d29b475 Upgrade: fix replica agreement

Authored and Committed by frenaud 7 days ago
    Upgrade: fix replica agreement
    
    The upgrade checks the replication agreements to ensure that
    some attributes are excluded from replication. The agreements
    are stored in entries like
    cn=serverToreplica,cn=replica,cn=_suffix_,cn=mapping tree,cn=config
    but those entries are managed by the replication topology plugin
    and should not be updated directly. The consequence is that the update
    of the attributes fails and ipa-server-update prints an error message:
    
    Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling
    to perform: Entry and attributes are managed by topology plugin.No direct
    modifications allowed.
    Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
    unwilling to perform: Entry and attributes are managed by topology
    plugin.No direct modifications allowed.
    
    The upgrade continues but the replication is not excluding
    passwordgraceusertime.
    
    Instead of editing the agreements, perform the modifications on
    the topology segments.
    
    Fixes: https://pagure.io/freeipa/issue/9385
    Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
        
From 93d97b59600c15e5028ee39b0e98450544165158 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Jun 22 2023 15:49:40 +0000
Subject: Integration tests: add a test to ipa-server-upgrade Add an integration test ensuring that the upgrade properly updates the attributes to be excluded from replication.
Related: https://pagure.io/freeipa/issue/9385
Signed-off-by: Florence Blanc-Renaud
Reviewed-By: Rob Crittenden
---
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
index 17092a4..d1e65ef 100644
--- a/ipatests/test_integration/test_simple_replication.py
+++ b/ipatests/test_integration/test_simple_replication.py
@@ -23,8 +23,10 @@ import pytest
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipaserver.install.replication import EXCLUDES
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.test_topology import find_segment
 def check_replication(source_host, dest_host, login):
@@ -104,6 +106,34 @@ class TestSimpleReplication(IntegrationTest):
 [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
 )
+ def test_fix_agreements(self):
+ """Test that upgrade fixes the list of attributes excluded from repl
+
+ Test for ticket 9385
+ """
+ # Prepare the server by removing some values from
+ # from the nsDS5ReplicatedAttributeList
+ segment = find_segment(self.master, self.replicas[0], "domain")
+ self.master.run_command([
+ "ipa", "topologysegment-mod", "domain", segment,
+ "--replattrs",
+ "(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn"])
+ # Run the upgrade
+ result = self.master.run_command(["ipa-server-upgrade"])
+ # Ensure that the upgrade updated the attribute without error
+ errmsg = "Error caught updating nsDS5ReplicatedAttributeList"
+ assert errmsg not in result.stdout_text
+ # Check the updated value
+ suffix = DN(self.master.domain.basedn)
+ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
+ result = tasks.ldapsearch_dm(self.master, str(dn),
+ ["nsDS5ReplicatedAttributeList"])
+ output = result.stdout_text.lower()
+
+ template = 'nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE %s'
+ expected_value = template % " ".join(EXCLUDES)
+ assert expected_value.lower() in output
+
 def test_replica_removal(self):
 """Test replica removal"""
 result = self.master.run_command(['ipa-replica-manage', 'list'])
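Review bot: The last assertion in `test_fix_agreements` is a substring match over the whole ldapsearch output for `cn=<suffix>,cn=mapping tree,cn=config`, so it passes as soon as any returned entry carries the full exclusion list. If the master holds more than one agreement (the class setup is outside this hunk, and I am assuming the search is a subtree search), the agreement degraded by `topologysegment-mod` could stay unfixed and the test would still pass, leaving attributes such as passwordgraceusertime replicating unnoticed. I would collect the values and assert on each: `values = [l for l in output.splitlines() if l.startswith('nsds5replicatedattributelist:')]` then `assert values and all(v == expected_value.lower() for v in values)`. The same check on nsDS5ReplicatedAttributeListTotal would cover the second attribute the upgrade is expected to fix. The setup comment also repeats a word: `# Prepare the server by removing some values from` / `# from the nsDS5ReplicatedAttributeList`.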