From d12cca47fbd28ea9da09b2b84cd1bdbcf28ac0a5 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mar 29 2019 08:54:03 +0000
Subject: Consider hidden servers as role provider


Hidden services are now considered as associated role providers, too. This
fixes the issue of:

    invalid 'PKINIT enabled server': all masters must have IPA
    master role enabled

and similar issues with CA and DNS.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>

---

diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
index 02a22e7..9c963be 100644
--- a/ipaserver/servroles.py
+++ b/ipaserver/servroles.py
@@ -338,12 +338,13 @@ class ServerAttribute(LDAPBasedProperty):
         ldap.update_entry(service_entry)
 
     def _get_assoc_role_providers(self, api_instance):
-        """
-        get list of all servers on which the associated role is enabled
+        """get list of all servers on which the associated role is enabled
+
+        Consider a hidden server as a valid provider for a role.
         """
         return [
             r[u'server_server'] for r in self.associated_role.status(
-                api_instance) if r[u'status'] == ENABLED]
+                api_instance) if r[u'status'] in {ENABLED, HIDDEN}]
 
     def _remove(self, api_instance, masters):
         """