URL: https://github.com/freeipa/freeipa/pull/620 Author: felipevolpone Title: #620: [WIP] Fixing 6549 Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/620/head:pr620 git checkout pr620
From 473e95bcf41fbe78d61d89cef66733874cb86508 Mon Sep 17 00:00:00 2001
From: felipe <fbarreto@localhost.localdomain>
Date: Tue, 21 Mar 2017 09:05:56 -0300
Subject: [PATCH] Fixing replica install: fix ldap connection in domlvl 0
Now, at the domain level 0, the replica install always uses Directory Manager credentials to create the LDAP connection. Since ACIs permitting hosts to manage their own services were added in 4.2 release, the old master denies this operations.
https://pagure.io/freeipa/issue/6549
---
 ipaserver/install/server/replicainstall.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index b4463fd..f489e69 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1391,7 +1391,16 @@ def install(installer):
 dsinstance.create_ds_user()
 try:
- conn.connect(ccache=ccache)
+ if promote:
+ conn.connect(ccache=ccache)
+ else:
+ # dmlvl 0 replica install should always use DM credentials
+ # to create remote LDAP connection. Since ACIs permitting hosts
+ # to manage their own services were added in 4.2 release,
+ # the master denies this operations.
+ conn.connect(bind_dn=ipaldap.DIRMAN_DN, cacert=cafile,
+ bind_pw=config.dirman_password)
+
 # Update and istall updated CA file
 cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
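Review bot: In the `else` branch, `conn.connect(bind_dn=ipaldap.DIRMAN_DN, cacert=cafile, bind_pw=config.dirman_password)` is a simple bind that sends the Directory Manager password to the remote master, and the hunk does not show whether `conn` was created with an `ldaps://` URI or StartTLS; `cacert=cafile` only protects the password if the transport is actually encrypted, so that should be confirmed where `conn` is built (outside this hunk). Because Directory Manager bypasses ACIs, every later operation on `conn` in this `try` block, which continues past the hunk, also runs unrestricted on the domain level 0 path, and the comment should say so. The comment's last sentence also reads backwards; something like `# Masters older than 4.2 lack the ACIs that let hosts manage their own services, so the host principal is denied there.` states what is meant. If nothing earlier in `install()` guarantees it, it may also be worth failing early when `config.dirman_password` is empty instead of attempting the bind.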