def __convert_to_gssapi_replication(self): repl = replication.ReplicationManager(self.realm, self.fqdn, self.dm_password) repl.convert_to_gssapi_replication(self.master_fqdn, r_binddn=DN( ('cn', 'Directory Manager')), r_bindpw=self.dm_password)
def __setup_replica(self): """ Setup initial replication between replica and remote master. GSSAPI is always used as a replication bind method. Note, however, that the bind method for the replication differs between domain levels: * in domain level 0, Directory Manager credentials are used to bind to remote master * in domain level 1, GSSAPI using admin/privileged host credentials is used (we do not have access to masters' DM password in this stage) """ replication.enable_replication_version_checking( self.realm, self.dm_password) # Always connect to self over ldapi ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm) conn = ipaldap.LDAPClient(ldap_uri) conn.external_bind() repl = replication.ReplicationManager(self.realm, self.fqdn, self.dm_password, conn=conn) if self.dm_password is not None and not self.promote: bind_dn = DN(('cn', 'Directory Manager')) bind_pw = self.dm_password else: bind_dn = bind_pw = None repl.setup_promote_replication(self.master_fqdn, r_binddn=bind_dn, r_bindpw=bind_pw, cacert=self.ca_file) self.run_init_memberof = repl.needs_memberof_fixup()
def execute(self, **options): # We need an IPAdmin connection to the backend self.log.debug("Start replication agreement exclude list update task") conn = ipaldap.IPAdmin(api.env.host, ldapi=True, realm=api.env.realm) conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name) repl = replication.ReplicationManager(api.env.realm, api.env.host, None, conn=conn) entries = repl.find_replication_agreements() self.log.debug("Found %d agreement(s)", len(entries)) for replica in entries: self.log.debug(replica.getValue('description')) self._update_attr(repl, replica, 'nsDS5ReplicatedAttributeList', replication.EXCLUDES, template=EXCLUDE_TEMPLATE) self._update_attr(repl, replica, 'nsDS5ReplicatedAttributeListTotal', replication.TOTAL_EXCLUDES, template=EXCLUDE_TEMPLATE) self._update_attr(repl, replica, 'nsds5ReplicaStripAttrs', replication.STRIP_ATTRS) self.log.debug("Done updating agreements") return (False, False, []) # No restart, no apply now, no updates
def execute(self, **options): # We need an LDAPClient connection to the backend self.log.debug("Start replication agreement exclude list update task") conn = self.api.Backend.ldap2 repl = replication.ReplicationManager(self.api.env.realm, self.api.env.host, None, conn=conn) # We need to update only IPA replica agreements, not winsync ipa_replicas = repl.find_ipa_replication_agreements() self.log.debug("Found %d agreement(s)", len(ipa_replicas)) for replica in ipa_replicas: for desc in replica.get('description', []): self.log.debug(desc) self._update_attr(repl, replica, 'nsDS5ReplicatedAttributeList', replication.EXCLUDES, template=EXCLUDE_TEMPLATE) self._update_attr(repl, replica, 'nsDS5ReplicatedAttributeListTotal', replication.TOTAL_EXCLUDES, template=EXCLUDE_TEMPLATE) self._update_attr(repl, replica, 'nsds5ReplicaStripAttrs', replication.STRIP_ATTRS) self.log.debug("Done updating agreements") return False, [] # No restart, no updates
def validate_options(self): """ Validates the options passed by the user: - Checks that trust has been established with the realm passed via --realm option """ super(WinsyncMigrate, self).validate_options(needs_root=True) if self.options.realm is None: raise admintool.ScriptError( "AD realm the winsynced users belong to needs to be " "specified.") else: try: api.Command['trust_show'](unicode(self.options.realm)) except errors.NotFound: raise admintool.ScriptError( "Trust with the given realm %s could not be found. " "Please establish the trust prior to migration." % self.options.realm) except Exception as e: raise admintool.ScriptError( "An error occured during detection of the established " "trust with %s: %s" % (self.options.realm, str(e))) if self.options.server is None: raise admintool.ScriptError( "The AD DC the winsync agreement is established with " "needs to be specified.") else: # Validate the replication agreement between given host and localhost try: manager = replication.ReplicationManager( api.env.realm, api.env.host, None) # Use GSSAPI instead of raw directory manager access replica_type = manager.get_agreement_type(self.options.server) except errors.ACIError as e: raise admintool.ScriptError( "Used Kerberos account does not have privileges to access " "the replication agreement info: %s" % str(e)) except errors.NotFound as e: raise admintool.ScriptError( "The replication agreement between %s and %s could not " "be detected" % (api.env.host, self.options.server)) # Check that the replication agreement is indeed WINSYNC if replica_type != replication.WINSYNC: raise admintool.ScriptError( "Replication agreement between %s and %s is not winsync." % (api.env.host, self.options.server)) # Save the reference to the replication manager in the object self.manager = manager
def __setup_replica(self): replication.enable_replication_version_checking( self.fqdn, self.realm_name, self.dm_password) repl = replication.ReplicationManager(self.realm_name, self.fqdn, self.dm_password) repl.setup_replication(self.master_fqdn, r_binddn=DN(('cn', 'Directory Manager')), r_bindpw=self.dm_password) self.run_init_memberof = repl.needs_memberof_fixup()
def check(self): agmt = replication.ReplicationManager(api.env.realm, api.env.host) (range_start, range_max) = agmt.get_DNA_range(api.env.host) (next_start, next_max) = agmt.get_DNA_next_range(api.env.host) if range_start is not None: yield Result(self, constants.SUCCESS, range_start=range_start, range_max=range_max, next_start=next_start or 0, next_max=next_max or 0) else: yield Result(self, constants.WARNING, key='no_dna_range_defined', range_start=0, range_max=0, next_start=0, next_max=0, msg='No DNA range defined. If no masters define a ' 'range then users and groups cannot be ' 'created.')
def uninstall_check(installer): options = installer tasks.check_selinux_status() installer._installation_cleanup = False if not is_ipa_configured(): print("WARNING:\nIPA server is not configured on this system. " "If you want to install the\nIPA server, please install " "it using 'ipa-server-install'.") fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH) sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH) # Configuration for ipalib, we will bootstrap and finalize later, after # we are sure we have the configuration file ready. cfg = dict( context='installer', confdir=paths.ETC_IPA, in_server=True, ) # We will need at least api.env, finalize api now. This system is # already installed, so the configuration file is there. api.bootstrap(**cfg) api.finalize() if installer.interactive: print( "\nThis is a NON REVERSIBLE operation and will delete all data " "and configuration!\nIt is highly recommended to take a backup of " "existing data and configuration using ipa-backup utility " "before proceeding.\n") if not user_input( "Are you sure you want to continue with the " "uninstall procedure?", False): raise ScriptError("Aborting uninstall operation.") try: api.Backend.ldap2.connect(autobind=True) domain_level = dsinstance.get_domain_level(api) except Exception: msg = ("\nWARNING: Failed to connect to Directory Server to find " "information about replication agreements. Uninstallation " "will continue despite the possible existing replication " "agreements.\n\n" "If this server is the last instance of CA, KRA, or DNSSEC " "master, uninstallation may result in data loss.\n\n") print(textwrap.fill(msg, width=80, replace_whitespace=False)) if (installer.interactive and not user_input( "Are you sure you want to continue with the uninstall " "procedure?", False)): raise ScriptError("Aborting uninstall operation.") else: dns.uninstall_check(options) if domain_level == DOMAIN_LEVEL_0: rm = replication.ReplicationManager(realm=api.env.realm, hostname=api.env.host, dirman_passwd=None, conn=api.Backend.ldap2) agreements = rm.find_ipa_replication_agreements() if agreements: other_masters = [a.get('cn')[0][4:] for a in agreements] msg = ( "\nReplication agreements with the following IPA masters " "found: %s. Removing any replication agreements before " "uninstalling the server is strongly recommended. You can " "remove replication agreements by running the following " "command on any other IPA master:\n" % ", ".join(other_masters)) cmd = "$ ipa-replica-manage del %s\n" % api.env.host print(textwrap.fill(msg, width=80, replace_whitespace=False)) print(cmd) if (installer.interactive and not user_input( "Are you sure you want to continue with" " the uninstall procedure?", False)): raise ScriptError("Aborting uninstall operation.") else: remove_master_from_managed_topology(api, options) api.Backend.ldap2.disconnect() installer._fstore = fstore installer._sstore = sstore