ldaps://' + hostname}
+]
+
+try:
+ldap_change_conf.newConf(ldap_conf, new_opts)
+ldap_change_conf.changeConf(ldap_conf, change_opts)
+except Exception as e:
+root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
+
+
 @common_cleanup
 def install_check(installer):
 options = installer
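
Review bot: In the filtering loop of promote_openldap_conf(), `master in opt['value']` is a substring test, so a comment that merely mentions the master's FQDN, a URI line that lists the master next to other servers, and a URI for a host whose name contains the master's FQDN are all dropped whole. Compare the host part of each URI exactly against master and restrict comment removal to the comment the installer itself added. Separately, newConf() and changeConf() write the same file one after the other inside one try block, so a failure in the second call leaves ldap.conf rewritten but without the new URI; write once, or keep a backup to restore from.
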
@@ -1373,6 +1416,7 @@ def promote(installer):
 custodia.import_dm_password(config.master_host_name)
 
 promote_sssd(config.host_name)
+promote_openldap_conf(config.host_name, config.master_host_name)
 
 # Switch API so that it uses the new servr configuration
 server_api = create_api(mode=None)
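
Review bot: The new call in promote() can never fail visibly, because promote_openldap_conf() catches every Exception and reports it only through root_logger.info, so promotion carries on and finishes while ldap.conf may still point at the remote master. Log the failure at warning level, as the promote_sssd() context line at the top of the first hunk does for a failed SSSD restart, or return a status that promote() can check.
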
-- 
2.5.0
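
The URI handling described in the message above (change a URI that points at the master, leave a third-party URI alone and record the replica in a single comment), written as a stand-alone function; this is an added example, not the patch's code and not IPAChangeConf. The marker text, function names and hostnames are assumptions, and hosts are compared exactly rather than by substring.

```python
from urllib.parse import urlsplit

# Constructed marker; not the comment text ipa-client-install really writes.
MARK = "# example-installer hint:"


def uri_hosts(value):
    """Exact, lower-cased hostnames named in an ldap.conf URI value."""
    return {(urlsplit(u).hostname or "").lower() for u in value.split()}


def repoint_uri(text, master, replica):
    """Return ldap.conf text that prefers the replica without clobbering
    a URI somebody else configured."""
    new_uri = "URI ldaps://" + replica
    out, seen_uri = [], False
    for line in text.splitlines():
        if line.startswith(MARK):
            continue  # drop our earlier hint so hints never accumulate
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "URI" and not seen_uri:
            seen_uri = True
            hosts = uri_hosts(parts[1])
            if hosts == {master.lower()}:
                out.append(new_uri)  # value pointed only at the old master
                continue
            if replica.lower() not in hosts:
                out.append(MARK + " " + new_uri)  # third-party value: hint only
        out.append(line)
    if not seen_uri:
        out.append(new_uri)  # nothing configured yet: set it outright
    return "\n".join(out) + "\n"


# Constructed sample files (hostnames are placeholders).
MASTER, REPLICA = "master.example.test", "replica.example.test"
CLIENT_CONF = "URI ldaps://master.example.test\nBASE dc=example,dc=test\n"
# Host name merely *contains* the master's FQDN; a substring test would match.
THIRD_PARTY_CONF = (MARK + " URI ldaps://master.example.test\n"
                    "URI ldap://xmaster.example.test\n")

if __name__ == "__main__":
    for sample in (CLIENT_CONF, THIRD_PARTY_CONF):
        print(repoint_uri(sample, MASTER, REPLICA))
```

Running the function a second time on its own output returns the same text, so repeated promotion attempts do not stack comments.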


Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-14 Thread Martin Babinsky

On 01/13/2016 05:59 PM, Rob Crittenden wrote:

Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restoring the config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.


You could also just do an action set on URI to change the value, right?
It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to dereference
the ticket).

rob

In hindsight my approach is probably overkill for this case. I will
rework the patches to only set the URI directive after promotion.


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-13 Thread Martin Basti



On 13.01.2016 17:59, Rob Crittenden wrote:

Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restoring the config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.

You could also just do an action set on URI to change the value, right?
It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to dereference
the ticket).

rob


NACK

Traceback (most recent call last):
  File "./makeapi", line 459, in <module>
    sys.exit(main())
  File "./makeapi", line 430, in main
    api.finalize()
  File "/root/freeipa/ipalib/plugable.py", line 658, in finalize
    self.__do_if_not_done('load_plugins')
  File "/root/freeipa/ipalib/plugable.py", line 372, in __do_if_not_done
    getattr(self, name)()
  File "/root/freeipa/ipalib/plugable.py", line 536, in load_plugins
    self.import_plugins(module)
  File "/root/freeipa/ipalib/plugable.py", line 574, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/root/freeipa/ipalib/plugins/baseuser.py", line 33, in <module>
    from ipapython.ipautil import ipa_generate_password
  File "/root/freeipa/ipapython/ipautil.py", line 49, in <module>
    from ipaclient.ipachangeconf import IPAChangeConf
ImportError: No module named ipaclient.ipachangeconf
Traceback (most recent call last):
  File "./makeaci", line 35, in <module>
    from ipapython.ipaldap import LDAPClient
  File "/root/freeipa/ipapython/ipaldap.py", line 41, in <module>
    from ipapython.ipautil import (
  File "/root/freeipa/ipapython/ipautil.py", line 49, in <module>
    from ipaclient.ipachangeconf import IPAChangeConf
ImportError: No module named ipaclient.ipachangeconf
Makefile:138: recipe for target 'version-update' failed



Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-13 Thread Rob Crittenden
Martin Babinsky wrote:
> fixes https://fedorahosted.org/freeipa/ticket/5584
> 
> In order to ensure consistent behavior with ipa-client-install, I opted
> to reuse the configure_openldap_conf() function and restoring the config
> from client sysrestore before modifying it.
> 
> If you think this approach is not optimal please propose an alternative
> solution.

You could also just do an action set on URI to change the value, right?
It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to dereference
the ticket).

rob



Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-13 Thread Martin Babinsky

On 01/13/2016 05:42 PM, Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restoring the config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.




Messed up the mail again, oh well.

This is the correct ticket URL:
https://fedorahosted.org/freeipa/ticket/5488

--
Martin^3 Babinsky
