From 542297d937d538e3353e06dd052a2e77d594dae8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 13 Jun 2019 21:54:58 +0200
Subject: [PATCH] DL0 replica install: fix nsDS5ReplicaBindDN config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When setting up a 4.x replica in DL0 from a 3.x replica, the first 4.x
replica installation succeeds but if a second 4.x replica is configured,
the replication is not properly set.
This happens because the replica setup needs to add nsDS5ReplicaBindDN:
krbprincipalname=ldap/replica@DOMAIN to the entry
cn=replica,cn=...,cn=mapping tree,cn=config in order to allow replication
(on the 3.x master, the replication manager group is not supported yet).
The issue is that this attribute is added only when the entry
cn=replication managers,cn=sysaccounts,cn=etc,$BASEDN
does not exist. This condition is true for the first replica install but
false for the second replica install.
The fix consists in checking if the remote server has ds version < 1.3.3
(in this case it is a 3.x server). If it's the case, the installer
will use nsDS5ReplicaBindDN attribute with the replica krbprincipalname.
Otherwise the nsDS5ReplicaBindDN attribute will use the replication manager
group.
Fixes: https://pagure.io/freeipa/issue/7976
Reviewed-By: François Cami <fcami@redhat.com>
---
ipaserver/install/replication.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 8644b9ff618d28614a319d6da6a2041fea3c1c1f..c188bd6f5e4d13af7b12f5e0528ee135772af7ab 100644
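--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1730,9 +1730,14 @@ class ReplicationManager(object):
 try:
 conn.get_entry(self.repl_man_group_dn)
 except errors.NotFound:
- self._add_replica_bind_dn(conn, my_dn)
 self._add_replication_managers(conn)
 
+ # On IPA 3.x masters (ds version < 1.3.3),
+ # add replica bind DN directly into the replica entry
+ vendor_version = get_ds_version(conn)
+ if vendor_version < (1, 3, 3):
+ self._add_replica_bind_dn(conn, my_dn)
+
 self._add_dn_to_replication_managers(conn, my_dn)
 self._add_dn_to_replication_managers(conn, remote_dn)
 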
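Review bot: The new `if vendor_version < (1, 3, 3):` gate decides whether a Kerberos principal is listed in nsDS5ReplicaBindDN, which is an authorization grant for replication, yet nothing in the hunk covers the case where `get_ds_version(conn)` cannot determine a version. Whether that helper raises or returns a non-tuple is not visible here; if it can return `None`, the comparison would abort the install with a TypeError on Python 3, so the failure mode is worth confirming. `_add_replica_bind_dn` is now reached on every pass against a pre-1.3.3 server rather than only when the replication managers entry is missing, so it must tolerate the value already being present; its body is outside the hunk. I would also name the threshold, for example `REPL_MAN_GROUP_MIN_DS_VERSION = (1, 3, 3)`, and extend the comment to `# ds < 1.3.3 (IPA 3.x) does not support the replication managers group, so the principal must be listed in nsDS5ReplicaBindDN directly`. The enclosing method starts and ends outside the hunk.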
--
2.23.0