Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 29.01.2016 18:06, Martin Basti wrote:
> On 29.01.2016 09:01, Martin Babinsky wrote:
>> On 01/20/2016 09:40 AM, Martin Babinsky wrote:
>>> On 01/14/2016 05:29 PM, Martin Babinsky wrote:
>>>> On 01/13/2016 05:59 PM, Rob Crittenden wrote:
>>>>> Martin Babinsky wrote:
>>>>>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>>>>>
>>>>>> In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it.
>>>>>>
>>>>>> If you think this approach is not optimal please propose an alternative solution.
>>>>>
>>>>> You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.
>>>>>
>>>>> If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to deference the ticket).
>>>>>
>>>>> rob
>>>>
>>>> Here's the patch that implements the change in URI directive.
>>>>
>>>> Please keep in mind that we not only have to change the URI to point to ourselves, we also have to do it in a way consistent with ipa-client-install, i.e. leave a comment with new URI if it was already set by third party.
>>>>
>>>> Plain 'addifnotset' directive will not do, however, because then we end up with two comments, one original, and one pointing to ourselves. Plain 'set' may rewrite the URI set by user and thus we would have to test its value anyway.
>>>>
>>>> The correct handling of these cases coupled with a way IPAChangeConf is written results in a solution presented here. The fact that it is not much shorter than configure_openldap_conf and is additionally pretty ugly (a fact at least partially caused by me not being very fluent in IPAChangeConf usage) led me to the conclusion that restoring original ldap.conf and reusing already written code for reediting it anew with replica as URI is actually not that bad an idea.
>>>
>>> Bump for review/discussion.
>>
>> Another bump.
>
> Works for me, ACK

Pushed to:
master: 23f5edb4be08b359c6acd8a18a5e23c3dd784136
ipa-4-3: c61bc48de6a75a948adad2032bd69d96007be444

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 29.01.2016 09:01, Martin Babinsky wrote:
> On 01/20/2016 09:40 AM, Martin Babinsky wrote:
>> On 01/14/2016 05:29 PM, Martin Babinsky wrote:
>>> On 01/13/2016 05:59 PM, Rob Crittenden wrote:
>>>> Martin Babinsky wrote:
>>>>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>>>>
>>>>> In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it.
>>>>>
>>>>> If you think this approach is not optimal please propose an alternative solution.
>>>>
>>>> You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.
>>>>
>>>> If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to deference the ticket).
>>>>
>>>> rob
>>>
>>> Here's the patch that implements the change in URI directive.
>>>
>>> Please keep in mind that we not only have to change the URI to point to ourselves, we also have to do it in a way consistent with ipa-client-install, i.e. leave a comment with new URI if it was already set by third party.
>>>
>>> Plain 'addifnotset' directive will not do, however, because then we end up with two comments, one original, and one pointing to ourselves. Plain 'set' may rewrite the URI set by user and thus we would have to test its value anyway.
>>>
>>> The correct handling of these cases coupled with a way IPAChangeConf is written results in a solution presented here. The fact that it is not much shorter than configure_openldap_conf and is additionally pretty ugly (a fact at least partially caused by me not being very fluent in IPAChangeConf usage) led me to the conclusion that restoring original ldap.conf and reusing already written code for reediting it anew with replica as URI is actually not that bad an idea.
>>
>> Bump for review/discussion.
>
> Another bump.

Works for me, ACK
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 01/20/2016 09:40 AM, Martin Babinsky wrote:
> On 01/14/2016 05:29 PM, Martin Babinsky wrote:
>> On 01/13/2016 05:59 PM, Rob Crittenden wrote:
>>> Martin Babinsky wrote:
>>>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>>>
>>>> In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it.
>>>>
>>>> If you think this approach is not optimal please propose an alternative solution.
>>>
>>> You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.
>>>
>>> If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to deference the ticket).
>>>
>>> rob
>>
>> Here's the patch that implements the change in URI directive.
>>
>> Please keep in mind that we not only have to change the URI to point to ourselves, we also have to do it in a way consistent with ipa-client-install, i.e. leave a comment with new URI if it was already set by third party.
>>
>> Plain 'addifnotset' directive will not do, however, because then we end up with two comments, one original, and one pointing to ourselves. Plain 'set' may rewrite the URI set by user and thus we would have to test its value anyway.
>>
>> The correct handling of these cases coupled with a way IPAChangeConf is written results in a solution presented here. The fact that it is not much shorter than configure_openldap_conf and is additionally pretty ugly (a fact at least partially caused by me not being very fluent in IPAChangeConf usage) led me to the conclusion that restoring original ldap.conf and reusing already written code for reediting it anew with replica as URI is actually not that bad an idea.
>
> Bump for review/discussion.

Another bump.

--
Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 01/14/2016 05:29 PM, Martin Babinsky wrote:
> On 01/13/2016 05:59 PM, Rob Crittenden wrote:
>> Martin Babinsky wrote:
>>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>>
>>> In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it.
>>>
>>> If you think this approach is not optimal please propose an alternative solution.
>>
>> You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.
>>
>> If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to deference the ticket).
>>
>> rob
>
> Here's the patch that implements the change in URI directive.
>
> Please keep in mind that we not only have to change the URI to point to ourselves, we also have to do it in a way consistent with ipa-client-install, i.e. leave a comment with new URI if it was already set by third party.
>
> Plain 'addifnotset' directive will not do, however, because then we end up with two comments, one original, and one pointing to ourselves. Plain 'set' may rewrite the URI set by user and thus we would have to test its value anyway.
>
> The correct handling of these cases coupled with a way IPAChangeConf is written results in a solution presented here. The fact that it is not much shorter than configure_openldap_conf and is additionally pretty ugly (a fact at least partially caused by me not being very fluent in IPAChangeConf usage) led me to the conclusion that restoring original ldap.conf and reusing already written code for reediting it anew with replica as URI is actually not that bad an idea.

Bump for review/discussion.

--
Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 01/13/2016 05:59 PM, Rob Crittenden wrote:
> Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>
>> In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it.
>>
>> If you think this approach is not optimal please propose an alternative solution.
>
> You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.
>
> If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to deference the ticket).
>
> rob

Here's the patch that implements the change in URI directive.

Please keep in mind that we not only have to change the URI to point to ourselves, we also have to do it in a way consistent with ipa-client-install, i.e. leave a comment with new URI if it was already set by third party.

Plain 'addifnotset' directive will not do, however, because then we end up with two comments, one original, and one pointing to ourselves. Plain 'set' may rewrite the URI set by user and thus we would have to test its value anyway.

The correct handling of these cases coupled with a way IPAChangeConf is written results in a solution presented here. The fact that it is not much shorter than configure_openldap_conf and is additionally pretty ugly (a fact at least partially caused by me not being very fluent in IPAChangeConf usage) led me to the conclusion that restoring original ldap.conf and reusing already written code for reediting it anew with replica as URI is actually not that bad an idea.

--
Martin^3 Babinsky

From 41d0441d19756a6809fa0c522f7c61980df127d6 Mon Sep 17 00:00:00 2001
From: Martin Babinsky Date: Thu, 14 Jan 2016 17:15:31 +0100 Subject: [PATCH] reset ldap.conf to point to newly installer replica after promotion When promoting a client to replica reset openldap client config so that it no longer uses remote master as default LDAP hosts but uses local connection to replica. Also make sure that the behavior regarding editing of user-customized config is consistent with the client installer. https://fedorahosted.org/freeipa/ticket/5488 --- ipaserver/install/server/replicainstall.py | 44 ++ 1 file changed, 44 insertions(+) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 7edee88e101ff59b516c97934e201bed69671cdb..f0f973160467b2c2b603302949e5c30a46d96953 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -443,6 +443,49 @@ def promote_sssd(host_name): root_logger.warning("SSSD service restart was unsuccessful.") +def promote_openldap_conf(hostname, master): +""" +Reset the URI directive in openldap-client configuration file to point to +newly promoted replica. If this directive was set by third party, then +replace the added comment with the one pointing to replica + +:param hostname: replica FQDN +:param master: FQDN of remote master +""" + +ldap_conf = paths.OPENLDAP_LDAP_CONF + +ldap_change_conf = ipaclient.ipachangeconf.IPAChangeConf( +"IPA replica installer") +ldap_change_conf.setOptionAssignment((" ", "\t")) + +new_opts = [] + +with open(ldap_conf, 'r') as f: +old_opts = ldap_change_conf.parse(f) + +for opt in old_opts: +if opt['type'] == 'comment' and master in opt['value']: +continue +elif (opt['type'] == 'option' and opt['name'] == 'URI' and +master in opt['value']): +continue +new_opts.append(opt) + +change_opts = [ +{'action': 'addifnotset', + 'name': 'URI', + 'type': 'option', + 'value': 'ldaps://' + hostname} +] + +try: +ldap_change_conf.newConf(ldap_conf, new_opts) +ldap_change_conf.changeConf(ldap_conf, change_opts) +except Exception as e: +root_logger.info("Failed to update {}: {}".format(ldap_conf, e)) + + @common_cleanup def install_check(installer): options = installer @@ -1373,6 +1416,7 @@ def promote(installer): custodia.import_dm_password(config.master_host_name) promote_sssd(config.host_name) +promote_openldap_conf(config.host_name, config.master_host_name) # Switch API so that it uses the new servr configuration server_api = create_api(mode=None) -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
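Review bot: In the loop over old_opts in promote_openldap_conf(), the test "master in opt['value']" is a substring match, so it drops every comment that merely mentions the master's FQDN and every URI line that contains it, including a URI value that also lists other servers and a host whose name only contains the master's name as a substring. Suggest splitting the URI value into its individual ldap:// and ldaps:// entries and comparing host names exactly, and removing only comments that match what the client installer writes, so that user-customized lines survive as the commit message intends.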
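Review bot: The except block at the end of promote_openldap_conf() reports a failed rewrite with root_logger.info and returns, so the call added to promote() carries on as if ldap.conf now pointed to the replica. newConf() and changeConf() also share one try, so if changeConf() fails after newConf() has already written the file, the master URI is gone and nothing has replaced it. Suggest logging at warning level, as promote_sssd() does in the context lines just above, and keeping a copy of the original file to restore on failure. The open()/parse() step sits outside the try, so an unreadable ldap.conf raises out of promote() while write errors are swallowed; handle both the same way.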
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 01/13/2016 05:59 PM, Rob Crittenden wrote:
> Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>
>> In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it.
>>
>> If you think this approach is not optimal please propose an alternative solution.
>
> You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.
>
> If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to deference the ticket).
>
> rob

In hindsight my approach is probably overkill for this case. I will rework the patches to only set the URI directive after promotion.

--
Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 13.01.2016 17:59, Rob Crittenden wrote:
> Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>
>> In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it.
>>
>> If you think this approach is not optimal please propose an alternative solution.
>
> You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.
>
> If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to deference the ticket).
>
> rob

NACK

Traceback (most recent call last):
  File "./makeapi", line 459, in <module>
    sys.exit(main())
  File "./makeapi", line 430, in main
    api.finalize()
  File "/root/freeipa/ipalib/plugable.py", line 658, in finalize
    self.__do_if_not_done('load_plugins')
  File "/root/freeipa/ipalib/plugable.py", line 372, in __do_if_not_done
    getattr(self, name)()
  File "/root/freeipa/ipalib/plugable.py", line 536, in load_plugins
    self.import_plugins(module)
  File "/root/freeipa/ipalib/plugable.py", line 574, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/root/freeipa/ipalib/plugins/baseuser.py", line 33, in <module>
    from ipapython.ipautil import ipa_generate_password
  File "/root/freeipa/ipapython/ipautil.py", line 49, in <module>
    from ipaclient.ipachangeconf import IPAChangeConf
ImportError: No module named ipaclient.ipachangeconf
Traceback (most recent call last):
  File "./makeaci", line 35, in <module>
    from ipapython.ipaldap import LDAPClient
  File "/root/freeipa/ipapython/ipaldap.py", line 41, in <module>
    from ipapython.ipautil import (
  File "/root/freeipa/ipapython/ipautil.py", line 49, in <module>
    from ipaclient.ipachangeconf import IPAChangeConf
ImportError: No module named ipaclient.ipachangeconf
Makefile:138: recipe for target 'version-update' failed
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
Martin Babinsky wrote:
> fixes https://fedorahosted.org/freeipa/ticket/5584
>
> In order to ensure consistent behavior with ipa-client-install, I opted
> to reuse the configure_openldap_conf() function and restoring the config
> from client sysrestore before modifying it.
>
> If you think this approach is not optimal please propose an alternative
> solution.

You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to deference the ticket).

rob
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 01/13/2016 05:42 PM, Martin Babinsky wrote:
> fixes https://fedorahosted.org/freeipa/ticket/5584
>
> In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it.
>
> If you think this approach is not optimal please propose an alternative solution.

messed up the mail again oh well. This is the correct ticket URL:

https://fedorahosted.org/freeipa/ticket/5488

--
Martin^3 Babinsky