[Freeipa-devel] [PATCH] 134 Improve handling of GIDs when migrating groups

Rob Crittenden rcritten at redhat.com
Fri Oct 7 01:31:59 UTC 2011


Martin Kosek wrote:
> On Wed, 2011-10-05 at 13:44 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Since IPA v2 server already contains predefined groups that may collide
>>> with groups in migrated (IPA v1) server (for example admins, ipausers),
>>> users having colliding group as their primary group may happen to belong
>>> to an unknown group on new IPA v2 server.
>>>
>>> Implement --group-overwrite-gid option to overwrite GID of already
>>> existing groups to prevent this issue.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1866
>>
>> For argument's sake, what is the user going to see the first time they
>> run this? I assume they won't think about these duplicate groups and
>> just do the migration. This means that the result may be some users
>> pointing to non-existent GIDs.
>
> At first I was thinking about making the GID the default behavior and
> just add flag "--dont-overwrite-gid". But I was afraid this could do some
> damage and change GIDs where it is not required. However, I made some
> improvements in this area, please see below.
>
>>
>> If they re-run the migration with this option will it then fix
>> everything up?
>
> Yep.
>
>>
>> I'm wondering if we need a --test argument so people can run the
>> migration w/o writing entries to look for problems like this.
>>
>> rob
>
> If we want to do this, we would have to add a lot of LDAP query checks
> since we mostly try doing the LDAP write and write failures in case of an
> exception.
>
> However, I updated the patch so that the user is notified about existence of
> --group-overwrite-gid option better. If a migration of a group with a
> GID number fails because of DuplicateError, a notice about GID is
> displayed. This should make him check this situation and either use
> group-mod --gidnumber=... or re-run the migration with
> --group-overwrite-gid.
>
> I also updated the Password option not to ask user for LDAP password
> twice, because it makes me really mad :-)
>
> Martin

# ipa migrate-ds ldap://panther.greyoak.com --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --user-ignore-objectclass=radiusprofile
Password:
ipa: ERROR: an internal error has occurred

[Thu Oct 06 21:28:49 2011] [error] ipa: ERROR: non-public: TypeError: _post_migrate_user() got an unexpected keyword argument 'options'
[Thu Oct 06 21:28:49 2011] [error] Traceback (most recent call last):
[Thu Oct 06 21:28:49 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in wsgi_execute
[Thu Oct 06 21:28:49 2011] [error]     result = self.Command[name](*args, **options)
[Thu Oct 06 21:28:49 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
[Thu Oct 06 21:28:49 2011] [error]     ret = self.run(*args, **options)
[Thu Oct 06 21:28:49 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
[Thu Oct 06 21:28:49 2011] [error]     return self.execute(*args, **options)
[Thu Oct 06 21:28:49 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 633, in execute
[Thu Oct 06 21:28:49 2011] [error]     ldap, config, ds_ldap, ds_base_dn, options
[Thu Oct 06 21:28:49 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 602, in migrate
[Thu Oct 06 21:28:49 2011] [error]     options = options,
[Thu Oct 06 21:28:49 2011] [error] TypeError: _post_migrate_user() got an unexpected keyword argument 'options'

rob
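
The GID collision discussed in this thread, sketched as a dry-run check that writes nothing (an added example, not code from the FreeIPA patch or from either poster). The function name plan_group_migration, the "engineers" group, the user names and all GID values are constructed for illustration.

```python
# Added illustration; not FreeIPA code. All names and sample data are constructed.

def plan_group_migration(source_groups, target_groups, source_users,
                         overwrite_gid=False):
    """Simulate migrating groups without writing any entries.

    source_groups / target_groups: dict of group name -> gidNumber
    source_users: dict of uid -> primary gidNumber on the source server
    Returns (resulting target groups, collisions, users with a dangling GID).
    """
    result = dict(target_groups)
    collisions = []
    for name, gid in sorted(source_groups.items()):
        if name not in result:
            result[name] = gid            # new group keeps its source GID
        elif result[name] != gid:
            # Same name already exists on the target with a different GID.
            collisions.append((name, gid, result[name]))
            if overwrite_gid:
                result[name] = gid        # behaviour described for --group-overwrite-gid
    known_gids = set(result.values())
    # Users whose primary GID matches no group after the migration.
    dangling = sorted(uid for uid, gid in source_users.items()
                      if gid not in known_gids)
    return result, collisions, dangling


# Constructed sample data: two predefined groups collide, one group is new.
SOURCE_GROUPS = {"admins": 1001, "ipausers": 1002, "engineers": 1050}
TARGET_GROUPS = {"admins": 827600000, "ipausers": 827600001}
SOURCE_USERS = {"alice": 1001, "bob": 1002, "carol": 1050}

if __name__ == "__main__":
    for flag in (False, True):
        _, collisions, dangling = plan_group_migration(
            SOURCE_GROUPS, TARGET_GROUPS, SOURCE_USERS, overwrite_gid=flag)
        print("overwrite_gid=%s" % flag)
        for name, src_gid, dst_gid in collisions:
            print("  collision: %s source GID %d, target GID %d"
                  % (name, src_gid, dst_gid))
        print("  users left with an unknown primary group: %s" % dangling)
```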



