From 772d4e3d4e9a2756e6a34e265a1219599688cde3 Mon Sep 17 00:00:00 2001
From: felipe
Date: Mar 22 2017 14:31:40 +0000
Subject: Fixing replica install: fix ldap connection in domlvl 0

Now, at the domain level 0, the replica install always uses Directory Manager credentials to create the LDAP connection. Since ACIs permitting hosts to manage their own services were added in 4.2 release, the old master denies this operations.

https://pagure.io/freeipa/issue/6549

Reviewed-By: Martin Basti
Reviewed-By: Jan Cholasta
---
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index b4463fd..f489e69 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1391,7 +1391,16 @@ def install(installer):
     dsinstance.create_ds_user()
 
     try:
-        conn.connect(ccache=ccache)
+        if promote:
+            conn.connect(ccache=ccache)
+        else:
+            # dmlvl 0 replica install should always use DM credentials
+            # to create remote LDAP connection. Since ACIs permitting hosts
+            # to manage their own services were added in 4.2 release,
+            # the master denies this operations.
+            conn.connect(bind_dn=ipaldap.DIRMAN_DN, cacert=cafile,
+                         bind_pw=config.dirman_password)
+
         # Update and istall updated CA file
         cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
 
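Review bot: The new `else` branch does a simple bind as Directory Manager with `bind_pw=config.dirman_password`, and `cacert=cafile` only selects the CA to trust — it does not by itself force TLS, so whether the DM password crosses the wire in the clear depends on how `conn` was constructed (outside this hunk, presumably with `start_tls=True` or an ldaps URI); that should be confirmed and stated next to the call, e.g. `# simple bind: conn must already be TLS-protected (start_tls/ldaps) before the DM password is sent`. Note also that `cafile` passed here is the pre-update CA bundle that the very next line replaces via `install_ca_cert`, so a replica whose local CA file is stale will presumably fail the TLS handshake before the bind — acceptable, but a different failure mode from the ccache path and worth a sentence in the comment. Minor wording in the added comment: `the master denies this operations` should read `these operations`. The enclosing `install()` function starts and ends outside the hunk, so the `except` that pairs with this `try:` is not visible here.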