From 290e6c08c9eccb585e8b0b760115a0d442e72787 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Jun 21 2016 15:09:51 +0000 Subject: Replica promotion: use the correct IPA domain for replica IPA domain is detected from LDAP for replica promote installation. If local domain and IPA domain does not match, installer refuses to install replica. IPA versions 4.3.0 and 4.3.1 allow to specify different domain for replica. Only one IPA domain is allowed (domain used with master) and different domain may cause issues. This commit prevents to install new replica if multiple domains was used in past. User action is required to fix this issue and remove incorrect IPA domains from LDAP. https://fedorahosted.org/freeipa/ticket/5976 Reviewed-By: Petr Spacek
---
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 495baef..fa23fe8 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -939,6 +939,33 @@ def ensure_enrolled(installer):
 except Exception:
 sys.exit("Configuration of client side components failed!")
+
+def promotion_check_ipa_domain(master_ldap_conn, basedn):
+ entry = master_ldap_conn.get_entry(basedn, ['associatedDomain'])
+ if not 'associatedDomain' in entry:
+ raise RuntimeError('IPA domain not found in LDAP.')
+
+ if len(entry['associatedDomain']) > 1:
+ root_logger.critical(
+ "Multiple IPA domains found. We are so sorry :-(, you are "
+ "probably experiencing this bug "
+ "https://fedorahosted.org/freeipa/ticket/5976. Please contact us "
+ "for help.")
+ raise RuntimeError(
+ 'Multiple IPA domains found in LDAP database ({domains}). '
+ 'Only one domain is allowed.'.format(
+ domains=u', '.join(entry['associatedDomain'])
+ ))
+
+ if entry['associatedDomain'][0] != api.env.domain:
+ raise RuntimeError(
+ "Cannot promote this client to a replica. Local domain "
+ "'{local}' does not match IPA domain '{ipadomain}'. ".format(
+ local=api.env.domain,
+ ipadomain=entry['associatedDomain'][0]
+ ))
+
+
 @common_cleanup
 @preserve_enrollment_state
 def promote_check(installer):
@@ -1137,6 +1164,8 @@ def promote_check(installer):
 conn.disconnect()
 conn.connect(ccache=ccache)
+ promotion_check_ipa_domain(conn, remote_api.env.basedn)
+
 # Check that we don't already have a replication agreement
 try:
 (acn, adn) = replman.agreement_dn(config.host_name)
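Review bot: The final comparison `entry['associatedDomain'][0] != api.env.domain` in promotion_check_ipa_domain is an exact string match, so a client whose configured domain differs from the LDAP value only in letter case or a trailing dot would be refused even though DNS treats the two names as equal. Whether either side is already normalised is not visible in this hunk; if it is not, compare normalised forms, e.g. `if entry['associatedDomain'][0].lower().rstrip('.') != api.env.domain.lower().rstrip('.'):`. Separately, `if not 'associatedDomain' in entry:` reads better as `if 'associatedDomain' not in entry:`. The function would also benefit from a docstring saying that it raises RuntimeError when the master's base entry has no domain, several domains, or a domain different from the local one.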
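Review bot: The new call in promote_check has no comment explaining why it sits at this point, after the connection is re-established with the ccache and before the replication-agreement lookup. A comment such as `# Refuse promotion before touching replication state if the master's IPA domain is ambiguous or differs from the local one (ticket 5976)` would record that ordering. The call can raise RuntimeError, and the rest of promote_check lies outside the hunk, so it is worth confirming that the enclosing handler reports it as an installer error rather than a traceback and still disconnects `conn`.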