rpms / ipa

Clone
Source Code
GIT

Files

  1.   eaa59994f9cede51d0196d154e7b127f898199f1
  2.   SOURCES
  3.   0062-DL0-replica-install-fix-nsDS5ReplicaBindDN-config.patch
Blob Blame History Raw 
From 542297d937d538e3353e06dd052a2e77d594dae8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 13 Jun 2019 21:54:58 +0200
Subject: [PATCH] DL0 replica install: fix nsDS5ReplicaBindDN config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When setting up a 4.x replica in DL0 from a 3.x replica, the first 4.x
replica installation succeeds but if a second 4.x replica is configured,
the replication is not properly set.

This happens because the replica setup needs to add nsDS5ReplicaBindDN:
krbprincipalname=ldap/replica@DOMAIN to the entry
cn=replica,cn=...,cn=mapping tree,cn=config in order to allow replication
(on the 3.x master, the replication manager group is not supported yet).

The issue is that this attribute is added only when the entry
cn=replication managers,cn=sysaccounts,cn=etc,$BASEDN
does not exist. This condition is true for the first replica install but
false for the second replica install.

The fix consists in checking if the remote server has ds version < 1.3.3
(in this case it is a 3.x server). If it's the case, the installer
will use nsDS5ReplicaBindDN attribute with the replica krbprincipalname.
Otherwise the nsDS5ReplicaBindDN attribute will use the replication manager
group.

Fixes: https://pagure.io/freeipa/issue/7976
Reviewed-By: François Cami <fcami@redhat.com>
---
 ipaserver/install/replication.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 8644b9ff618d28614a319d6da6a2041fea3c1c1f..c188bd6f5e4d13af7b12f5e0528ee135772af7ab 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1730,9 +1730,14 @@ class ReplicationManager(object):
         try:
             conn.get_entry(self.repl_man_group_dn)
         except errors.NotFound:
-            self._add_replica_bind_dn(conn, my_dn)
             self._add_replication_managers(conn)
 
+        # On IPA 3.x masters (ds version < 1.3.3),
+        # add replica bind DN directly into the replica entry
+        vendor_version = get_ds_version(conn)
+        if vendor_version < (1, 3, 3):
+            self._add_replica_bind_dn(conn, my_dn)
+
         self._add_dn_to_replication_managers(conn, my_dn)
         self._add_dn_to_replication_managers(conn, remote_dn)
 
-- 
2.23.0

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation