freeipa

Clone
Source Code
GIT

30f3816 DL0 replica install: fix nsDS5ReplicaBindDN config

1 file Authored by frenaud 4 years ago, Committed by François Cami 4 years ago,
raw patch tree parent
1 file changed. 6 lines added. 1 lines removed.
ipaserver/install/replication.py
file modified
+6 -1 
    DL0 replica install: fix nsDS5ReplicaBindDN config
    
    When setting up a 4.x replica in DL0 from a 3.x replica, the first 4.x
    replica installation succeeds but if a second 4.x replica is configured,
    the replication is not properly set.
    
    This happens because the replica setup needs to add nsDS5ReplicaBindDN:
    krbprincipalname=ldap/replica@DOMAIN to the entry
    cn=replica,cn=...,cn=mapping tree,cn=config in order to allow replication
    (on the 3.x master, the replication manager group is not supported yet).
    
    The issue is that this attribute is added only when the entry
    cn=replication managers,cn=sysaccounts,cn=etc,$BASEDN
    does not exist. This condition is true for the first replica install but
    false for the second replica install.
    
    The fix consists in checking if the remote server has ds version < 1.3.3
    (in this case it is a 3.x server). If it's the case, the installer
    will use nsDS5ReplicaBindDN attribute with the replica krbprincipalname.
    Otherwise the nsDS5ReplicaBindDN attribute will use the replication manager
    group.
    
    Fixes: https://pagure.io/freeipa/issue/7976
    Reviewed-By: François Cami <fcami@redhat.com>
file modified
+6 -1
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.