[Freeipa-devel] [PATCH] 134 Improve handling of GIDs when migrating groups

Martin Kosek mkosek at redhat.com
Fri Oct 7 06:39:12 UTC 2011


On Thu, 2011-10-06 at 21:31 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-10-05 at 13:44 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Since IPA v2 server already contains predefined groups that may collide
> >>> with groups in migrated (IPA v1) server (for example admins, ipausers),
> >>> users having colliding group as their primary group may happen to belong
> >>> to an unknown group on new IPA v2 server.
> >>>
> >>> Implement --group-overwrite-gid option to overwrite GID of already
> >>> existing groups to prevent this issue.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1866
> >>
> >> For argument's sake, what is the user going to see the first time they
> >> run this? I assume they won't think about these duplicate groups and
> >> just do the migration. This means that the result may be some users
> >> pointing to non-existent GIDs.
> >
> > At first I was thinking about making the GID the default behavior and
> > just add flag "--dont-overwrite-gid". But I was afraid this could do some
> > damage and change GIDs where it is not required. However, I made some
> > improvements in this area, please see below.
> >
> >>
> >> If they re-run the migration with this option will it then fix
> >> everything up?
> >
> > Yep.
> >
> >>
> >> I'm wondering if we need a --test argument so people can run the
> >> migration w/o writing entries to look for problems like this.
> >>
> >> rob
> >
> > If we want to do this, we would have to add a lot of LDAP query checks
> > since we mostly try doing the LDAP write and write failures in case of an
> > exception.
> >
> > However, I updated the patch so that the user is notified about the existence of
> > --group-overwrite-gid option better. If a migration of a group with a
> > GID number fails because of DuplicateError, a notice about GID is
> > displayed. This should make him check this situation and either use
> > group-mod --gidnumber=... or re-run the migration with
> > --group-overwrite-gid.
> >
> > I also updated the Password option not to ask user for LDAP password
> > twice, because it makes me really mad :-)
> >
> > Martin
> 
> # ipa migrate-ds ldap://panther.greyoak.com --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --user-ignore-objectclass=radiusprofile
> Password:
> ipa: ERROR: an internal error has occurred
> 
> [Thu Oct 06 21:28:49 2011] [error] ipa: ERROR: non-public: TypeError: _post_migrate_user() got an unexpected keyword argument 'options'
> [Thu Oct 06 21:28:49 2011] [error] Traceback (most recent call last):
> [Thu Oct 06 21:28:49 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in wsgi_execute
> [Thu Oct 06 21:28:49 2011] [error]     result = self.Command[name](*args, **options)
> [Thu Oct 06 21:28:49 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
> [Thu Oct 06 21:28:49 2011] [error]     ret = self.run(*args, **options)
> [Thu Oct 06 21:28:49 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
> [Thu Oct 06 21:28:49 2011] [error]     return self.execute(*args, **options)
> [Thu Oct 06 21:28:49 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 633, in execute
> [Thu Oct 06 21:28:49 2011] [error]     ldap, config, ds_ldap, ds_base_dn, options
> [Thu Oct 06 21:28:49 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 602, in migrate
> [Thu Oct 06 21:28:49 2011] [error]     options = options,
> [Thu Oct 06 21:28:49 2011] [error] TypeError: _post_migrate_user() got an unexpected keyword argument 'options'
> 
> rob

Ouch. This one must have come from some previous tries. And since the
users were already migrated in my testing, it was left undiscovered. I
wonder why pylint was quiet.

Sending a fixed version, it should work fine now.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-134-3-improve-handling-of-gids-when-migrating-groups.patch
Type: text/x-patch
Size: 10163 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/d3276f1c/attachment.bin>
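
The GID collision discussed in this thread, as an added example that is not part of the original message and is not FreeIPA code: a simplified dry-run model showing which migrated users end up with a primary GID that no group on the new server carries, with and without overwriting the GID of already existing groups. The function name, the overwrite_gid parameter and all sample entries are assumptions constructed for illustration.

```python
# Added illustration: a simplified model, not FreeIPA's migration code.
# All names and sample entries below are constructed for this example.

def plan_group_migration(source_groups, source_users, target_groups,
                         overwrite_gid=False):
    """Dry-run a group migration without writing anything.

    source_groups / target_groups: dict of group name -> gidNumber
    source_users: dict of user login -> primary gidNumber
    Returns (resulting target groups, colliding group names, orphaned users).
    """
    result = dict(target_groups)
    collisions = []
    for name, gid in source_groups.items():
        if name not in result:
            result[name] = gid       # new group, migrated with its GID
            continue
        if result[name] == gid:
            continue                 # same name and same GID, nothing to fix
        collisions.append(name)      # name already exists with a different GID
        if overwrite_gid:
            result[name] = gid       # existing group takes over the source GID
    known_gids = set(result.values())
    # Users whose primary GID matches no group after the migration.
    orphaned = sorted(u for u, gid in source_users.items()
                      if gid not in known_gids)
    return result, sorted(collisions), orphaned


# Constructed sample: "admins" and "ipausers" are predefined on the new
# server with GIDs that differ from the ones on the migrated server.
SOURCE_GROUPS = {"admins": 1001, "ipausers": 1002, "devs": 1500}
SOURCE_USERS = {"alice": 1001, "bob": 1002, "carol": 1500}
TARGET_GROUPS = {"admins": 820000000, "ipausers": 820000001}

if __name__ == "__main__":
    for flag in (False, True):
        groups, collisions, orphaned = plan_group_migration(
            SOURCE_GROUPS, SOURCE_USERS, TARGET_GROUPS, overwrite_gid=flag)
        print("overwrite_gid=%s collisions=%s orphaned=%s"
              % (flag, collisions, orphaned))
```

The model only tracks migrated users; accounts already on the new server that reference the old GID of an overwritten group are outside its scope.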