def __convert_to_gssapi_replication(self):
repl = replication.ReplicationManager(self.realm, self.fqdn,
self.dm_password)
repl.convert_to_gssapi_replication(self.master_fqdn,
r_binddn=DN(
('cn', 'Directory Manager')),
r_bindpw=self.dm_password)
def __setup_replica(self):
"""
Setup initial replication between replica and remote master.
GSSAPI is always used as a replication bind method. Note, however,
that the bind method for the replication differs between domain levels:
* in domain level 0, Directory Manager credentials are used to bind
to remote master
* in domain level 1, GSSAPI using admin/privileged host credentials
is used (we do not have access to masters' DM password in this
stage)
"""
replication.enable_replication_version_checking(
self.realm,
self.dm_password)
# Always connect to self over ldapi
ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm)
conn = ipaldap.LDAPClient(ldap_uri)
conn.external_bind()
repl = replication.ReplicationManager(self.realm,
self.fqdn,
self.dm_password, conn=conn)
if self.dm_password is not None and not self.promote:
bind_dn = DN(('cn', 'Directory Manager'))
bind_pw = self.dm_password
else:
bind_dn = bind_pw = None
repl.setup_promote_replication(self.master_fqdn,
r_binddn=bind_dn,
r_bindpw=bind_pw,
cacert=self.ca_file)
self.run_init_memberof = repl.needs_memberof_fixup()
def execute(self, **options):
# We need an IPAdmin connection to the backend
self.log.debug("Start replication agreement exclude list update task")
conn = ipaldap.IPAdmin(api.env.host, ldapi=True, realm=api.env.realm)
conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
repl = replication.ReplicationManager(api.env.realm,
api.env.host,
None,
conn=conn)
entries = repl.find_replication_agreements()
self.log.debug("Found %d agreement(s)", len(entries))
for replica in entries:
self.log.debug(replica.getValue('description'))
self._update_attr(repl,
replica,
'nsDS5ReplicatedAttributeList',
replication.EXCLUDES,
template=EXCLUDE_TEMPLATE)
self._update_attr(repl,
replica,
'nsDS5ReplicatedAttributeListTotal',
replication.TOTAL_EXCLUDES,
template=EXCLUDE_TEMPLATE)
self._update_attr(repl, replica, 'nsds5ReplicaStripAttrs',
replication.STRIP_ATTRS)
self.log.debug("Done updating agreements")
return (False, False, []) # No restart, no apply now, no updates
def execute(self, **options):
# We need an LDAPClient connection to the backend
self.log.debug("Start replication agreement exclude list update task")
conn = self.api.Backend.ldap2
repl = replication.ReplicationManager(self.api.env.realm,
self.api.env.host,
None, conn=conn)
# We need to update only IPA replica agreements, not winsync
ipa_replicas = repl.find_ipa_replication_agreements()
self.log.debug("Found %d agreement(s)", len(ipa_replicas))
for replica in ipa_replicas:
for desc in replica.get('description', []):
self.log.debug(desc)
self._update_attr(repl, replica,
'nsDS5ReplicatedAttributeList',
replication.EXCLUDES, template=EXCLUDE_TEMPLATE)
self._update_attr(repl, replica,
'nsDS5ReplicatedAttributeListTotal',
replication.TOTAL_EXCLUDES, template=EXCLUDE_TEMPLATE)
self._update_attr(repl, replica,
'nsds5ReplicaStripAttrs', replication.STRIP_ATTRS)
self.log.debug("Done updating agreements")
return False, [] # No restart, no updates
def validate_options(self):
"""
Validates the options passed by the user:
- Checks that trust has been established with
the realm passed via --realm option
"""
super(WinsyncMigrate, self).validate_options(needs_root=True)
if self.options.realm is None:
raise admintool.ScriptError(
"AD realm the winsynced users belong to needs to be "
"specified.")
else:
try:
api.Command['trust_show'](unicode(self.options.realm))
except errors.NotFound:
raise admintool.ScriptError(
"Trust with the given realm %s could not be found. "
"Please establish the trust prior to migration."
% self.options.realm)
except Exception as e:
raise admintool.ScriptError(
"An error occured during detection of the established "
"trust with %s: %s" % (self.options.realm, str(e)))
if self.options.server is None:
raise admintool.ScriptError(
"The AD DC the winsync agreement is established with "
"needs to be specified.")
else:
# Validate the replication agreement between given host and localhost
try:
manager = replication.ReplicationManager(
api.env.realm,
api.env.host,
None) # Use GSSAPI instead of raw directory manager access
replica_type = manager.get_agreement_type(self.options.server)
except errors.ACIError as e:
raise admintool.ScriptError(
"Used Kerberos account does not have privileges to access "
"the replication agreement info: %s" % str(e))
except errors.NotFound as e:
raise admintool.ScriptError(
"The replication agreement between %s and %s could not "
"be detected" % (api.env.host, self.options.server))
# Check that the replication agreement is indeed WINSYNC
if replica_type != replication.WINSYNC:
raise admintool.ScriptError(
"Replication agreement between %s and %s is not winsync."
% (api.env.host, self.options.server))
# Save the reference to the replication manager in the object
self.manager = manager
def __setup_replica(self):
replication.enable_replication_version_checking(
self.fqdn, self.realm_name, self.dm_password)
repl = replication.ReplicationManager(self.realm_name, self.fqdn,
self.dm_password)
repl.setup_replication(self.master_fqdn,
r_binddn=DN(('cn', 'Directory Manager')),
r_bindpw=self.dm_password)
self.run_init_memberof = repl.needs_memberof_fixup()
def check(self):
agmt = replication.ReplicationManager(api.env.realm, api.env.host)
(range_start, range_max) = agmt.get_DNA_range(api.env.host)
(next_start, next_max) = agmt.get_DNA_next_range(api.env.host)
if range_start is not None:
yield Result(self, constants.SUCCESS,
range_start=range_start,
range_max=range_max,
next_start=next_start or 0,
next_max=next_max or 0)
else:
yield Result(self, constants.WARNING,
key='no_dna_range_defined',
range_start=0,
range_max=0,
next_start=0,
next_max=0,
msg='No DNA range defined. If no masters define a '
'range then users and groups cannot be '
'created.')
def uninstall_check(installer):
options = installer
tasks.check_selinux_status()
installer._installation_cleanup = False
if not is_ipa_configured():
print("WARNING:\nIPA server is not configured on this system. "
"If you want to install the\nIPA server, please install "
"it using 'ipa-server-install'.")
fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH)
sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
cfg = dict(
context='installer',
confdir=paths.ETC_IPA,
in_server=True,
)
# We will need at least api.env, finalize api now. This system is
# already installed, so the configuration file is there.
api.bootstrap(**cfg)
api.finalize()
if installer.interactive:
print(
"\nThis is a NON REVERSIBLE operation and will delete all data "
"and configuration!\nIt is highly recommended to take a backup of "
"existing data and configuration using ipa-backup utility "
"before proceeding.\n")
if not user_input(
"Are you sure you want to continue with the "
"uninstall procedure?", False):
raise ScriptError("Aborting uninstall operation.")
try:
api.Backend.ldap2.connect(autobind=True)
domain_level = dsinstance.get_domain_level(api)
except Exception:
msg = ("\nWARNING: Failed to connect to Directory Server to find "
"information about replication agreements. Uninstallation "
"will continue despite the possible existing replication "
"agreements.\n\n"
"If this server is the last instance of CA, KRA, or DNSSEC "
"master, uninstallation may result in data loss.\n\n")
print(textwrap.fill(msg, width=80, replace_whitespace=False))
if (installer.interactive and not user_input(
"Are you sure you want to continue with the uninstall "
"procedure?", False)):
raise ScriptError("Aborting uninstall operation.")
else:
dns.uninstall_check(options)
if domain_level == DOMAIN_LEVEL_0:
rm = replication.ReplicationManager(realm=api.env.realm,
hostname=api.env.host,
dirman_passwd=None,
conn=api.Backend.ldap2)
agreements = rm.find_ipa_replication_agreements()
if agreements:
other_masters = [a.get('cn')[0][4:] for a in agreements]
msg = (
"\nReplication agreements with the following IPA masters "
"found: %s. Removing any replication agreements before "
"uninstalling the server is strongly recommended. You can "
"remove replication agreements by running the following "
"command on any other IPA master:\n" %
", ".join(other_masters))
cmd = "$ ipa-replica-manage del %s\n" % api.env.host
print(textwrap.fill(msg, width=80, replace_whitespace=False))
print(cmd)
if (installer.interactive and not user_input(
"Are you sure you want to continue with"
" the uninstall procedure?", False)):
raise ScriptError("Aborting uninstall operation.")
else:
remove_master_from_managed_topology(api, options)
api.Backend.ldap2.disconnect()
installer._fstore = fstore
installer._sstore = sstore
