From 405446b0f08551fa82fd0f6d71f219d68641732b Mon Sep 17 00:00:00 2001

From: Martin Babinsky <mbabinsk@redhat.com>

Date: Wed, 23 Nov 2016 16:58:39 +0100

Subject: [PATCH] replication: ensure bind DN group check interval is set on

 replica config

This is a safeguard ensuring valid replica configuration against incorrectly

upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on

their domain/ca topology config.

https://fedorahosted.org/freeipa/ticket/6508

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

 ipaserver/install/replication.py | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py

index b8b665267ea8debba9f0ce01f54a78cd67d88292..e9624894d7d1e745be8072268fa76d51a8c117e3 100644

--- a/ipaserver/install/replication.py

+++ b/ipaserver/install/replication.py

@@ -452,6 +452,12 @@ class ReplicationManager(object):

             if replica_groupdn not in binddn_groups:

                 mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',

                             replica_groupdn))

+

+            if 'nsds5replicabinddngroupcheckinterval' not in entry:

+                mod.append(

+                    (ldap.MOD_ADD,

+                     'nsds5replicabinddngroupcheckinterval',

+                     '60'))

             if mod:

                 conn.modify_s(dn, mod)

-- 

2.7.4