Setting up a winsync agreement was broken. This patch fixes the code to allow setting up a winsync agreement that requires access to a non-IPA ldap server.
Simo. -- Simo Sorce * Red Hat, Inc * New York
>From 0c31c0db73239b74752a7ca807798b7632a5ab85 Mon Sep 17 00:00:00 2001 From: Simo Sorce <sso...@redhat.com> Date: Thu, 24 Feb 2011 11:36:32 -0500 Subject: [PATCH 2/8] Fix winsync agreements setup Fixes: https://fedorahosted.org/freeipa/ticket/1006 --- ipaserver/install/replication.py | 61 +++++++++++++++++++++++-------------- 1 files changed, 38 insertions(+), 23 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 0bf0e218a2cb315c720f1928c0f775e452936dc5..86a42b16b4f0820c0ceb10b726fc37664913edba 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -363,7 +363,7 @@ class ReplicationManager: def setup_winsync_agmt(self, entry, win_subtree=None): if win_subtree is None: - win_subtree = WIN_USER_CONTAINER + "," + self.suffix + win_subtree = WIN_USER_CONTAINER + "," + self.ad_suffix ds_subtree = IPA_USER_CONTAINER + "," + self.suffix windomain = '.'.join(ldap.explode_dn(self.suffix, 1)) @@ -381,12 +381,12 @@ class ReplicationManager: return (cn, dn) - def setup_agreement(self, a, b, + def setup_agreement(self, a_conn, b_hostname, repl_man_dn=None, repl_man_passwd=None, iswinsync=False, win_subtree=None, isgssapi=False): - cn, dn = self.agreement_dn(b.host) + cn, dn = self.agreement_dn(b_hostname) try: - a.getEntry(dn, ldap.SCOPE_BASE) + a_conn.getEntry(dn, ldap.SCOPE_BASE) return except errors.NotFound: pass @@ -402,14 +402,14 @@ class ReplicationManager: entry = ipaldap.Entry(dn) entry.setValues('objectclass', "nsds5replicationagreement") entry.setValues('cn', cn) - entry.setValues('nsds5replicahost', b.host) + entry.setValues('nsds5replicahost', b_hostname) entry.setValues('nsds5replicaport', str(port)) entry.setValues('nsds5replicatimeout', str(TIMEOUT)) entry.setValues('nsds5replicaroot', self.suffix) entry.setValues('nsds5replicaupdateschedule', '0000-2359 0123456') entry.setValues('nsDS5ReplicatedAttributeList', '(objectclass=*) $ EXCLUDE %s' % " ".join(excludes)) - entry.setValues('description', "me to %s" % b.host) + entry.setValues('description', "me to %s" % b_hostname) if isgssapi: entry.setValues('nsds5replicatransportinfo', 'LDAP') entry.setValues('nsds5replicabindmethod', 'SASL/GSSAPI') @@ -422,9 +422,9 @@ class ReplicationManager: if iswinsync: self.setup_winsync_agmt(entry, win_subtree) - a.add_s(entry) + a_conn.add_s(entry) - entry = a.waitForEntry(entry) + entry = a_conn.waitForEntry(entry) def setup_krb_princs_as_replica_binddns(self, a, b): """ @@ -582,16 +582,16 @@ class ReplicationManager: haserror = 1 return haserror - def start_replication(self, other_conn, conn=None): + def start_replication(self, conn, hostname=None): print "Starting replication, please wait until this has completed." - if conn == None: - conn = self.conn - cn, dn = self.agreement_dn(conn.host) + if hostname == None: + hostname = self.conn.host + cn, dn = self.agreement_dn(hostname) mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')] - other_conn.modify_s(dn, mod) + conn.modify_s(dn, mod) - return self.wait_for_repl_init(other_conn, dn) + return self.wait_for_repl_init(conn, dn) def basic_replication_setup(self, conn, replica_id, repldn, replpw): self.add_replication_manager(conn, repldn, replpw) @@ -617,10 +617,10 @@ class ReplicationManager: self.basic_replication_setup(r_conn, r_id, self.repl_man_dn, self.repl_man_passwd) - self.setup_agreement(r_conn, self.conn, + self.setup_agreement(r_conn, self.conn.host, repl_man_dn=self.repl_man_dn, repl_man_passwd=self.repl_man_passwd) - self.setup_agreement(self.conn, r_conn, + self.setup_agreement(self.conn, r_hostname, repl_man_dn=self.repl_man_dn, repl_man_passwd=self.repl_man_passwd) @@ -633,14 +633,29 @@ class ReplicationManager: ad_dc_name, ad_binddn, ad_pwd, passsync_pw, ad_subtree, cacert=CACERT): + self.ad_suffix = "" try: # Validate AD connection - ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636, cacert=cacert) - ad_conn.do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd) + ad_conn = ldap.initialize('ldap://%s' % ad_dc_name) + #the next one is to workaround bugs arounf opendalp libs+NSS db + ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0) + ad_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert) + ad_conn.start_tls_s() + ad_conn.simple_bind_s(ad_binddn, ad_pwd) + res = ad_conn.search_s("", ldap.SCOPE_BASE, '(objectClass=*)', + ['defaultNamingContext']) + for dn,entry in res: + if dn == "": + self.ad_suffix = entry['defaultNamingContext'][0] + logging.info("AD Suffix is: %s" % self.ad_suffix) + if self.ad_suffix == "": + raise RuntimeError("Failed to lookup AD's Ldap suffix") + ad_conn.unbind_s() + del ad_conn except Exception, e: logging.info("Failed to connect to AD server %s" % ad_dc_name) logging.info("The error was: %s" % e) - logging.info("Continuning ...") + raise RuntimeError("Failed to setup winsync replication") # Setup the only half. # there is no other side to get a replica ID from @@ -651,7 +666,7 @@ class ReplicationManager: #now add a passync user allowed to access the AD server self.add_passsync_user(self.conn, passsync_pw) - self.setup_agreement(self.conn, ad_conn, + self.setup_agreement(self.conn, ad_dc_name, repl_man_dn=ad_binddn, repl_man_passwd=ad_pwd, iswinsync=True, win_subtree=ad_subtree) logging.info("Added new sync agreement, waiting for it to become ready . . .") @@ -660,7 +675,7 @@ class ReplicationManager: logging.info("Agreement is ready, starting replication . . .") #Finally start replication - ret = self.start_replication(ad_conn) + ret = self.start_replication(self.conn, ad_dc_name) if ret != 0: raise RuntimeError("Failed to start replication") @@ -705,8 +720,8 @@ class ReplicationManager: self.setup_krb_princs_as_replica_binddns(self.conn, r_conn) # Create mutual replication agreementsausiung SASL/GSSAPI - self.setup_agreement(self.conn, r_conn, isgssapi=True) - self.setup_agreement(r_conn, self.conn, isgssapi=True) + self.setup_agreement(self.conn, r_hostname, isgssapi=True) + self.setup_agreement(r_conn, self.conn.host, isgssapi=True) def initialize_replication(self, dn, conn): mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')] -- 1.7.4
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
