From 4caf0c14ad38a1dae494489b13f4109cdb3ba340 Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Fri, 6 Jul 2018 00:04:39 +0200

Subject: [PATCH] Delay enabling services until end of installer

Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer

created as enabled. Instead they are flagged as configuredService. At

the very end of the installer, the service entries are switched from

configured to enabled service.

- SRV records are created at the very end of the installer.

- Dogtag installer only picks fully installed servers

- Certmonger ignores all configured but not yet enabled servers.

Fixes: https://pagure.io/freeipa/issue/7566

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 install/tools/ipa-adtrust-install          |  6 +-

 install/tools/ipa-ca-install               | 12 ++-

 install/tools/ipa-dns-install              |  4 +

 ipaserver/dns_data_management.py           | 18 +++--

 ipaserver/install/adtrustinstance.py       |  6 +-

 ipaserver/install/bindinstance.py          |  8 +-

 ipaserver/install/cainstance.py            |  2 +-

 ipaserver/install/dnskeysyncinstance.py    |  4 +-

 ipaserver/install/httpinstance.py          |  4 +-

 ipaserver/install/ipa_kra_install.py       |  7 ++

 ipaserver/install/krainstance.py           |  2 +-

 ipaserver/install/krbinstance.py           |  4 +-

 ipaserver/install/odsexporterinstance.py   |  4 +-

 ipaserver/install/opendnssecinstance.py    |  6 +-

 ipaserver/install/server/install.py        | 18 +++--

 ipaserver/install/server/replicainstall.py |  8 +-

 ipaserver/install/service.py               | 88 ++++++++++++++++++++--

 ipaserver/plugins/serverrole.py            |  7 +-

 18 files changed, 161 insertions(+), 47 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install

index d4e5d4c09cf6b7c1521bcecb79bb6fd7235fc799..a870d136e242affe6627cd4c44a173a80a9ab1c6 100755

--- a/install/tools/ipa-adtrust-install

+++ b/install/tools/ipa-adtrust-install

@@ -32,7 +32,7 @@ import six

 from optparse import SUPPRESS_HELP  # pylint: disable=deprecated-module

 from ipalib.install import sysrestore

-from ipaserver.install import adtrust

+from ipaserver.install import adtrust, service

 from ipaserver.install.installutils import (

     read_password,

     check_server_configuration,

@@ -212,6 +212,10 @@ def main():

     adtrust.install_check(True, options, api)

     adtrust.install(True, options, fstore, api)

+    # Enable configured services and update DNS SRV records

+    service.enable_services(api.env.host)

+    api.Command.dns_update_system_records()

+

     print("""

 =============================================================================

 Setup complete

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install

index e4e24fb8c5261e77dd9d3e89cbe42dba519b932e..f78f43d94981d29939a247f3c492c5e7340298ea 100755

--- a/install/tools/ipa-ca-install

+++ b/install/tools/ipa-ca-install

@@ -332,18 +332,26 @@ def main():

     )

     api.finalize()

     api.Backend.ldap2.connect()

-

     domain_level = dsinstance.get_domain_level(api)

+

     if domain_level > DOMAIN_LEVEL_0:

         promote(safe_options, options, filename)

     else:

         install(safe_options, options, filename)

+    # pki-spawn restarts 389-DS, reconnect

+    api.Backend.ldap2.close()

+    api.Backend.ldap2.connect()

+

+    # Enable configured services and update DNS SRV records

+    service.enable_services(api.env.host)

+    api.Command.dns_update_system_records()

+    api.Backend.ldap2.disconnect()

+

     # execute ipactl to refresh services status

     ipautil.run(['ipactl', 'start', '--ignore-service-failures'],

                 raiseonerr=False)

-    api.Backend.ldap2.disconnect()

 fail_message = '''

 Your system may be partly configured.

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install

index a7f136b16ab4871518f5fd776d49e55c2364c54e..57dde5a5da4fad162c93e9e0416b54961de4c1e3 100755

--- a/install/tools/ipa-dns-install

+++ b/install/tools/ipa-dns-install

@@ -37,6 +37,7 @@ from ipapython.config import IPAOptionParser

 from ipapython.ipa_log_manager import standard_logging_setup

 from ipaserver.install import dns as dns_installer

+from ipaserver.install import service

 logger = logging.getLogger(os.path.basename(__file__))

@@ -148,6 +149,9 @@ def main():

     dns_installer.install_check(True, api, False, options, hostname=api.env.host)

     dns_installer.install(True, False, options)

+    # Enable configured services and update DNS SRV records

+    service.enable_services(api.env.host)

+    api.Command.dns_update_system_records()

     # execute ipactl to refresh services status

     ipautil.run(['ipactl', 'start', '--ignore-service-failures'],

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py

index 675dd481b461aa14d8adf8393a2168ac84ecac86..673397ef2b2252f431eec1f3e1f71dc45ff87511 100644

--- a/ipaserver/dns_data_management.py

+++ b/ipaserver/dns_data_management.py

@@ -68,11 +68,11 @@ class IPASystemRecords(object):

     PRIORITY_HIGH = 0

     PRIORITY_LOW = 50

-    def __init__(self, api_instance):

+    def __init__(self, api_instance, all_servers=False):

         self.api_instance = api_instance

         self.domain_abs = DNSName(self.api_instance.env.domain).make_absolute()

         self.servers_data = {}

-        self.__init_data()

+        self.__init_data(all_servers=all_servers)

     def reload_data(self):

         """

@@ -92,14 +92,16 @@ class IPASystemRecords(object):

     def __get_location_suffix(self, location):

         return location + DNSName('_locations') + self.domain_abs

-    def __init_data(self):

+    def __init_data(self, all_servers=False):

         self.servers_data = {}

-        servers_result = self.api_instance.Command.server_find(

-            no_members=False,

-            servrole=u"IPA master",  # only active, fully installed masters

-        )['result']

-        for s in servers_result:

+        kwargs = dict(no_members=False)

+        if not all_servers:

+            # only active, fully installed masters]

+            kwargs["servrole"] = u"IPA master"

+        servers = self.api_instance.Command.server_find(**kwargs)

+

+        for s in servers['result']:

             weight, location, roles = self.__get_server_attrs(s)

             self.servers_data[s['cn'][0]] = {

                 'weight': weight,

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py

index a075801ebec20ea8277445e0bac788c06e0b0a91..2da46d67495014fb38e5ee8c6a98ede93ef8762d 100644

--- a/ipaserver/install/adtrustinstance.py

+++ b/ipaserver/install/adtrustinstance.py

@@ -581,7 +581,7 @@ class ADTRUSTInstance(service.Service):

             self.print_msg(err_msg)

             self.print_msg("Add the following service records to your DNS " \

                            "server for DNS zone %s: " % zone)

-            system_records = IPASystemRecords(api)

+            system_records = IPASystemRecords(api, all_servers=True)

             adtrust_records = system_records.get_base_records(

                 [self.fqdn], ["AD trust controller"],

                 include_master_role=False, include_kerberos_realm=False)

@@ -736,12 +736,12 @@ class ADTRUSTInstance(service.Service):

         # Note that self.dm_password is None for ADTrustInstance because

         # we ensure to be called as root and using ldapi to use autobind

         try:

-            self.ldap_enable('ADTRUST', self.fqdn, None, self.suffix)

+            self.ldap_configure('ADTRUST', self.fqdn, None, self.suffix)

         except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):

             logger.info("ADTRUST Service startup entry already exists.")

         try:

-            self.ldap_enable('EXTID', self.fqdn, None, self.suffix)

+            self.ldap_configure('EXTID', self.fqdn, None, self.suffix)

         except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):

             logger.info("EXTID Service startup entry already exists.")

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py

index 203a6405f815d47c0dc33977e77012a2c85916ff..7c858aab4417ccf3a4999fcaaa1c7e0f93464e4d 100644

--- a/ipaserver/install/bindinstance.py

+++ b/ipaserver/install/bindinstance.py

@@ -669,7 +669,7 @@ class BindInstance(service.Service):

         return normalize_zone(self.host_domain) == normalize_zone(self.domain)

     def create_file_with_system_records(self):

-        system_records = IPASystemRecords(self.api)

+        system_records = IPASystemRecords(self.api, all_servers=True)

         text = u'\n'.join(

             IPASystemRecords.records_list_from_zone(

                 system_records.get_base_records()

@@ -746,7 +746,7 @@ class BindInstance(service.Service):

         # Instead we reply on the IPA init script to start only enabled

         # components as found in our LDAP configuration tree

         try:

-            self.ldap_enable('DNS', self.fqdn, None, self.suffix)

+            self.ldap_configure('DNS', self.fqdn, None, self.suffix)

         except errors.DuplicateEntry:

             # service already exists (forced DNS reinstall)

             # don't crash, just report error

@@ -1180,7 +1180,9 @@ class BindInstance(service.Service):

             except ValueError as error:

                 logger.debug('%s', error)

-        # disabled by default, by ldap_enable()

+        installutils.rmtree(paths.BIND_LDAP_DNS_IPA_WORKDIR)

+

+        # disabled by default, by ldap_configure()

         if enabled:

             self.enable()

         else:

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py

index b58fbb4c881d247d6b5fb661f4085ec82c3cc811..51fdbe9c61e06ab9d72d78aee8786f9bceca137b 100644

--- a/ipaserver/install/cainstance.py

+++ b/ipaserver/install/cainstance.py

@@ -1258,7 +1258,7 @@ class CAInstance(DogtagInstance):

             config = ['caRenewalMaster']

         else:

             config = []

-        self.ldap_enable('CA', self.fqdn, None, basedn, config)

+        self.ldap_configure('CA', self.fqdn, None, basedn, config)

     def setup_lightweight_ca_key_retrieval(self):

         if sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval'):

diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py

index b865ee8aa79c17502a3784878f8f6f45d05213a6..2e773f3adae8130f578e6f3fbfe8c3a414d523cb 100644

--- a/ipaserver/install/dnskeysyncinstance.py

+++ b/ipaserver/install/dnskeysyncinstance.py

@@ -382,8 +382,8 @@ class DNSKeySyncInstance(service.Service):

     def __enable(self):

         try:

-            self.ldap_enable('DNSKeySync', self.fqdn, None,

-                             self.suffix, self.extra_config)

+            self.ldap_configure('DNSKeySync', self.fqdn, None,

+                                self.suffix, self.extra_config)

         except errors.DuplicateEntry:

             logger.error("DNSKeySync service already exists")

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py

index bdd79b1dafda7de664eed664a18bf36c541212bc..0b7023c2f1b0feb996e0dd0adbefbd49c51da757 100644

--- a/ipaserver/install/httpinstance.py

+++ b/ipaserver/install/httpinstance.py

@@ -196,7 +196,7 @@ class HTTPInstance(service.Service):

         # We do not let the system start IPA components on its own,

         # Instead we reply on the IPA init script to start only enabled

         # components as found in our LDAP configuration tree

-        self.ldap_enable('HTTP', self.fqdn, None, self.suffix)

+        self.ldap_configure('HTTP', self.fqdn, None, self.suffix)

     def configure_selinux_for_httpd(self):

         try:

@@ -609,7 +609,7 @@ class HTTPInstance(service.Service):

         if running:

             self.restart()

-        # disabled by default, by ldap_enable()

+        # disabled by default, by ldap_configure()

         if enabled:

             self.enable()

diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py

index 07e11ea69ded8832015dd69ea43ff338c5f9df95..b536685f5f1f3fccab07fd37aa001958e2d38420 100644

--- a/ipaserver/install/ipa_kra_install.py

+++ b/ipaserver/install/ipa_kra_install.py

@@ -227,4 +227,11 @@ class KRAInstaller(KRAInstall):

             logger.error('%s', dedent(self.FAIL_MESSAGE))

             raise

+        # pki-spawn restarts 389-DS, reconnect

+        api.Backend.ldap2.close()

+        api.Backend.ldap2.connect()

+

+        # Enable configured services and update DNS SRV records

+        service.enable_services(api.env.host)

+        api.Command.dns_update_system_records()

         api.Backend.ldap2.disconnect()

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py

index 9483f0ec4edbabea0f7eff0dd5dd223377653536..c1daa2869b7cba79e29d2db61c090c145304397f 100644

--- a/ipaserver/install/krainstance.py

+++ b/ipaserver/install/krainstance.py

@@ -392,4 +392,4 @@ class KRAInstance(DogtagInstance):

                 directives[nickname], cert)

     def __enable_instance(self):

-        self.ldap_enable('KRA', self.fqdn, None, self.suffix)

+        self.ldap_configure('KRA', self.fqdn, None, self.suffix)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py

index a356d5e0c1b96dc6511c335fc22a326a2133bdd8..33d66fb94b0a1f7571b22120e5159a0e0ad2e675 100644

--- a/ipaserver/install/krbinstance.py

+++ b/ipaserver/install/krbinstance.py

@@ -242,7 +242,7 @@ class KrbInstance(service.Service):

         # We do not let the system start IPA components on its own,

         # Instead we reply on the IPA init script to start only enabled

         # components as found in our LDAP configuration tree

-        self.ldap_enable('KDC', self.fqdn, None, self.suffix)

+        self.ldap_configure('KDC', self.fqdn, None, self.suffix)

     def __start_instance(self):

         try:

@@ -607,7 +607,7 @@ class KrbInstance(service.Service):

             except ValueError as error:

                 logger.debug("%s", error)

-        # disabled by default, by ldap_enable()

+        # disabled by default, by ldap_configure()

         if enabled:

             self.enable()

diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py

index b301a167f80d171c0dd0e6282a6021fcbdca8f9e..4856f5642d8e2c4c9e9089cd44a85e759c4c6ca0 100644

--- a/ipaserver/install/odsexporterinstance.py

+++ b/ipaserver/install/odsexporterinstance.py

@@ -73,8 +73,8 @@ class ODSExporterInstance(service.Service):

     def __enable(self):

         try:

-            self.ldap_enable('DNSKeyExporter', self.fqdn, None,

-                             self.suffix)

+            self.ldap_configure('DNSKeyExporter', self.fqdn, None,

+                                self.suffix)

         except errors.DuplicateEntry:

             logger.error("DNSKeyExporter service already exists")

diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py

index d608294cbbab9179d95b2333323f5d378940a936..0337bb22fea44f95ee9077423136353a991325db 100644

--- a/ipaserver/install/opendnssecinstance.py

+++ b/ipaserver/install/opendnssecinstance.py

@@ -140,8 +140,8 @@ class OpenDNSSECInstance(service.Service):

     def __enable(self):

         try:

-            self.ldap_enable('DNSSEC', self.fqdn, None,

-                             self.suffix, self.extra_config)

+            self.ldap_configure('DNSSEC', self.fqdn, None,

+                                self.suffix, self.extra_config)

         except errors.DuplicateEntry:

             logger.error("DNSSEC service already exists")

@@ -372,7 +372,7 @@ class OpenDNSSECInstance(service.Service):

         self.restore_state("kasp_db_configured")  # just eat state

-        # disabled by default, by ldap_enable()

+        # disabled by default, by ldap_configure()

         if enabled:

             self.enable()

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py

index e96ae97c74ee1598683d1ef3f2570e8de93c9943..a341408f78f24055d807ae49c8a0cda81bfb3ec4 100644

--- a/ipaserver/install/server/install.py

+++ b/ipaserver/install/server/install.py

@@ -870,14 +870,6 @@ def install(installer):

     if options.setup_dns:

         dns.install(False, False, options)

-    else:

-        # Create a BIND instance

-        bind = bindinstance.BindInstance(fstore)

-        bind.setup(host_name, ip_addresses, realm_name,

-                   domain_name, (), 'first', (),

-                   zonemgr=options.zonemgr,

-                   no_dnssec_validation=options.no_dnssec_validation)

-        bind.create_file_with_system_records()

     if options.setup_adtrust:

         adtrust.install(False, options, fstore, api)

@@ -906,6 +898,16 @@ def install(installer):

     except Exception:

         raise ScriptError("Configuration of client side components failed!")

+    # Enable configured services and update DNS SRV records

+    service.enable_services(host_name)

+    api.Command.dns_update_system_records()

+

+    if not options.setup_dns:

+        # After DNS and AD trust are configured and services are

+        # enabled, create a dummy instance to dump DNS configuration.

+        bind = bindinstance.BindInstance(fstore)

+        bind.create_file_with_system_records()

+

     # Everything installed properly, activate ipa service.

     services.knownservices.ipa.enable()

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py

index 33f3ae9e616b34a3ab0ff8e4257552855e817e7c..0bf3568a300a133fa505dc8fc339c6677f9c5f73 100644

--- a/ipaserver/install/server/replicainstall.py

+++ b/ipaserver/install/server/replicainstall.py

@@ -1520,14 +1520,11 @@ def install(installer):

     if options.setup_dns:

         dns.install(False, True, options, api)

-    else:

-        api.Command.dns_update_system_records()

     if options.setup_adtrust:

         adtrust.install(False, options, fstore, api)

     ca_servers = service.find_providing_servers('CA', api.Backend.ldap2, api)

-    api.Backend.ldap2.disconnect()

     if not promote:

         # Call client install script

@@ -1556,6 +1553,11 @@ def install(installer):

         # remove the extracted replica file

         remove_replica_info_dir(installer)

+    # Enable configured services and update DNS SRV records

+    service.enable_services(config.host_name)

+    api.Command.dns_update_system_records()

+    api.Backend.ldap2.disconnect()

+

     # Everything installed properly, activate ipa service.

     services.knownservices.ipa.enable()

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py

index 4c320de9d64676373cd41ff839889f2448a19a46..0106379ea38e4a3fef8436256d6f315f524b8dee 100644

--- a/ipaserver/install/service.py

+++ b/ipaserver/install/service.py

@@ -27,6 +27,7 @@ import socket

 import datetime

 import traceback

 import tempfile

+import warnings

 import six

@@ -62,6 +63,10 @@ SERVICE_LIST = {

     'DNSKeySync': ('ipa-dnskeysyncd', 110),

 }

+CONFIGURED_SERVICE = u'configuredService'

+ENABLED_SERVICE = 'enabledService'

+

+

 def print_msg(message, output_fd=sys.stdout):

     logger.debug("%s", message)

     output_fd.write(message)

@@ -123,7 +128,7 @@ def find_providing_servers(svcname, conn, api):

     """

     dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)

     query_filter = conn.make_filter({'objectClass': 'ipaConfigObject',

-                                     'ipaConfigString': 'enabledService',

+                                     'ipaConfigString': ENABLED_SERVICE,

                                      'cn': svcname}, rules='&')

     try:

         entries, _trunc = conn.find_entries(filter=query_filter, base_dn=dn)

@@ -232,6 +237,51 @@ def set_service_entry_config(name, fqdn, config_values,

         raise e

+def enable_services(fqdn):

+    """Change all configured services to enabled

+

+    Server.ldap_configure() only marks a service as configured. Services

+    are enabled at the very end of installation.

+

+    Note: DNS records must be updated with dns_update_system_records, too.

+

+    :param fqdn: hostname of server

+    """

+    ldap2 = api.Backend.ldap2

+    search_base = DN(('cn', fqdn), api.env.container_masters, api.env.basedn)

+    search_filter = ldap2.make_filter(

+        {

+            'objectClass': 'ipaConfigObject',

+            'ipaConfigString': CONFIGURED_SERVICE

+        },

+        rules='&'

+    )

+    entries = ldap2.get_entries(

+        search_base,

+        filter=search_filter,

+        scope=api.Backend.ldap2.SCOPE_ONELEVEL,

+        attrs_list=['cn', 'ipaConfigString']

+    )

+    for entry in entries:

+        name = entry['cn']

+        cfgstrings = entry.setdefault('ipaConfigString', [])

+        for value in list(cfgstrings):

+            if value.lower() == CONFIGURED_SERVICE.lower():

+                cfgstrings.remove(value)

+        if not case_insensitive_attr_has_value(cfgstrings, ENABLED_SERVICE):

+            cfgstrings.append(ENABLED_SERVICE)

+

+        try:

+            ldap2.update_entry(entry)

+        except errors.EmptyModlist:

+            logger.debug("Nothing to do for service %s", name)

+        except Exception:

+            logger.exception("failed to set service %s config values", name)

+            raise

+        else:

+            logger.debug("Enabled service %s for %s", name, fqdn)

+

+

 class Service(object):

     def __init__(self, service_name, service_desc=None, sstore=None,

                  fstore=None, api=api, realm_name=None,

@@ -538,7 +588,35 @@ class Service(object):

         self.steps = []

     def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='',

-                    config=[]):

+                    config=()):

+        """Legacy function, all services should use ldap_configure()

+        """

+        warnings.warn(

+            "ldap_enable is deprecated, use ldap_configure instead.",

+            DeprecationWarning,

+            stacklevel=2

+        )

+        self._ldap_enable(ENABLED_SERVICE, name, fqdn, ldap_suffix, config)

+

+    def ldap_configure(self, name, fqdn, dm_password=None, ldap_suffix='',

+                       config=()):

+        """Create or modify service entry in cn=masters,cn=ipa,cn=etc

+

+        Contrary to ldap_enable(), the method only sets

+        ipaConfigString=configuredService. ipaConfigString=enabledService

+        is set at the very end of the installation process, to ensure that

+        other machines see this master/replica after it is fully installed.

+

+        To switch all configured services to enabled, use::

+

+            ipaserver.install.service.enable_services(api.env.host)

+            api.Command.dns_update_system_records()

+        """

+        self._ldap_enable(

+            CONFIGURED_SERVICE, name, fqdn, ldap_suffix, config

+        )

+

+    def _ldap_enable(self, value, name, fqdn, ldap_suffix, config):

         extra_config_opts = [

             ' '.join([u'startOrder', unicode(SERVICE_LIST[name][1])])

         ]

@@ -549,7 +627,7 @@ class Service(object):

         set_service_entry_config(

             name,

             fqdn,

-            [u'enabledService'],

+            [value],

             ldap_suffix=ldap_suffix,

             post_add_config=extra_config_opts)

@@ -575,7 +653,7 @@ class Service(object):

         # case insensitive

         for value in entry.get('ipaConfigString', []):

-            if value.lower() == u'enabledservice':

+            if value.lower() == ENABLED_SERVICE:

                 entry['ipaConfigString'].remove(value)

                 break

@@ -688,7 +766,7 @@ class SimpleServiceInstance(Service):

         if self.gensvc_name == None:

             self.enable()

         else:

-            self.ldap_enable(self.gensvc_name, self.fqdn, None, self.suffix)

+            self.ldap_configure(self.gensvc_name, self.fqdn, None, self.suffix)

     def is_installed(self):

         return self.service.is_installed()

diff --git a/ipaserver/plugins/serverrole.py b/ipaserver/plugins/serverrole.py

index 5b7ccfb342d0a54bfd6f2cdc53c7d31201ed5989..199978000ce8cf783bda50c46b7c9fa109f70ad6 100644

--- a/ipaserver/plugins/serverrole.py

+++ b/ipaserver/plugins/serverrole.py

@@ -15,16 +15,21 @@ IPA server roles

 """) + _("""

 Get status of roles (DNS server, CA, etc.) provided by IPA masters.

 """) + _("""

+The status of a role is either enabled, configured, or absent.

+""") + _("""

 EXAMPLES:

 """) + _("""

   Show status of 'DNS server' role on a server:

     ipa server-role-show ipa.example.com "DNS server"

 """) + _("""

   Show status of all roles containing 'AD' on a server:

-    ipa server-role-find --server ipa.example.com --role='AD'

+    ipa server-role-find --server ipa.example.com --role="AD trust controller"

 """) + _("""

   Show status of all configured roles on a server:

     ipa server-role-find ipa.example.com

+""") + _("""

+  Show implicit IPA master role:

+    ipa server-role-find --include-master

 """)

-- 

2.17.1