#5199 Trust agent install does not detect available replicas to add to master
Closed: Fixed. Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1252414

Description of problem:
=======================
"ipa-adtrust-install --add-agents" command fails to identify the available
replicas (installed replicas) to be added to the master.


ipa version:
=============
ipa-server-4.2.0-3.el7.x86_64
sssd-1.13.0-11.el7.x86_64


Additional info:
================
Discussed with Ab about this behavior via email. Please find below his response
and possible fix to address this issue.
Ab's response (root cause analysis):
===================================
The AD Trust agents feature requires RHEL 7.2 masters on the agents' side.
We cannot enable older masters as they wouldn't have proper SSSD and
proper IPA to work in such mode. To filter the older/newer
masters, we rely on the following filter:

"(&(objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0)))"

i.e. these should be masters whose records have the object class for the
topology plugin and are configured to serve the topology plugin. If only the
objectclass is there, it might simply be a replica that got the
configuration but no actual code from FreeIPA 4.2.

What has happened with IPA in RHEL 7.2 is that we decided not to enable the
topology plugin until its functionality is complete. As a result, the
filter above is not giving any output, because all replicas now have
ipaMaxDomainLevel equal to 0:

# replica1.btestrelm.test, masters, ipa, etc, btestrelm.test
dn: cn=replica1.btestrelm.test,cn=masters,cn=ipa,cn=etc,dc=btestrelm,dc=test
objectClass: top
objectClass: nsContainer
objectClass: ipaReplTopoManagedServer
objectClass: ipaConfigObject
objectClass: ipaSupportedDomainLevelConfig
cn: replica1.btestrelm.test
ipaReplTopoManagedSuffix: dc=btestrelm,dc=test
ipaMinDomainLevel: 0
ipaMaxDomainLevel: 0


We need to find out any other way to differentiate between new and old
replicas and change the filter accordingly.

Ab's Proposed Idea to fix the issue:
====================================
We need to get a list of those IPA replicas which run IPA 4.2, regardless
of whether they were configured with ipa-adtrust-install or not. We need
to know reliably that a master was upgraded to 4.2.

That said, we add ipaMinDomainLevel/ipaMaxDomainLevel in 72-domainlevels.update,
which means you have to update your replica to actually receive these
values in your replica's entry. We could simply change the filter to
make sure that both attributes exist and not care about the value.

I tried to change the filter in ipa-adtrust-install to

filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))",

and it detected there are three replicas to add agents on.
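The following is an added worked example, not code from this ticket or from
FreeIPA: it evaluates the original filter and Ab's proposed filter against
constructed cn=masters entries with a minimal LDAP filter evaluator (only &,
|, !, presence and equality are supported). The replica1 entry mirrors the
one quoted above; the oldmaster and plainmaster entries are hypothetical, added
to show how each filter treats a master that has the object class but no level
attributes, and one that has neither.

```python
import re

# Constructed LDIF in the shape of cn=masters,cn=ipa,cn=etc entries.
# replica1 mirrors the entry quoted in the ticket (4.2 code, topology plugin
# not enabled, so both levels are 0). oldmaster and plainmaster are
# hypothetical: oldmaster carries the object class but never ran
# 72-domainlevels.update; plainmaster is a pre-4.2 entry with no level schema.
SAMPLE_LDIF = """\
dn: cn=replica1.btestrelm.test,cn=masters,cn=ipa,cn=etc,dc=btestrelm,dc=test
objectClass: top
objectClass: nsContainer
objectClass: ipaReplTopoManagedServer
objectClass: ipaConfigObject
objectClass: ipaSupportedDomainLevelConfig
cn: replica1.btestrelm.test
ipaReplTopoManagedSuffix: dc=btestrelm,dc=test
ipaMinDomainLevel: 0
ipaMaxDomainLevel: 0

dn: cn=oldmaster.btestrelm.test,cn=masters,cn=ipa,cn=etc,dc=btestrelm,dc=test
objectClass: top
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: ipaSupportedDomainLevelConfig
cn: oldmaster.btestrelm.test

dn: cn=plainmaster.btestrelm.test,cn=masters,cn=ipa,cn=etc,dc=btestrelm,dc=test
objectClass: top
objectClass: nsContainer
objectClass: ipaConfigObject
cn: plainmaster.btestrelm.test
"""

# The filter ipa-adtrust-install used before the fix, and the proposed one.
OLD_FILTER = "(&(objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0)))"
NEW_FILTER = ("(&(objectclass=ipaSupportedDomainLevelConfig)"
              "(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))")


def parse_ldif(text):
    """Split LDIF into entries: dict of lower-cased attribute -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def parse_filter(text, pos=0):
    """Parse one parenthesised RFC 4515 filter; supports &, |, !, presence and
    equality only. Returns (node, position after the closing paren)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, children, pos = text[pos], [], pos + 1
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated %s at offset %d" % (op, pos))
        return (op, children), pos + 1
    if text[pos] == "!":
        child, pos = parse_filter(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("unterminated ! at offset %d" % pos)
        return ("!", [child]), pos + 1
    end = text.index(")", pos)
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr.strip().lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry. LDAP semantics apply:
    (!(attr=v)) is TRUE when attr is absent, so the old filter cannot tell
    'attribute missing' apart from 'attribute non-zero'."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence filter
        return bool(values)
    # case-insensitive compare is adequate for object classes and small ints
    return value.lower() in (v.lower() for v in values)


def find_agent_candidates(ldif_text, ldap_filter):
    """Return the cn of every masters entry the filter selects."""
    node, end = parse_filter(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing data after filter")
    return [e["cn"][0] for e in parse_ldif(ldif_text) if matches(node, e)]


if __name__ == "__main__":
    for name, flt in (("old", OLD_FILTER), ("new", NEW_FILTER)):
        print(name, find_agent_candidates(SAMPLE_LDIF, flt))
```

With these entries the old filter skips replica1 (ipaMaxDomainLevel is 0) yet
selects the hypothetical oldmaster, because a negated equality is satisfied by
an absent attribute; the presence-based filter selects only replica1, the
entry that actually received the 72-domainlevels.update attributes.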

master:

  • 1fc21e9 adtrust-install: Correctly determine 4.2 FreeIPA servers

ipa-4-2:

  • ef192fb adtrust-install: Correctly determine 4.2 FreeIPA servers

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago
