Fix a couple of issues found with migration. I made a second patch just to keep things separate even though it's just a one-liner.

991 fixes a problem where we have attributes which point to other entries and these weren't being migrated. This is things like secretary and manager. This was actually causing things to blow up badly.


992 makes the primary key lower-case to match the rest of IPA.

I've attached an LDIF with a couple of users to demonstrate the fix.

rob
>From 1d84c3ee9c6ed956c2b77499b942e65d0f6f4d0b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 20 Mar 2012 22:37:27 -0400
Subject: [PATCH 1/2] Fix attributes that contain DNs when migrating.

Some attributes, like secretary and manager, may point to other LDAP
entries. We need to fix these during migration.

https://fedorahosted.org/freeipa/ticket/2562
---
 ipalib/plugins/migration.py |   45 ++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 44 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 7adddb5aa03b6543babcc2d1458d48c3cff1a506..7e76c38c71202724823bdf33a3bd82570b209cd9 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -114,6 +114,14 @@ _supported_schemas = (u'RFC2307bis', u'RFC2307')
 
 _compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config"
 
+def get_DN_syntax(ldap, attr):
+    """
+    Check the schema to see if the attribute uses DN syntax.
+
+    Returns True/False
+    """
+    obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr)
+    return obj and obj.syntax == '1.3.6.1.4.1.1466.115.121.1.12'
 
 def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
     attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
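Review bot: `get_DN_syntax` does not return True/False as its docstring promises: when the attribute is missing from the schema, `obj and obj.syntax == ...` evaluates to the falsy `obj` itself (presumably None). I would write `return obj is not None and obj.syntax == _DN_SYNTAX_OID`, with the OID `1.3.6.1.4.1.1466.115.121.1.12` lifted into a commented module-level constant so the magic value is explained once. The helper reads `_ldap.schema.AttributeType`, and `_ldap` is not defined anywhere in this hunk, so confirm the module imports it under that name. As this is a predicate, a name such as `is_dn_syntax` would also fit the file's snake_case helpers better.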
@@ -168,6 +176,41 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
     else:
         failed[pkey] = unicode(_krb_err_msg % principal)
 
+    # Fix any attributes with DN syntax that point to entries in the old
+    # tree
+    search_bases = kwargs.get('search_bases', None)
+    ds_ldap = ctx['ds_ldap']
+
+    for attr in entry_attrs.keys():
+        if get_DN_syntax(ldap, attr):
+            for ind in xrange(len(entry_attrs[attr])):
+                value = entry_attrs[attr][ind]
+                try:
+                    (remote_dn, remote_entry) = ds_ldap.get_entry(value, [api.Object.user.primary_key.name, api.Object.group.primary_key.name])
+                except errors.NotFound:
+                    api.log.error('In %s the attribute %s refers to non-existent entry %s' % (dn, attr, value))
+                    continue
+                if value.lower().endswith(search_bases['user']):
+                    primary_key = api.Object.user.primary_key.name
+                    container = api.env.container_user
+                elif value.lower().endswith(search_bases['group']):
+                    primary_key = api.Object.group.primary_key.name
+                    container = api.env.container_group
+                else:
+                    api.log.error('In entry %s value %s in attribute %s does not belong into any known container' % (dn, value, attr))
+                    continue
+
+                if not remote_entry.get(primary_key):
+                    api.log.error('In %s there is no primary key %s to migrate for %s' % (value, primary_key, attr))
+                    continue
+
+                api.log.info('converting DN value %s for %s in %s' % (value, attr, dn))
+                rdnval = remote_entry[primary_key][0]
+                entry_attrs[attr][ind] = \
+                    str(DN((primary_key, rdnval),
+                    container,
+                    api.env.basedn))
+
     return dn
 
 
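Review bot: The container test `value.lower().endswith(search_bases['user'])` compares DNs as raw strings, and `search_bases` comes from `kwargs.get('search_bases', None)`, so a caller that omits it gets a TypeError on the first DN-valued attribute. Only the left side is lower-cased, so a search base given with upper-case letters or different spacing would send every reference to the "does not belong into any known container" branch. Since these values come from the directory being migrated, comparing parsed DNs, or at least normalising both sides the same way, is safer than a suffix match. The remote lookup `ds_ldap.get_entry(...)` runs before the container check and only `errors.NotFound` is handled, so an out-of-tree or malformed DN value still causes a remote read and any other error would presumably propagate out of the callback. Doing the container check first and adding `if not search_bases: return dn` ahead of the loop would tighten this; `_pre_migrate_user` begins above this hunk.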
@@ -549,7 +592,7 @@ can use their Kerberos accounts.''')
             search_filter = construct_filter(self.migrate_objects[ldap_obj_name]['filter_template'],
                                              options[to_cli(self.migrate_objects[ldap_obj_name]['oc_option'])])
             exclude = options['exclude_%ss' % to_cli(ldap_obj_name)]
-            context = {}
+            context = dict(ds_ldap = ds_ldap)
 
             migrated[ldap_obj_name] = []
             failed[ldap_obj_name] = {}
-- 
1.7.6

>From aad591e36a58304d030184fe376cb08f30bfa515 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 20 Mar 2012 22:50:17 -0400
Subject: [PATCH 2/2] Normalize the primary key value to lowercase during
 migration.

https://bugzilla.redhat.com/show_bug.cgi?id=804609
---
 ipalib/plugins/migration.py |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 8bd3c529f8f977f45221cb95292f087d03219b22..3c88e67bf9ce0c41ef10b0487ca44ac34c4efd5a 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -658,6 +658,7 @@ can use their Kerberos accounts.''')
                         ) + [o.lower() for o in entry_attrs['objectclass']]
                     )
                 )
+                entry_attrs[ldap_obj.primary_key.name][0] = entry_attrs[ldap_obj.primary_key.name][0].lower()
 
                 callback = self.migrate_objects[ldap_obj_name]['pre_callback']
                 if callable(callback):
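Review bot: The added line indexes `entry_attrs[ldap_obj.primary_key.name][0]` without checking that the attribute is present and non-empty. Unless that is guaranteed earlier in the method (not visible here), a source entry lacking it raises KeyError or IndexError instead of being recorded in `failed`. Only the first value is lower-cased, and two source entries whose keys differ only in case now collapse to the same key, which deserves a clear failure message. The DN rewriting added in patch 1/2 builds reference DNs from `remote_entry[primary_key][0]` without lower-casing, so rewritten `manager`/`secretary` values will not match the normalised key textually; using `rdnval = remote_entry[primary_key][0].lower()` there would keep the two patches consistent. The enclosing method starts and ends outside this hunk.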
-- 
1.7.6

dn: cn=Darcee Leeson,ou=People,dc=greyoak,dc=com
carLicense: 2CGORU4
cn: Darcee Leeson
departmentNumber: 9466
description: This is Darcee Leeson's description
employeeType: Normal
facsimileTelephoneNumber: +1 408 553-4571
givenName: Darcee
homePhone: +1 206 217-8241
initials: D. L.
l: Sunnyvale
mail: darcee_lee...@greyoak.com
manager: cn=Mollee Weisenberg,ou=People,dc=greyoak,dc=com
mobile: +1 818 264-2444
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
ou: Product Testing
pager: +1 510 405-3251
postalAddress: greyoak.com, Product Testing Dept #795, Room#250
roomNumber: 9844
secretary: cn=Ayaz Kreiger,ou=People,dc=greyoak,dc=com
sn: Leeson
telephoneNumber: +1 804 913-8558
title: Supreme Product Testing Visionary
uid: Darcee_Leeson
uidNumber: 11731
gidNumber: 21731
homeDirectory: /home/Darcee_Leeson
userPassword:: e1NTSEF9VzMySTlBaFBkT0dMa201QU9DQThobW5LSC9RV296RWpCMFJ6TXc9PQ=
 =

dn: cn=Mollee Weisenberg,ou=People,dc=greyoak,dc=com
carLicense: 2CGORU4
cn: Mollee Weisenberg
departmentNumber: 9466
description: This is Mollee Weisenberg's description
employeeType: Normal
facsimileTelephoneNumber: +1 408 553-4571
givenName: Darcee
homePhone: +1 206 217-8241
initials: D. L.
l: Sunnyvale
mail: mollee_weisenb...@greyoak.com
mobile: +1 818 264-2444
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
ou: Product Testing
pager: +1 510 405-3251
postalAddress: greyoak.com, Product Testing Dept #795, Room#250
roomNumber: 9844
secretary: cn=Ayaz Kreiger,ou=People,dc=greyoak,dc=com
sn: Leeson
telephoneNumber: +1 804 913-8558
title: Supreme Product Testing Visionary
uid: Mollee_Weisenberg
uidNumber: 11732
gidNumber: 21731
homeDirectory: /home/Mollee_Weisenberg
userPassword:: e1NTSEF9VzMySTlBaFBkT0dMa201QU9DQThobW5LSC9RV296RWpCMFJ6TXc9PQ=
 =

dn: cn=Ayaz Kreiger,ou=People,dc=greyoak,dc=com
carLicense: 2CGORU4
cn: Ayaz Kreiger
departmentNumber: 9466
description: This is Ayaz Kreiger's description
employeeType: Normal
facsimileTelephoneNumber: +1 408 553-4571
givenName: Darcee
homePhone: +1 206 217-8241
initials: D. L.
l: Sunnyvale
mail: ayaz_krei...@greyoak.com
mobile: +1 818 264-2444
manager: cn=Mollee Weisenberg,ou=People,dc=greyoak,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
ou: Product Testing
pager: +1 510 405-3251
postalAddress: greyoak.com, Product Testing Dept #795, Room#250
roomNumber: 9844
sn: Leeson
telephoneNumber: +1 804 913-8558
title: Supreme Product Testing Visionary
uid: Ayaz_Kreiger
uidNumber: 11733
gidNumber: 21731
homeDirectory: /home/Ayaz_Kreiger
userPassword:: e1NTSEF9VzMySTlBaFBkT0dMa201QU9DQThobW5LSC9RV296RWpCMFJ6TXc9PQ=
 =