def check_replication_error(self, host):
status = r'Error \(19\) Replication error acquiring replica: ' \
'Replica has different database generation ID'
tasks.wait_for_replication(
host.ldap_connect(), target_status_re=status,
raise_on_timeout=True)
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = backup(master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
tf = NamedTemporaryFile()
ldif_file = tf.name
entry_ldif = ("dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname, suffix=suffix)
master.put_file_contents(ldif_file, entry_ldif)
# disable replication agreement
arg = [
'ldapmodify',
'-h',
master.hostname,
'-p',
'389',
'-D',
str(master.config.dirman_dn), # pylint: disable=no-member
'-w',
master.config.dirman_password,
'-f',
ldif_file
]
master.run_command(arg)
# uninstall master.
tasks.uninstall_master(master)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = [
'ipa', 'topologysegment-reinitialize', topo_suffix, topo_name,
'--left'
]
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def check_replication_success(self, host):
status = r'Error \(0\) Replica acquired successfully: ' \
'Incremental update succeeded'
tasks.wait_for_replication(host.ldap_connect(),
target_status_re=status,
raise_on_timeout=True)
def test_rolecheck_Trust(self):
"""ipa-backup rolecheck: add Trust controllers/agents.
"""
# install AD Trust packages on replica first
tasks.install_packages(self.replicas[0], ['*ipa-server-trust-ad'])
self._check_rolecheck_backup_success(self.replicas[0])
self._check_rolecheck_backup_success(self.master)
tasks.install_packages(self.master, ['*ipa-server-trust-ad'])
# make replicas[0] become Trust Controller
self.replicas[0].run_command([
'ipa-adtrust-install', '-U', '--netbios-name', 'IPA', '-a',
self.master.config.admin_password, '--add-sids'
])
# wait for replication to propagate the change on
# cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test
# as the ipa server-role-find call is using this entry to
# build its output
tasks.wait_for_replication(self.replicas[0].ldap_connect())
# double-check
assert self._ipa_replica_role_check(self.replicas[0].hostname,
self.serverroles['ADTC'])
# check that master has no AD Trust-related role
assert not self._ipa_replica_role_check(self.master.hostname,
self.serverroles['ADTA'])
self._check_rolecheck_backup_success(self.replicas[0])
self._check_rolecheck_backup_failure(self.master)
# make master become Trust Agent
cmd_input = (
# admin password:
self.master.config.admin_password + '\n' +
# WARNING: The smb.conf already exists. Running ipa-adtrust-install
# will break your existing samba configuration.
# Do you wish to continue? [no]:
'yes\n'
# Enable trusted domains support in slapi-nis? [no]:
'\n' +
# WARNING: 1 IPA masters are not yet able to serve information
# about users from trusted forests.
# Installer can add them to the list of IPA masters allowed to
# access information about trusts.
# If you choose to do so, you also need to restart LDAP service on
# those masters.
# Refer to ipa-adtrust-install(1) man page for details.
# IPA master[replica1.testrelm.test]?[no]:
'yes\n')
self.replicas[0].run_command(['ipa-adtrust-install', '--add-agents'],
stdin_text=cmd_input)
# wait for replication to propagate the change on
# cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test
# as the ipa server-role-find call is using this entry to
# build its output
tasks.wait_for_replication(self.replicas[0].ldap_connect())
# check that master is now an AD Trust agent
assert self._ipa_replica_role_check(self.master.hostname,
self.serverroles['ADTA'])
# but not an AD Trust controller
assert not self._ipa_replica_role_check(self.master.hostname,
self.serverroles['ADTC'])
self._check_rolecheck_backup_success(self.replicas[0])
self._check_rolecheck_backup_failure(self.master)
# make master become Trust Controller
self.master.run_command([
'ipa-adtrust-install', '-U', '--netbios-name', 'IPA', '-a',
self.master.config.admin_password, '--add-sids'
])
# wait for replication to propagate the change on
# cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test
# as the ipa server-role-find call is using this entry to
# build its output
tasks.wait_for_replication(self.master.ldap_connect())
# master and replicas[0] are both AD Trust Controllers now.
for hostname in [self.master.hostname, self.replicas[0].hostname]:
assert self._ipa_replica_role_check(hostname,
self.serverroles['ADTC'])
self._check_rolecheck_backup_success(self.master)
self._check_rolecheck_backup_success(self.replicas[0])
# switch replicas[0] to hidden
self.replicas[0].run_command([
'ipa', 'server-state', self.replicas[0].hostname, '--state=hidden'
])
self._check_rolecheck_backup_success(self.master)
self._check_rolecheck_backup_success(self.replicas[0])
