
[Freeipa-devel] [PATCH] 074 Handle LDAP search references



LDAP search operation may return a search reference pointing to
an LDAP resource. As the framework does not handle search
references, skip these results to prevent result processing
failures.

The migrate operation crashed when the migrated DS contained search
references. Now it correctly skips these records and reports the
failed references to the user.

https://fedorahosted.org/freeipa/ticket/1209

>From 3310419e3d20c570a0601386038c1bc02e1c230e Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek redhat com>
Date: Wed, 1 Jun 2011 18:04:24 +0200
Subject: [PATCH] Handle LDAP search references

LDAP search operation may return a search reference pointing to
an LDAP resource. As the framework does not handle search
references, skip these results to prevent result processing
failures.

Migrate operation crashed when the migrated DS contained search
references. Now, it correctly skips these records and prints the
failed references to user.

https://fedorahosted.org/freeipa/ticket/1209
---
 ipalib/plugins/migration.py |   12 +++++++++---
 ipaserver/plugins/ldap2.py  |    7 +++++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index ea591d31ee5af2e167866dcc31aa59d0e95caa94..67eaf0e8905f49983651a4738d5090c4e19c4747 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -77,6 +77,7 @@ from ipalib.text import Gettext # FIXME: remove once the other Gettext FIXME is
 
 _krb_err_msg = _('Kerberos principal %s already exists. Use \'ipa user-mod\' to set it manually.')
 _grp_err_msg = _('Failed to add user to the default group. Use \'ipa group-add-member\' to add manually.')
+_ref_err_msg = _('Migration of LDAP search reference is not supported.')
 
 _supported_schemas = (u'RFC2307bis', u'RFC2307')
 
@@ -118,7 +119,7 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
     except errors.NotFound:
         entry_attrs['krbprincipalname'] = principal
     else:
-        failed[pkey] = _krb_err_msg % principal
+        failed[pkey] = unicode(_krb_err_msg % principal)
 
     return dn
 
@@ -128,7 +129,7 @@ def _post_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx):
     try:
         ldap.add_entry_to_group(dn, ctx['def_group_dn'])
     except errors.ExecutionError, e:
-        failed[pkey] = _grp_err_msg
+        failed[pkey] = unicode(_grp_err_msg)
 
 
 # GROUP MIGRATION CALLBACKS AND VARS
@@ -417,7 +418,8 @@ can use their Kerberos accounts.''')
                 (entries, truncated) = ds_ldap.find_entries(
                     search_filter, ['*'], search_bases[ldap_obj_name],
                     ds_ldap.SCOPE_ONELEVEL,
-                    time_limit=0, size_limit=-1
+                    time_limit=0, size_limit=-1,
+                    search_refs=True    # migrated DS may contain search references
                 )
             except errors.NotFound:
                 if not options.get('continue',False):
@@ -435,6 +437,10 @@ can use their Kerberos accounts.''')
                 )
 
             for (dn, entry_attrs) in entries:
+                if dn is None:  # LDAP search reference
+                    failed[ldap_obj_name][entry_attrs[0]] = unicode(_ref_err_msg)
+                    continue
+
                 pkey = entry_attrs[ldap_obj.primary_key.name][0].lower()
                 if pkey in exclude:
                     continue
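Review bot: `entry_attrs[0]` in the added `dn is None` branch assumes every reference carries at least one URI and records only the first one. An empty list from a misbehaving source server would raise IndexError and abort the migration again, and any further URIs in the same reference never reach the report. The value also comes straight from the remote directory and ends up as a key in `failed` and in user-visible output, so it should be handled as untrusted text. Consider `for ref in entry_attrs or [u'(no URI)']: failed[ldap_obj_name][ref] = unicode(_ref_err_msg)` ahead of the `continue`. The enclosing loop body continues outside this hunk.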
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 5556773c95d58b5a891610dc22529e9a981017ea..b0a5c2c2c2eae9aa54a0a65946c442c0b594092b 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -516,7 +516,7 @@ class ldap2(CrudBackend, Encoder):
     @decode_retval()
     def find_entries(self, filter=None, attrs_list=None, base_dn='',
             scope=_ldap.SCOPE_SUBTREE, time_limit=None, size_limit=None,
-            normalize=True):
+            normalize=True, search_refs=False):
         """
         Return a list of entries and indication of whteher the results where
         truncated ([(dn, entry_attrs)], truncated) matching specified search
@@ -530,6 +530,7 @@ class ldap2(CrudBackend, Encoder):
         time_limit -- time limit in seconds (default use IPA config values)
         size_limit -- size (number of entries returned) limit (default use IPA config values)
         normalize -- normalize the DN (default True)
+        search_refs -- allow search references to be returned (default skips these entries)
         """
         if normalize:
             base_dn = self.normalize_dn(base_dn)
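Review bot: The new `search_refs` docstring line does not say what a returned reference looks like, yet the migration caller has to test `dn is None` and read the URI from `entry_attrs[0]`. Spelling out that contract keeps other callers that opt in from treating a reference as a normal entry. Suggested wording: `search_refs -- also return search references, as (None, [referral URIs]) items that the caller must check for (default: references are skipped, so results may be incomplete)`. The docstring and function body start outside this hunk.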
@@ -564,7 +565,9 @@ class ldap2(CrudBackend, Encoder):
                 (objtype, res_list) = self.conn.result(id, 0)
                 if not res_list:
                     break
-                res.append(res_list[0])
+                if objtype == _ldap.RES_SEARCH_ENTRY or \
+                   (search_refs and objtype == _ldap.RES_SEARCH_REFERENCE):
+                    res.append(res_list[0])
         except (_ldap.ADMINLIMIT_EXCEEDED, _ldap.TIMELIMIT_EXCEEDED,
                 _ldap.SIZELIMIT_EXCEEDED), e:
             truncated = True
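Review bot: With the default `search_refs=False`, the new condition drops references and any other non-entry result type without a trace. A caller then cannot tell a complete result set from one where part of the tree sits behind a referral, which matters if a lookup is used for an existence or uniqueness decision. A debug-level log in an `else` branch would make this visible, or at least a comment such as `# references are intentionally not followed; results may be incomplete`. With `search_refs=True`, `res` now holds `(None, [uri, ...])` items. The rest of find_entries and the `@decode_retval()` wrapper lie outside this hunk, so any post-processing there that assumes a string dn should be checked.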
-- 
1.7.5.2

