On 06/10/2015 04:39 PM, Petr Vobornik wrote:
On 06/10/2015 04:06 PM, Petr Vobornik wrote:
On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
hi,

is there a real replacement for "del", it is not in the scope of the
topology commands, the removal of the agreement is rejected and later
done by the plugin, but what about removal of the host, services,
cleanruv ?

Ludwig
On 06/02/2015 02:10 PM, Tomas Babej wrote:
Hi,

With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated. Following commands
are prohibited:

* connect
* disconnect
* del

Upon executing any of these commands, users are pointed out to the
ipa topologysegment-* replacements.

Part of: https://fedorahosted.org/freeipa/ticket/4302



Tomas is on vacation. I've removed 'del' from his patch and will create
a new one for handling of 'del'.

If that's OK, we can push this one.



NACK

'connect' and 'disconnect' serve also for setting up/removing of winsync
replication agreements. This patch forbids it.

Attaching patch which addresses this issue and replaces Tomas' patch (which was used as a basis). Patch for 'del' will follow.


I've not tested if topology plugin ignores winsync agreements. Does it?

--
Petr Vobornik
From 5a1ff2debb2b529e03a668d15aabc2cb40cd9f8d Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Wed, 10 Jun 2015 18:23:37 +0200
Subject: [PATCH] ipa-replica-manage: Do not allow topology altering commands
 from DL 1

With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated. Following commands
are prohibited:

* connect
* disconnect

Upon executing any of these commands, users are pointed out to the
ipa topologysegment-* replacements.

Exception is creation/deletion of winsync agreement.

Part of: https://fedorahosted.org/freeipa/ticket/4302
---
 install/tools/ipa-replica-manage | 53 ++++++++++++++++++++++++++++------------
 1 file changed, 37 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 0d2688e6d73b1591c5e386656b7198c20d71558a..36efda88cf24c5692faf6d948270622350cbd56e 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -241,23 +241,32 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
     """
 
     repl2 = None
+    what = "Removal of IPA replication agreement"
+    managed_topology = has_managed_topology()
 
     try:
         repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)
-
         type1 = repl1.get_agreement_type(replica2)
-
-        repl_list = repl1.find_ipa_replication_agreements()
-        if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
-            print "Cannot remove the last replication link of '%s'" % replica1
-            print "Please use the 'del' command to remove it from the domain"
-            return False
-
     except errors.NotFound:
-        print "'%s' has no replication agreement for '%s'" % (replica1, replica2)
+        # it's possible that the agreement could not have been found because of
+        # the new topology plugin naming convention: <A>-to-<B> instead of
+        # meTo<B>.
+        if managed_topology:
+            print "'%s' has no winsync replication agreement for '%s'" % (replica1, replica2)
+            exit_on_managed_topology(what)
+        else:
+            print "'%s' has no replication agreement for '%s'" % (replica1, replica2)
         return False
     except Exception, e:
-        print "Failed to determine agreement type for '%s': %s" % (replica1, e)
+        print "Failed to determine agreement type for '%s': %s" % (replica2, e)
+
+    if type1 == replication.IPA_REPLICA and managed_topology:
+        exit_on_managed_topology(what)
+
+    repl_list = repl1.find_ipa_replication_agreements()
+    if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
+        print "Cannot remove the last replication link of '%s'" % replica1
+        print "Please use the 'del' command to remove it from the domain"
         return False
 
     if type1 == replication.IPA_REPLICA:
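Review bot: The `except Exception, e:` branch in del_link no longer returns. The `return False` that used to follow its print is now the tail of the "Cannot remove the last replication link" check, so after a failure in ReplicationManager() or get_agreement_type() execution falls through to `if type1 == replication.IPA_REPLICA and managed_topology:`. As far as the hunk shows, type1 is not initialised before the try (only repl2 is), so that path ends in an UnboundLocalError rather than the intended message. Add `return False` directly after the "Failed to determine agreement type" print.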
@@ -747,12 +756,6 @@ def del_master(realm, hostname, options):
     try:
         if bindinstance.dns_container_exists(options.host, thisrepl.suffix,
                                              dm_password=options.dirman_passwd):
-            if options.dirman_passwd:
-                api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
-                                          bind_pw=options.dirman_passwd)
-            else:
-                ccache = krbV.default_context().default_ccache()
-                api.Backend.ldap2.connect(ccache=ccache)
             bind = bindinstance.BindInstance()
             bind.remove_master_dns_records(hostname, realm, realm.lower())
             bind.remove_ipa_ca_dns_records(hostname, realm.lower())
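Review bot: With the connect block removed, del_master now depends on api.Backend.ldap2 having been connected by main() before `bind = bindinstance.BindInstance()` runs, and nothing in this function says so. A one-line comment at that call stating the precondition would keep the dependency visible to anyone who later calls del_master from another path.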
@@ -777,6 +780,8 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
         if os.getegid() != 0:
             root_logger.error("winsync agreements need to be created as root")
             sys.exit(1)
+    elif has_managed_topology():
+        exit_on_managed_topology("Creation of IPA replication agreement")
 
     try:
         repl = replication.ReplicationManager(realm, replica1, dirman_passwd)
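Review bot: The `elif has_managed_topology():` in add_link exempts the branch above it (the one carrying the winsync root check) from the Domain Level guard, and that exemption rests on the topology plugin leaving winsync agreements alone, which the cover mail says has not been tested. Please confirm that behaviour before this is pushed, and add a short comment on the elif explaining why winsync agreements are still allowed at DL 1.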
@@ -1167,6 +1172,14 @@ def set_DNA_range(hostname, range, realm, dirman_passwd, next_range=False,
         except Exception, e:
             sys.exit("Updating range failed: %s" % e)
 
+def has_managed_topology():
+    domainlevel = api.Command['domainlevel_get']().get('result', 0)
+    return domainlevel > 0
+
+def exit_on_managed_topology(what):
+    sys.exit("{0} is deprecated with managed IPA replication topology. "
+             "Please use `ipa topologysegment-*` commands to manage "
+             "the topology.".format(what))
 
 def main():
     if os.getegid() == 0:
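Review bot: has_managed_topology() has no handling for a failing `api.Command['domainlevel_get']()` call, and the `.get('result', 0)` default treats a missing result as an unmanaged topology, so an unexpected reply falls back to allowing the legacy commands. Consider catching the command error and exiting with a clear message, and decide explicitly whether a missing result should allow or deny. Both new functions also lack docstrings, and the comparison `domainlevel > 0` would read better against a named constant for the first managed level.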
@@ -1209,6 +1222,14 @@ def main():
 
     options.dirman_passwd = dirman_passwd
 
+    # Initialize the LDAP connection
+    if options.dirman_passwd:
+        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+                                  bind_pw=options.dirman_passwd)
+    else:
+        ccache = krbV.default_context().default_ccache()
+        api.Backend.ldap2.connect(ccache=ccache)
+
     if args[0] == "list":
         replica = None
         if len(args) == 2:
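Review bot: The LDAP connect in main() now runs before the command dispatch for every subcommand, including "list", and is not wrapped in any error handling. A failed Directory Manager bind or a missing credential cache at `krbV.default_context().default_ccache()` will surface as a raw traceback before the user's command is even parsed. Wrap the block in a try/except that exits with a readable message, and check whether every subcommand really needs the connection or only the ones that call has_managed_topology() and del_master.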
-- 
2.1.0
