From f6ce0099adc7c8508b3bf2f82102c1dd70fa08dc Mon Sep 17 00:00:00 2001
From: Felipe Barreto
Date: Fri, 13 Oct 2017 09:19:43 +0200
Subject: [PATCH] Checks if replica-s4u2proxy.ldif should be applied
Before applying replica-s3u2proxy.ldif, we check if the values are already there. The values can be there if a replica installation was done in the past and some info was left behind. Also, the code checks the values independently.
https://pagure.io/freeipa/issue/7174
Reviewed-By: Rob Crittenden
---
 ipaserver/install/dsinstance.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index c9db8ac28c3ca10539b745ca09f4d8aaece02e0c..f7edcffc5904d8c9ce46f5862d496a4df3ad8d75 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -930,7 +930,24 @@ class DsInstance(service.Service):
 self._ldap_mod("replica-acis.ldif", self.sub_dict)
 def __setup_s4u2proxy(self):
- self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict)
+
+ def __add_principal(last_cn, principal, self):
+ dn = DN(('cn', last_cn), ('cn', 's4u2proxy'),
+ ('cn', 'etc'), self.suffix)
+
+ value = '{principal}/{fqdn}@{realm}'.format(fqdn=self.fqdn,
+ realm=self.realm,
+ principal=principal)
+
+ entry = api.Backend.ldap2.get_entry(dn, ['memberPrincipal'])
+ try:
+ entry['memberPrincipal'].append(value)
+ api.Backend.ldap2.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
+
+ __add_principal('ipa-http-delegation', 'HTTP', self)
+ __add_principal('ipa-ldap-delegation-targets', 'ldap', self)
 def __create_indices(self):
 self._ldap_mod("indices.ldif")
-- 
2.13.5
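Review bot: In `__add_principal` the "already there" check promised by the commit message is never written out: the value is appended unconditionally and the code relies on `update_entry` raising `errors.EmptyModlist` when nothing changed. An explicit guard before the append, `if value in entry['memberPrincipal']: return`, would make the intent visible. Replacing the bare `pass` with a debug log line would record in the install log whether each delegation principal was added or already present, which is worth having because these entries decide which services may use S4U2Proxy delegation. `get_entry` is outside the `try`, and a missing `memberPrincipal` attribute is not handled (presumably a `KeyError`, to be confirmed against the entry class), so a short comment stating that both entries are expected to exist with at least one value at this point would help. As a style point, the nested helper takes `self` as a trailing argument although it can close over it, and the double-underscore name gains nothing; `def add_principal(last_cn, principal):` reads more naturally.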