From 28ffd3d8c32e9c83cd28529e78e42d79737bc11b Mon Sep 17 00:00:00 2001
From: Jr Aquino
Date: Tue, 28 Feb 2012 22:50:31 -0800
Subject: [PATCH] 43 Inherit nssldap security access settings during replica install
Inherit the following bind security settings when performing a replica install: 'nsslapd-allow-unauthenticated-binds', 'nsslapd-require-secure-binds', 'nsslapd-allow-anonymous-access', 'nsslapd-minssf'
https://fedorahosted.org/freeipa/ticket/1930
---
 install/tools/ipa-replica-install | 17 +++++++++++++++++
 ipaserver/install/dsinstance.py | 9 +++++++++
 2 files changed, 26 insertions(+), 0 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index e4e4a8d..d2fb3d1 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -407,6 +407,17 @@ def main():
 sys.exit(3)
 except errors.NotFound:
 pass
+ # Fetch bind security settings
+ inherited_settings = {}
+ sec_attrs = ['nsslapd-allow-unauthenticated-binds',
+ 'nsslapd-require-secure-binds',
+ 'nsslapd-allow-anonymous-access',
+ 'nsslapd-minssf']
+ try:
+ for attr in sec_attrs:
+ inherited_settings.update(conn.get_entry(u'cn=config', [attr])[1])
+ except errors.NotFound:
+ pass
 conn.disconnect()
 except errors.ACIError:
 sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
@@ -449,6 +460,10 @@ def main():
 service.print_msg("Applying LDAP updates")
 ds.apply_updates()
+ # Inherit bind security settings
+ service.print_msg("Inheriting bind security settings")
+ ds.inherit_security_settings(inherited_settings)
+
 # Restart ds and krb after configurations have been changed
 service.print_msg("Restarting the directory server")
 ds.restart()
@@ -478,6 +493,8 @@ def main():
 print "ipa-client-install returned: " + str(e)
 raise RuntimeError("Failed to configure the client")
+ ds.ldapi = True
+ ds.realm = ds.realm_name
 ds.replica_populate()
 #Everything installed properly, activate ipa service.
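Review bot: The `except errors.NotFound: pass` around the `for attr in sec_attrs` loop silently leaves `inherited_settings` empty or partial when `cn=config` cannot be read from the master, so the replica is then installed with its own default bind settings and nothing is reported; a message in that branch such as `service.print_msg("Could not read bind security settings from the master; replica keeps its defaults")` would make the divergence visible to the installer. The loop also issues one search per attribute although a single call covers all four: `inherited_settings.update(conn.get_entry(u'cn=config', sec_attrs)[1])`. Note that `update()` copies whatever attributes the entry contains, so this relies on `get_entry()` honouring the requested attribute list (it presumably returns a `(dn, attrs)` tuple — worth confirming) rather than handing back the whole entry. The enclosing `main()` starts and ends outside the hunk.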
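Review bot: `ds.ldapi = True` and `ds.realm = ds.realm_name` set `DsInstance` internals from the installer with no explanation; presumably they make `ds.replica_populate()` bind over LDAPI because a plaintext simple bind could now be refused once `nsslapd-require-secure-binds` has been inherited, but that is inference from the other hunks. A comment giving the reason, e.g. `# replica_populate() must bind over LDAPI: a plaintext bind may be refused by the inherited nsslapd-require-secure-binds setting`, or better, having `replica_populate()` set up its own LDAPI connection inside `DsInstance`, would keep the dependency between the inherited settings and this step explicit. The `ds.realm = ds.realm_name` assignment in particular looks like a work-around for two attribute names holding the same value and belongs in the class rather than at the call site. `main()` continues outside the hunk.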
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index c66f2a7..73b6ec2 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -478,6 +478,15 @@ class DsInstance(service.Service):
 def generate_random(self):
 return ipautil.ipa_generate_password()
+ def inherit_security_settings(self, inherited_settings):
+
+ conn = ipaldap.IPAdmin("127.0.0.1")
+ conn.simple_bind_s("cn=directory manager", self.dm_password)
+ mod = [(ldap.MOD_REPLACE, key, str(inherited_settings[key][0])) for key in inherited_settings]
+ conn.modify_s("cn=config", mod)
+
+ conn.unbind()
+
 def __enable_ssl(self):
 dirname = config_dirname(self.serverid)
 dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
--
1.7.6.5
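Review bot: `inherit_security_settings()` has no docstring and does not release the connection on failure: if `modify_s` raises, the `conn.unbind()` after the blank line is never reached, and an empty `inherited_settings` (the caller's fetch can legitimately produce nothing) sends a modify with an empty change list, which the server may reject. The method also replaces on `cn=config` whatever keys it is handed, so only the caller's attribute list keeps it from rewriting unrelated configuration; documenting the expected `{attr: [values]}` shape (only the first value of each is applied) and the intended attribute set would make that contract explicit. The bind is a plaintext simple bind as Directory Manager over loopback, consistent with what the rest of the file shows in this hunk. Below is the method with an early return on empty input, a docstring and the unbind moved into `finally`; `__enable_ssl` is outside the change.
```python
    def inherit_security_settings(self, inherited_settings):
        """Copy bind-security attributes read from the master onto cn=config.

        inherited_settings maps an attribute name to its list of values as
        read from the master; only the first value of each is applied.
        Nothing is changed when the mapping is empty.
        """
        if not inherited_settings:
            return
        mod = [(ldap.MOD_REPLACE, key, str(values[0]))
               for key, values in inherited_settings.items()]
        conn = ipaldap.IPAdmin("127.0.0.1")
        conn.simple_bind_s("cn=directory manager", self.dm_password)
        try:
            conn.modify_s("cn=config", mod)
        finally:
            conn.unbind()
```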