On 02/28/2012 10:52 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:
On 02/27/2012 09:47 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:
On 02/21/2012 02:32 PM, Ondrej Hamada wrote:
On 02/20/2012 06:53 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:

Added check into migration plugin to warn user when compat is
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly
option '--compat'.

'--compat' is just a flag, by default set to false. If it is set, the
compat check is skipped.

Interesting approach. I think this is probably good, preventing
migration when the compat plugin is enabled unless you specifically
decide to.

I think the option may need another name, maybe --with-compat or

I think in the message we should use "enabled" instead of "on". That
is the language of ipa-compat-manage.

The migration help should have a discussion of why this is a problem
too, and what compat really is (provides a different view of the data
to be compatible with non RFC2703bis systems).



Freeipa-devel mailing list
I forgot to update the commit message about the change of flag name.
Corrected patch attached.

This works ok it just seems to be making an assumption on the client
when to print this. I think a similar value like enabled needs to be
created to explicitly say why we are returning.

sorry for that, value created


I think you need to define better what compat means in the output, it could be very confusing. You can return a value for it without testing whether it is actually a problem or not.

I think what compat is supposed to mean is "Am I failing because of compat" and not an indication of whether compat is enabled or not.

Some documentation at a minimum should be added.

It otherwise seems to work ok.

You could return a value for compat here without
I've updated the description of 'compat' value in output and also changed the condition when this value is set to False. Now it is set to False only when the migration fails because of compatibility plugin.


Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From f88df9859c1ea7a04a63b3c9d18d561c8aeee75d Mon Sep 17 00:00:00 2001
From: Ondrej Hamada <oham...@redhat.com>
Date: Wed, 29 Feb 2012 15:21:24 +0100
Subject: [PATCH] Migration warning when compat enabled

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

 API.txt                     |    4 +++-
 VERSION                     |    2 +-
 ipalib/plugins/migration.py |   34 ++++++++++++++++++++++++++++++++--
 3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 548fc93d48128aab5cebd60dda7fd304b569785b..a44e391e2ab79cb566455defffff3299ed25714e 100644
--- a/API.txt
+++ b/API.txt
@@ -1893,7 +1893,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', <type 'unicode'>, None)
 command: migrate_ds
-args: 2,14,3
+args: 2,15,4
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
@@ -1908,11 +1908,13 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri
 option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False)
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307'))
 option: Flag('continue?', autofill=True, default=False)
+option: Flag('compat?', autofill=True, cli_name='with_compat', default=False)
 option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())
 option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=())
 output: Output('result', <type 'dict'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Output('enabled', <type 'bool'>, None)
+output: Output('compat', <type 'bool'>, None)
 command: netgroup_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True)
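
Review bot: The new option 'compat?' and the new output 'compat' in migrate_ds share a name but carry opposite senses. The option set to True means "go ahead even though the plug-in is enabled", while the output set to False means "stopped because the plug-in is enabled". A caller reading the result next to 'enabled' is likely to take 'compat' for the plug-in state. Give the two distinct names so the API line describes itself, and keep the option name aligned with its cli_name 'with_compat'.
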
diff --git a/VERSION b/VERSION
index 523bde4a8ecdcac4c3a451c0e09ef75b156d7831..381e3088c0bcb0e64304a2ed1ad12bfe6be95c51 100644
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..206648565a7a5943acf3f2b285423cfaf6f71d83 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and
 RFC2307bis. RFC2307bis uses member and uniquemember to specify group
 members, RFC2307 uses memberUid. The default schema is RFC2307bis.
+In order to use other schema than RFC2307bis the compatibility plug-in
+must be enabled. Migration with enabled compatibility plug-in causes
+a lot of overhead. Because of that it is disabled by default but it can
+be overridden by the '--with-compat' option.
 Migrated users do not have Kerberos credentials, they have only their
 LDAP password. To complete the migration process, users need to go
 to http://ipa.example.com/ipa/migration and authenticate using their
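
Review bot: In the added help paragraph, "it is disabled by default" has no clear antecedent. It reads as if the plug-in is disabled by default, whereas the code in this patch refuses the migration when the plug-in is enabled. Say that directly (the command stops while the plug-in is enabled unless '--with-compat' is given) and add a sentence on what the compatibility plug-in provides, as was requested earlier in the thread. The paragraph also needs a blank line separating it from the "Migrated users do not have Kerberos credentials" paragraph that follows.
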
@@ -67,6 +72,10 @@ EXAMPLES:
  The simplest migration, accepting all defaults:
    ipa migrate-ds ldap://ds.example.com:389
+ The simplest migration, accepting all defaults and ignoring the status
+ of compatibility plug-in:
+   ipa migrate-ds --with-compat ldap://ds.example.com:389
  Specify the user and group container. This can be used to migrate user
  and group data from an IPA v1 server:
    ipa migrate-ds --user-container='cn=users,cn=accounts' \\
@@ -103,6 +112,8 @@ _dn_err_msg = _('Malformed DN')
 _supported_schemas = (u'RFC2307bis', u'RFC2307')
+_compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config"
 def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
     attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
@@ -431,6 +442,12 @@ class migrate_ds(Command):
             doc=_('Continuous operation mode. Errors are reported but the process continues'),
+        Flag('compat?',
+            cli_name='with_compat',
+            label=_('Ignore compat plugin'),
+            doc=_('Allows migration despite the usage of compat plugin'),
+            default=False,
+        ),
     has_output = (
@@ -446,6 +463,10 @@ class migrate_ds(Command):
             doc=_('False if migration mode was disabled.'),
+        output.Output('compat',
+            type=bool,
+            doc=_('False if migration fails because the compatibility plug-in is enabled.'),
+        ),
     exclude_doc = _('comma-separated list of %s to exclude from migration')
@@ -629,12 +650,18 @@ can use their Kerberos accounts.''')
         # check if migration mode is enabled
         if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
-            return dict(result={}, failed={}, enabled=False)
+            return dict(result={}, failed={}, enabled=False, compat=True)
         # connect to DS
         ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
         ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+        #check whether the compat plugin is enabled
+        if not options.get('compat'):
+            (dn,check_compat) = ds_ldap.get_entry(_compat_dn, normalize=False)
+            if check_compat is not None and check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
+                return dict(result={},failed={},enabled=True, compat=False)
         # retrieve DS base DN
         (entries, truncated) = ds_ldap.find_entries(
             '', ['namingcontexts'], '', ds_ldap.SCOPE_BASE,
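
Review bot: The compat lookup goes through 'ds_ldap', which is the connection opened just above to the remote server being migrated from (ldap_uri=ldapuri), so the check reads the source directory's cn=config and not the IPA server's. If the plug-in that matters is the one on the IPA server, which is what the "Disable the compat plug-in" message implies, the lookup should use the local connection. Separately, 'check_compat is not None' only helps if get_entry returns None for a missing entry; if it raises instead, a source server without "cn=Schema Compatibility,cn=plugins,cn=config", or a bind DN that cannot read cn=config, aborts the migration with an unrelated error. Handle the not-found case explicitly and treat it as "plug-in not enabled". Style: '#check' needs a space after '#', and 'result={},failed={},enabled=True' needs spaces after the commas to match the other return statements.
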
@@ -650,13 +677,16 @@ can use their Kerberos accounts.''')
             ldap, config, ds_ldap, ds_base_dn, options
-        return dict(result=migrated, failed=failed, enabled=True)
+        return dict(result=migrated, failed=failed, enabled=True, compat=True)
     def output_for_cli(self, textui, result, ldapuri, bindpw, **options):
         if not result['enabled']:
             return 1
+        if not result['compat']:
+            textui.print_plain("Compatibility plug-in is enabled. This might cause troubles during migration. Disable the compat plug-in or run this script with \'--with-compat\' option.")
+            return 1
             result['result'], attr_order=self.migrate_order,
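
Review bot: The message passed to textui.print_plain in output_for_cli is a bare string literal, while the other user-visible strings added in this patch (label, doc) are wrapped in _(), so this one will not be translated. Wrap it in _() and drop the backslashes before the single quotes, which are not needed inside a double-quoted string. "run this script" should name the command, since the user is running 'ipa migrate-ds' and not a script. The early return at "enabled=False, compat=True" also depends on 'enabled' being tested first here; a comment saying that 'compat' is only meaningful when 'enabled' is True would keep the ordering from being changed by accident.
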
