Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration

[Martin Basti]

On 12/11/14 16:55, David Kupka wrote:

On 11/07/2014 03:22 PM, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4622
Patch attached.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


LGTM, please rebase to ipa-4-0.


Thanks.
Rebased patch for 4.0 attached.
Original patch for 4.1 and master attached.

--
Martin Basti

From f3c19b3719b9e9e25e8f45a1787de8e46ed5e1b7 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Fri, 7 Nov 2014 13:28:01 +0100
Subject: [PATCH] Fix upgrade referint plugin

Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
Now old setting are migrated to new style setting before upgrade

Ticket: https://fedorahosted.org/freeipa/ticket/4622
---
 install/updates/25-referint.update   | 13 +---
 ipaserver/install/plugins/Makefile.am|  1 +
 ipaserver/install/plugins/update_referint.py | 90 
 3 files changed, 92 insertions(+), 12 deletions(-)
 create mode 100644 ipaserver/install/plugins/update_referint.py

diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update
index c4bff5dac4956eb0ef4b132a2ce5dafdb53e286e..2cb8782263a51caf99c3b33d94bbb3f76372de2c 100644
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -1,19 +1,8 @@
 # Expand attributes checked by Referential Integrity plugin
 # pres and eq indexes defined in 20-indices.update must be set for all these
 # attributes
+# NOTE: migration to new style is done in update_referint.py
 dn: cn=referential integrity postoperation,cn=plugins,cn=config
-remove: nsslapd-pluginArg7: manager
-remove: nsslapd-pluginArg8: secretary
-remove: nsslapd-pluginArg9: memberuser
-remove: nsslapd-pluginArg10: memberhost
-remove: nsslapd-pluginArg11: sourcehost
-remove: nsslapd-pluginArg12: memberservice
-remove: nsslapd-pluginArg13: managedby
-remove: nsslapd-pluginArg14: memberallowcmd
-remove: nsslapd-pluginArg15: memberdenycmd
-remove: nsslapd-pluginArg16: ipasudorunas
-remove: nsslapd-pluginArg17: ipasudorunasgroup
-remove: nsslapd-pluginArg18: ipatokenradiusconfiglink
 add: referint-membership-attr: manager
 add: referint-membership-attr: secretary
 add: referint-membership-attr: memberuser
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index 7cf0495131b2108ee78a79758cee42ec344652c7..90c59b3caf4f6e1c92563f7750051ee255b79c5b 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -11,6 +11,7 @@ app_PYTHON = 			\
 	update_services.py	\
 	update_anonymous_aci.py	\
 	update_pacs.py		\
+	update_referint.py	\
 	ca_renewal_master.py	\
 	$(NULL)
 
diff --git a/ipaserver/install/plugins/update_referint.py b/ipaserver/install/plugins/update_referint.py
new file mode 100644
index ..1b7411035b27ebba04246a7ee6f220d470b46688
--- /dev/null
+++ b/ipaserver/install/plugins/update_referint.py
@@ -0,0 +1,90 @@
+#
+# Copyright (C) 2014  FreeIPA Contributors see COPYING for license
+#
+
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PreUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import root_logger
+
+class update_referint(PreUpdate):
+
+Update referential integrity configuration to new style
+http://directory.fedoraproject.org/docs/389ds/design/ri-plugin-configuration.html
+
+old attr  - new attr
+nsslapd-pluginArg0- referint-update-delay
+nsslapd-pluginArg1- referint-logfile
+nsslapd-pluginArg2- referint-logchanges
+nsslapd-pluginArg3..N - referint-membership-attr [3..N]
+
+Old and new style cannot be mixed, all nslapd-pluginArg* attrs have to be removed
+
+
+order = MIDDLE
+
+referint_dn = DN(('cn', 'referential integrity postoperation'),
+   ('cn', 'plugins'), ('cn', 'config'))
+
+def execute(self, **options):
+
+root_logger.debug(Upgrading referential integrity plugin configuration)
+ldap = self.obj.backend
+try:
+entry = ldap.get_entry(self.referint_dn)
+except errors.NotFound:
+root_logger.error(Referential integrity configuration not found)
+return False, False, []
+
+referint_membership_attrs = []
+
+root_logger.debug(Initial value: %s, repr(entry))
+
+# nsslapd-pluginArg0- referint-update-delay
+update_delay = entry.get('nsslapd-pluginArg0')
+if update_delay:
+root_logger.debug(add: referint-update-delay: %s, update_delay)
+entry['referint-update-delay'] = update_delay
+entry['nsslapd-pluginArg0'] = None
+else:
+root_logger.info(Plugin already uses new style, skipping)
+return False, False, []

Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration

[thierry bordaz]

On 11/13/2014 10:18 AM, Martin Basti wrote:

On 12/11/14 16:55, David Kupka wrote:

On 11/07/2014 03:22 PM, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4622
Patch attached.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


LGTM, please rebase to ipa-4-0.


Thanks.
Rebased patch for 4.0 attached.
Original patch for 4.1 and master attached.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Hello,

   Just a novice question. If the RI config entry was something like:

   dn: cn=referential integrity postoperation,cn=plugins,cn=config
   objectClass: top
   ...
   nsslapd-pluginArg0: xxx
   nsslapd-pluginArg1: yyy
   nsslapd-pluginArg2: zzz
   nsslapd-pluginArg3: +++

   Will it create an entry like

   dn: cn=referential integrity postoperation,cn=plugins,cn=config
   objectClass: top
   ...

   referint-update-delay: xxx
   referint-logfile: yyy
   referint-logchanges: zzz
   referint-membership-attr: +++

   or like

   dn: cn=referential integrity postoperation,cn=plugins,cn=config
   objectClass: top
   ...

   referint-update-delay: xxx
   referint-logfile: yyy
   referint-logchanges: zzz
   referint-membership-attr: +++
   nsslapd-pluginArg0:
   nsslapd-pluginArg1:
   nsslapd-pluginArg2:
   nsslapd-pluginArg3:

   Thanks
   thierry


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration

[Martin Basti]

On 13/11/14 12:02, thierry bordaz wrote:

On 11/13/2014 10:18 AM, Martin Basti wrote:

On 12/11/14 16:55, David Kupka wrote:

On 11/07/2014 03:22 PM, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4622
Patch attached.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


LGTM, please rebase to ipa-4-0.


Thanks.
Rebased patch for 4.0 attached.
Original patch for 4.1 and master attached.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Hello,

Just a novice question. If the RI config entry was something like:

dn: cn=referential integrity postoperation,cn=plugins,cn=config
objectClass: top
...
nsslapd-pluginArg0: xxx
nsslapd-pluginArg1: yyy
nsslapd-pluginArg2: zzz
nsslapd-pluginArg3: +++

Will it create an entry like

dn: cn=referential integrity postoperation,cn=plugins,cn=config
objectClass: top
...

referint-update-delay: xxx
referint-logfile: yyy
referint-logchanges: zzz
referint-membership-attr: +++

or like

dn: cn=referential integrity postoperation,cn=plugins,cn=config
objectClass: top
...

referint-update-delay: xxx
referint-logfile: yyy
referint-logchanges: zzz
referint-membership-attr: +++
nsslapd-pluginArg0:
nsslapd-pluginArg1:
nsslapd-pluginArg2:
nsslapd-pluginArg3:

Thanks
thierry



Hello,

It removes all nsslapd-pluginArg*

referint-update-delay: xxx
referint-logfile: yyy
referint-logchanges: zzz
referint-membership-attr: +++

But I can check it again if you have any doubts.

Martin^2

--
Martin Basti

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration

[David Kupka]

On 11/13/2014 10:18 AM, Martin Basti wrote:

On 12/11/14 16:55, David Kupka wrote:

On 11/07/2014 03:22 PM, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4622
Patch attached.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


LGTM, please rebase to ipa-4-0.


Thanks.
Rebased patch for 4.0 attached.
Original patch for 4.1 and master attached.



Thanks, ACK.

--
David Kupka

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration

[thierry bordaz]

On 11/13/2014 12:16 PM, Martin Basti wrote:

On 13/11/14 12:02, thierry bordaz wrote:

On 11/13/2014 10:18 AM, Martin Basti wrote:

On 12/11/14 16:55, David Kupka wrote:

On 11/07/2014 03:22 PM, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4622
Patch attached.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


LGTM, please rebase to ipa-4-0.


Thanks.
Rebased patch for 4.0 attached.
Original patch for 4.1 and master attached.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Hello,

Just a novice question. If the RI config entry was something like:

dn: cn=referential integrity postoperation,cn=plugins,cn=config
objectClass: top
...
nsslapd-pluginArg0: xxx
nsslapd-pluginArg1: yyy
nsslapd-pluginArg2: zzz
nsslapd-pluginArg3: +++

Will it create an entry like

dn: cn=referential integrity postoperation,cn=plugins,cn=config
objectClass: top
...

referint-update-delay: xxx
referint-logfile: yyy
referint-logchanges: zzz
referint-membership-attr: +++

or like

dn: cn=referential integrity postoperation,cn=plugins,cn=config
objectClass: top
...

referint-update-delay: xxx
referint-logfile: yyy
referint-logchanges: zzz
referint-membership-attr: +++
nsslapd-pluginArg0:
nsslapd-pluginArg1:
nsslapd-pluginArg2:
nsslapd-pluginArg3:

Thanks
thierry



Hello,

It removes all nsslapd-pluginArg*
referint-update-delay: xxx
referint-logfile: yyy
referint-logchanges: zzz
referint-membership-attr: +++

But I can check it again if you have any doubts.
Martin^2
--
Martin Basti

Hi Martin,

Thanks for the explanation. Reading generate_modlist(), I realize that 
it will do a mod/del on each 'nsslapd-pluginarg*' so they will be 
clearly removed.


Thanks
thierry
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration

[Petr Vobornik]

On 13.11.2014 13:08, David Kupka wrote:

On 11/13/2014 10:18 AM, Martin Basti wrote:

On 12/11/14 16:55, David Kupka wrote:

On 11/07/2014 03:22 PM, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4622
Patch attached.


LGTM, please rebase to ipa-4-0.


Thanks.
Rebased patch for 4.0 attached.
Original patch for 4.1 and master attached.



Thanks, ACK.



Pushed to:

ipa-4-0:
* 9a9eccb94bcade97edb8aa877aedc35c191745e5 Fix upgrade referint plugin
ipa-4-1:
* 65624c9d61ba0bf8a1e5e040357406712dd42245 Fix upgrade referint plugin
master:
* f62c7843ffeda1e841719cb35f9f773f186780a6 Fix upgrade referint plugin

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration

[David Kupka]

On 11/07/2014 03:22 PM, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4622
Patch attached.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


LGTM, please rebase to ipa-4-0.

--
David Kupka

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel