From f2b22ec0172243ae2c388dad012112ff0fd843c6 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Jan 21 2016 17:16:01 +0000
Subject: correctly set LDAP bind related attributes when setting up replication

when CA replica configures 'cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config' entry on remote master during replica installation, the 'nsds5replicabinddn' and 'nsds5replicabinddngroup' attributes are not correctly updated when this entry already existed on the master (e.g. when existing domain-level 0 topology was promoted to domain level 1). This patch ensures that these attributes are always set correctly regardless of existence of the replica entry.

https://fedorahosted.org/freeipa/ticket/5412

Reviewed-By: Martin Basti
---
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 19592e2..4985390 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -435,13 +435,21 @@ class ReplicationManager(object):
 try:
 entry = conn.get_entry(dn)
- managers = entry.get('nsDS5ReplicaBindDN')
- for m in managers:
- if replica_binddn == DN(m):
- return
- # Add the new replication manager
- mod = [(ldap.MOD_ADD, 'nsDS5ReplicaBindDN', replica_binddn)]
- conn.modify_s(dn, mod)
+ managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])}
+ binddn_groups = {
+ DN(p) for p in entry.get('nsds5replicabinddngroup', [])}
+
+ mod = []
+ if replica_binddn not in managers:
+ # Add the new replication manager
+ mod.append((ldap.MOD_ADD, 'nsDS5ReplicaBindDN',
+ replica_binddn))
+
+ if replica_groupdn not in binddn_groups:
+ mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
+ replica_groupdn))
+ if mod:
+ conn.modify_s(dn, mod)
 # replication is already configured
 return