We don't want to create private groups automatically for migrated users: there could be namespace overlap, and race conditions prevent us from checking for it in advance.

Sanity-check groups in general; warn if the group for the gidNumber doesn't exist, at least on the remote server.


Fill in the user's shell as well.

This will migrate users that are non-POSIX on the remote server.

rob
>From 1d4bd6ef48948b7f21e3087a91173384cc5f2ff5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 22 Mar 2012 13:40:54 -0400
Subject: [PATCH] Don't create private groups for migrated users, check for
 valid gidnumber

Migrated users don't get a private group; there is no safe way to verify
that the namespace is correct without redoing the uidnumber as well.

Verify that the GID at least points to a valid group on the remote server
and warn if it doesn't (this doesn't guarantee that the group gets migrated
but at least we try).

If the remote entry has no gidNumber and the default user's group is
non-POSIX then don't migrate that user.

Add a loginshell if the remote user doesn't have one.

https://fedorahosted.org/freeipa/ticket/2562
---
 ipalib/plugins/migration.py |   69 ++++++++++++++++++++++++++++++++----------
 1 files changed, 52 insertions(+), 17 deletions(-)

diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 4b104a8edc62f6876be1186fbc7bdda924472bf3..c2f8fe6030ee9799324f9f84dfaca4c86d611d8a 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -24,6 +24,7 @@ from ipalib import api, errors, output
 from ipalib import Command, Password, Str, Flag, StrEnum
 from ipalib.cli import to_cli
 from ipalib.dn import *
+from ipalib.plugins.user import NO_UPG_MAGIC
 if api.env.in_server and api.env.context in ['lite', 'server']:
     try:
         from ipaserver.plugins.ldap2 import ldap2
@@ -126,21 +127,35 @@ def is_DN_syntax(ldap, attr):
 def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
     attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
     attr_blacklist.extend(kwargs.get('attr_blacklist', []))
+    ds_ldap = ctx['ds_ldap']
+    search_bases = kwargs.get('search_bases', None)
+
+    if 'def_group_gid' in ctx:
+        entry_attrs.setdefault('gidnumber', ctx['def_group_gid'])
 
-    # get default primary group for new users
-    if 'def_group_dn' not in ctx:
-        def_group = config.get('ipadefaultprimarygroup')
-        ctx['def_group_dn'] = api.Object.group.get_dn(def_group)
+    # migrated user is not already POSIX, make it so
+    if 'uidnumber' not in entry_attrs:
+        entry_attrs['uidnumber'] = entry_attrs['gidnumber'] = [999]
+
+    # User by now should have a gidnumber, if not log specific error. User
+    # will fail to migrate missing gidNumber.
+    if 'gidnumber' not in entry_attrs:
+        api.log.error('Migrated user does not have a GID number and the default users group is not POSIX')
+    else:
+        # See if the gidNumber at least points to a valid group on the remote
+        # server.
         try:
-            (g_dn, g_attrs) = ldap.get_entry(ctx['def_group_dn'], ['gidnumber'])
+            (remote_dn, remote_entry) = ds_ldap.find_entry_by_attr(
+                'gidnumber', entry_attrs['gidnumber'][0], 'posixgroup', [''],
+                 search_bases['group']
+            )
         except errors.NotFound:
-            error_msg = _('Default group for new users not found.')
-            raise errors.NotFound(reason=error_msg)
-        if not ldap.has_upg():
-            if 'gidnumber' in g_attrs:
-                ctx['def_group_gid'] = g_attrs['gidnumber'][0]
-            else:
-                raise errors.NotFound(reason=_('User Private Groups are disabled and the default users group is not POSIX'))
+            api.log.warn('Migrated user\'s GID number %s does not point to a known group.' % entry_attrs['gidnumber'][0])
+
+    # We don't want to create a UPG so set the magic value in description
+    # to let the DS plugin know.
+    entry_attrs.setdefault('description', [])
+    entry_attrs['description'].append(NO_UPG_MAGIC)
 
     # fill in required attributes by IPA
     entry_attrs['ipauniqueid'] = 'autogenerate'
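Review bot: The fallback `entry_attrs['uidnumber'] = entry_attrs['gidnumber'] = [999]` overwrites the gidnumber that `entry_attrs.setdefault('gidnumber', ctx['def_group_gid'])` a few lines above has just supplied, so a remote user without uidNumber never takes the default group's GID, the "does not have a GID number" error branch is unreachable for that user, the remote lookup then searches for the literal 999, and both keys alias a single list object. The `find_entry_by_attr` check is also only meaningful for a GID that came from the remote entry: a GID copied from the local default group is looked up on the remote server and may warn spuriously, and `entry_attrs['gidnumber'][0]` indexes into a scalar when the value came from `ctx['def_group_gid']`, which the last hunk sets from `g_attrs['gidnumber'][0]` (a string if ldap2 returns attribute values as text, as it appears to). The restructuring below checks a remote-supplied GID first, otherwise falls back to the default group's GID wrapped in a list, otherwise logs the error, and lets 999 stand in for uidNumber only (its meaning as a DNA magic value is inferred, so a comment naming it would help). `search_bases` defaults to None and `search_bases['group']` raises TypeError if a caller omits it, which is worth a guard or an explicit required argument. `_pre_migrate_user` continues outside the hunk.
```python
    ds_ldap = ctx['ds_ldap']
    search_bases = kwargs.get('search_bases', None)

    if 'gidnumber' in entry_attrs:
        # Only a GID that came from the remote entry can be checked there.
        try:
            (remote_dn, remote_entry) = ds_ldap.find_entry_by_attr(
                'gidnumber', entry_attrs['gidnumber'][0], 'posixgroup', [''],
                search_bases['group']
            )
        except errors.NotFound:
            api.log.warn('Migrated user\'s GID number %s does not point to a known group.' % entry_attrs['gidnumber'][0])
    elif 'def_group_gid' in ctx:
        entry_attrs['gidnumber'] = [ctx['def_group_gid']]
    else:
        # No usable GID anywhere; the add is expected to fail for this user.
        api.log.error('Migrated user does not have a GID number and the default users group is not POSIX')

    # Non-POSIX remote user: 999 is presumably the DNA magic value that makes
    # the server assign a uidNumber -- TODO confirm and name the constant.
    if 'uidnumber' not in entry_attrs:
        entry_attrs['uidnumber'] = [999]

    # ... unchanged: NO_UPG_MAGIC description handling ...
```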
@@ -149,8 +164,10 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
         home_dir = '%s/%s' % (homes_root, pkey)
         home_dir = home_dir.replace('//', '/').rstrip('/')
         entry_attrs['homedirectory'] = home_dir
-    if 'def_group_gid' in ctx:
-        entry_attrs.setdefault('gidnumber', ctx['def_group_gid'])
+
+    if 'loginshell' not in entry_attrs:
+        default_shell = config.get('ipadefaultloginshell', ['/bin/sh'])[0]
+        entry_attrs.setdefault('loginshell', default_shell)
 
     # do not migrate all attributes
     for attr in entry_attrs.keys():
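Review bot: Under the `if 'loginshell' not in entry_attrs` guard the `setdefault` on the following line can never find an existing key, so a plain assignment reads more honestly: `entry_attrs['loginshell'] = config.get('ipadefaultloginshell', ['/bin/sh'])[0]`. The `['/bin/sh']` fallback only applies when the config entry itself lacks the attribute; a one-line comment such as `# config entry may lack ipadefaultloginshell; fall back to /bin/sh` would make that explicit. `_pre_migrate_user` starts and ends outside the hunk.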
@@ -178,8 +195,6 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
 
     # Fix any attributes with DN syntax that point to entries in the old
     # tree
-    search_bases = kwargs.get('search_bases', None)
-    ds_ldap = ctx['ds_ldap']
 
     for attr in entry_attrs.keys():
         if is_DN_syntax(ldap, attr):
@@ -219,7 +234,15 @@ def _post_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx):
         ldap.add_entry_to_group(dn, ctx['def_group_dn'])
     except errors.ExecutionError, e:
         failed[pkey] = unicode(_grp_err_msg)
-
+    (dn, desc_attr) = ldap.get_entry(dn, ['description'])
+    entry_attrs.update(desc_attr)
+    if 'description' in entry_attrs and NO_UPG_MAGIC in entry_attrs['description']:
+        entry_attrs['description'].remove(NO_UPG_MAGIC)
+        kw = {'setattr': unicode('description=%s' % ','.join(entry_attrs['description']))}
+        try:
+            api.Command['user_mod'](pkey, **kw)
+        except (errors.EmptyModlist, errors.NotFound):
+            pass
 
 # GROUP MIGRATION CALLBACKS AND VARS
 
@@ -626,6 +649,18 @@ can use their Kerberos accounts.''')
                 else:
                     blacklists[blacklist] = tuple()
 
+            # get default primary group for new users
+            if 'def_group_dn' not in context:
+                def_group = config.get('ipadefaultprimarygroup')
+                context['def_group_dn'] = api.Object.group.get_dn(def_group)
+                try:
+                    (g_dn, g_attrs) = ldap.get_entry(context['def_group_dn'], ['gidnumber', 'cn'])
+                except errors.NotFound:
+                    error_msg = _('Default group for new users not found.')
+                    raise errors.NotFound(reason=error_msg)
+                if 'gidnumber' in g_attrs:
+                    context['def_group_gid'] = g_attrs['gidnumber'][0]
+
             for (dn, entry_attrs) in entries:
                 if dn is None:  # LDAP search reference
                     failed[ldap_obj_name][entry_attrs[0]] = unicode(_ref_err_msg)
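Review bot: `'cn'` is requested from `ldap.get_entry(context['def_group_dn'], ['gidnumber', 'cn'])` but `g_attrs['cn']` (and `g_dn`) is never read; either drop it or use it in the error message. When the default group has no gidNumber this block silently leaves `context['def_group_gid']` unset and the condition only surfaces later as one log error per affected user in `_pre_migrate_user`; a single `api.log.warn('Default users group %s is not POSIX, users without a GID will not be migrated' % def_group)` after the `if 'gidnumber' in g_attrs` check would show the cause once. The enclosing method starts and ends outside the hunk.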
-- 
1.7.6
