Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+

2020-10-28 15:16:06 -07:00 · 2020-10-28 15:16:06 -07:00 · f5ffc4abf3
commit f5ffc4abf3
parent deafacd653
2 changed files with 63 additions and 1 deletions
--- a/5212.patch
+++ b/5212.patch
@ -0,0 +1,56 @@
+From 2695789db45c2e7fe92e53a49521dc22fdffe317 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 28 Oct 2020 10:34:31 -0400
+Subject: [PATCH] New validation efforts in 389-ds-base require that the
+ backend entry for a database be created before the mapping tree entry. This
+ enforces that the mapping tree entry (the suffix) actually belongs to an
+ existing backend.
+
+For IPA we simply need to reverse the order of the backend vs mapping tree
+creation in cainstance.py -> __create_ds_db()
+
+Fixes: https://pagure.io/freeipa/issue/8558
+---
+ ipaserver/install/cainstance.py | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index fca829de094..1c2fab1dffb 100644
+--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
+@@ -1162,17 +1162,6 @@ def __create_ds_db(self):
+         backend = 'ipaca'
+         suffix = DN(('o', 'ipaca'))
+ 
+-        # replication
+-        dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
+-        entry = api.Backend.ldap2.make_entry(
+-            dn,
+-            objectclass=["top", "extensibleObject", "nsMappingTree"],
+-            cn=[suffix],
+-        )
+-        entry['nsslapd-state'] = ['Backend']
+-        entry['nsslapd-backend'] = [backend]
+-        api.Backend.ldap2.add_entry(entry)
+-
+         # database
+         dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'),
+                 ('cn', 'config'))
+@@ -1184,6 +1173,17 @@ def __create_ds_db(self):
+         entry['nsslapd-suffix'] = [suffix]
+         api.Backend.ldap2.add_entry(entry)
+ 
+        # replication
+        dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
+        entry = api.Backend.ldap2.make_entry(
+            dn,
+            objectclass=["top", "extensibleObject", "nsMappingTree"],
+            cn=[suffix],
+        )
+        entry['nsslapd-state'] = ['Backend']
+        entry['nsslapd-backend'] = [backend]
+        api.Backend.ldap2.add_entry(entry)
+
+     def __setup_replication(self):
+         repl = replication.CAReplicationManager(self.realm, self.fqdn)
+         repl.setup_cs_replication(self.master_host)
--- a/freeipa.spec
+++ b/freeipa.spec
@ -161,7 +161,7 @@

 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        The Identity, Policy and Audit system

 License:        GPLv3+
@ -171,6 +171,9 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as
 Patch0:         freeipa-4.8.10-systemd-resolved.patch
 Patch1:         freeipa-4.8.10-systemd-resolved-configuration.patch
 Patch2:         freeipa-4.8.10-systemd-resolved-selinux-fixes.patch
+# https://github.com/freeipa/freeipa/pull/5212
+# Fix deployment errors with 389-ds-base 1.4.4.6+
+Patch3:         5212.patch

 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@ -1542,6 +1545,9 @@ fi
 %endif

 %changelog
+* Wed Oct 28 2020 Adam Williamson <awilliam@redhat.com> - 4.8.10-7
+- Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+
+
 * Tue Oct 13 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-6
 - Handle sshd_config upgrade properly
  Fixes: rhbz#1887928