From f6ce0099adc7c8508b3bf2f82102c1dd70fa08dc Mon Sep 17 00:00:00 2001

From: Felipe Barreto <fbarreto@redhat.com>

Date: Fri, 13 Oct 2017 09:19:43 +0200

Subject: [PATCH] Checks if replica-s4u2proxy.ldif should be applied

Before applying replica-s3u2proxy.ldif, we check

if the values are already there. The values can be

there if a replica installation was done in the past

and some info was left behind. Also, the code checks

the values independently.

https://pagure.io/freeipa/issue/7174

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaserver/install/dsinstance.py | 19 ++++++++++++++++++-

 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py

index c9db8ac28c3ca10539b745ca09f4d8aaece02e0c..f7edcffc5904d8c9ce46f5862d496a4df3ad8d75 100644

--- a/ipaserver/install/dsinstance.py

+++ b/ipaserver/install/dsinstance.py

@@ -930,7 +930,24 @@ class DsInstance(service.Service):

         self._ldap_mod("replica-acis.ldif", self.sub_dict)

     def __setup_s4u2proxy(self):

-        self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict)

+

+        def __add_principal(last_cn, principal, self):

+            dn = DN(('cn', last_cn), ('cn', 's4u2proxy'),

+                    ('cn', 'etc'), self.suffix)

+

+            value = '{principal}/{fqdn}@{realm}'.format(fqdn=self.fqdn,

+                                                        realm=self.realm,

+                                                        principal=principal)

+

+            entry = api.Backend.ldap2.get_entry(dn, ['memberPrincipal'])

+            try:

+                entry['memberPrincipal'].append(value)

+                api.Backend.ldap2.update_entry(entry)

+            except errors.EmptyModlist:

+                pass

+

+        __add_principal('ipa-http-delegation', 'HTTP', self)

+        __add_principal('ipa-ldap-delegation-targets', 'ldap', self)

     def __create_indices(self):

         self._ldap_mod("indices.ldif")

-- 

2.13.5