From 45dccedd12e6d26e146ad9c30c2c304e6b2eded1 Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Jun 15 2015 13:02:06 +0000
Subject: ipa-replica-manage: Do not allow topology altering commands from DL 1
With Domain Level 1 and above, the usage of ipa-replica-manage commands that alter the replica topology is deprecated. Following commands are prohibited:
* connect
* disconnect
Upon executing any of these commands, users are pointed out to the ipa topologysegment-* replacements. Exception is creation/deletion of winsync agreement.
Part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky
---
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 0d2688e..36efda8 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -241,23 +241,32 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
 """
 repl2 = None
+ what = "Removal of IPA replication agreement"
+ managed_topology = has_managed_topology()
 try:
 repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)
- type1 = repl1.get_agreement_type(replica2)
-
- repl_list = repl1.find_ipa_replication_agreements()
- if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
- print "Cannot remove the last replication link of '%s'" % replica1
- print "Please use the 'del' command to remove it from the domain"
- return False
-
 except errors.NotFound:
- print "'%s' has no replication agreement for '%s'" % (replica1, replica2)
+ # it's possible that the agreement could not have been found because of
+ # the new topology plugin naming convention: -to- instead of
+ # meTo.
+ if managed_topology:
+ print "'%s' has no winsync replication agreement for '%s'" % (replica1, replica2)
+ exit_on_managed_topology(what)
+ else:
+ print "'%s' has no replication agreement for '%s'" % (replica1, replica2)
 return False
 except Exception, e:
- print "Failed to determine agreement type for '%s': %s" % (replica1, e)
+ print "Failed to determine agreement type for '%s': %s" % (replica2, e)
+
+ if type1 == replication.IPA_REPLICA and managed_topology:
+ exit_on_managed_topology(what)
+
+ repl_list = repl1.find_ipa_replication_agreements()
+ if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
+ print "Cannot remove the last replication link of '%s'" % replica1
+ print "Please use the 'del' command to remove it from the domain"
 return False
 if type1 == replication.IPA_REPLICA:
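Review bot: On the new side of this hunk nothing assigns `type1` before `if type1 == replication.IPA_REPLICA and managed_topology:` is reached — the `type1 = repl1.get_agreement_type(replica2)` line carries a removal marker and is never re-added, so as the hunk reads here every successful lookup ends in a NameError on the managed-topology check and again on the existing `if type1 == replication.IPA_REPLICA:`. If that marker really belongs to a removed blank line and the assignment is unchanged context, this does not apply; the hunk's line counts fit either reading, so it is worth confirming against the actual file. Separately, in the `except errors.NotFound` branch a managed topology turns every lookup failure, including a mistyped replica name, into the "no winsync replication agreement" message followed by the deprecation exit, which hides the real cause; stating both possibilities in that message, or exiting only when `replica2` is a known master, would make the failure diagnosable. The new comment also reads `-to- instead of meTo.` on this page — if the original used angle-bracket placeholders, spell them as e.g. `A-to-B` and `meToB` so they survive rendering. del_link's signature and the rest of its body lie outside the hunk.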
@@ -747,12 +756,6 @@ def del_master(realm, hostname, options):
 try:
 if bindinstance.dns_container_exists(options.host, thisrepl.suffix, dm_password=options.dirman_passwd):
- if options.dirman_passwd:
- api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
- bind_pw=options.dirman_passwd)
- else:
- ccache = krbV.default_context().default_ccache()
- api.Backend.ldap2.connect(ccache=ccache)
 bind = bindinstance.BindInstance()
 bind.remove_master_dns_records(hostname, realm, realm.lower())
 bind.remove_ipa_ca_dns_records(hostname, realm.lower())
@@ -777,6 +780,8 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
 if os.getegid() != 0:
 root_logger.error("winsync agreements need to be created as root")
 sys.exit(1)
+ elif has_managed_topology():
+ exit_on_managed_topology("Creation of IPA replication agreement")
 try:
 repl = replication.ReplicationManager(realm, replica1, dirman_passwd)
@@ -1167,6 +1172,14 @@ def set_DNA_range(hostname, range, realm, dirman_passwd, next_range=False,
 except Exception, e:
 sys.exit("Updating range failed: %s" % e)
+def has_managed_topology():
+ domainlevel = api.Command['domainlevel_get']().get('result', 0)
+ return domainlevel > 0
+
+def exit_on_managed_topology(what):
+ sys.exit("{0} is deprecated with managed IPA replication topology. "
+ "Please use `ipa topologysegment-*` commands to manage "
+ "the topology.".format(what))
 def main():
 if os.getegid() == 0:
@@ -1209,6 +1222,14 @@ def main():
 options.dirman_passwd = dirman_passwd
+ # Initialize the LDAP connection
+ if options.dirman_passwd:
+ api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+ bind_pw=options.dirman_passwd)
+ else:
+ ccache = krbV.default_context().default_ccache()
+ api.Backend.ldap2.connect(ccache=ccache)
+
 if args[0] == "list":
 replica = None
 if len(args) == 2:
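Review bot: `has_managed_topology()` in the hunk at -1167 fails open: `.get('result', 0)` treats a `domainlevel_get` response without a `result` key as domain level 0, so the deprecated topology-altering commands would be allowed to run on exactly the installations this guard exists to protect. Index the key directly, `domainlevel = api.Command['domainlevel_get']()['result']`, so an unexpected response raises instead of silently disabling the check. Both helpers also lack docstrings; `"""Return True when the domain level is above 0 (managed replication topology)."""` and `"""Exit with a message pointing at the ipa topologysegment-* commands; `what` names the refused operation."""` would do. Since the helper issues an IPA command it presumably needs the LDAP connection that this patch moves into `main()`; a one-line comment stating that precondition would save a future caller from an obscure failure.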
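Review bot: The two `api.Backend.ldap2.connect(...)` calls added to `main()` in the hunk at -1209 run with no error handling, whereas the copy removed from `del_master` sat inside a `try:` block (the first context line of the hunk at -747; its handler is not visible here), so a wrong Directory Manager password or a missing Kerberos credential cache now ends the tool with a traceback instead of a message. Wrap them in the style the file already uses a few lines above, `try:` … `except Exception, e:` / `sys.exit("Failed to connect to the directory server: %s" % e)`. The bind now also happens before `args[0]` is dispatched, so every subcommand binds as Directory Manager whenever a password was supplied, including any that may not need directory access; if such commands exist, a short comment next to `# Initialize the LDAP connection` saying the early bind is intentional would help. main() starts and continues outside the hunk.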