
Re: [Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled

On 02/20/2012 06:53 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--compat'.

'--compat' is just a flag, by default set to false. If it is set, the
compat check is skipped.

Interesting approach. I think this is probably good, preventing migration when the compat plugin is enabled unless you specifically decide to.

I think the option may need another name, maybe --with-compat or something.

I think in the message we should use "enabled" instead of "on". That is the language of ipa-compat-manage.

The migration help should have a discussion of why this is a problem too, and what compat really is (provides a different view of the data to be compatible with non RFC2307bis systems).




Ondrej Hamada
FreeIPA team
jabber: ohama jabbim cz
IRC: ohamada

From b4c368fc1c404c4a520c814f10d522b5b8e909aa Mon Sep 17 00:00:00 2001
From: Ondrej Hamada <ohamada redhat com>
Date: Tue, 21 Feb 2012 11:13:38 +0100
Subject: [PATCH] Migration warning when compat enabled

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--compat'.

'--compat' is a new flag. If it is set, the compat status is ignored.

 API.txt                     |    3 ++-
 VERSION                     |    2 +-
 ipalib/plugins/migration.py |   26 ++++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/API.txt b/API.txt
index 66713317c9b11057f12676c2afc7bc36d0ca3969..9eec33d4597cb96af870088eb827e39973d66fb6 100644
--- a/API.txt
+++ b/API.txt
@@ -1925,7 +1925,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', <type 'unicode'>, None)
 command: migrate_ds
-args: 2,14,3
+args: 2,15,3
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
@@ -1940,6 +1940,7 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri
 option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False)
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307'))
 option: Flag('continue?', autofill=True, default=False)
+option: Flag('compat?', autofill=True, cli_name='with_compat', default=False)
 option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())
 option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=())
 output: Output('result', <type 'dict'>, None)
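Review bot: the added option line registers the flag as 'compat?' with cli_name='with_compat', so the switch users actually type is --with-compat, while the commit message still calls it '--compat' in both paragraphs. Update the commit message to the final option name so the log agrees with API.txt and the help text.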
diff --git a/VERSION b/VERSION
index eba6b75cdd57e8ee4024b4e6aa2960022007bd0e..523bde4a8ecdcac4c3a451c0e09ef75b156d7831 100644
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..a31fff8597d856cbf67825f6ed990cb9f16725a6 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and
 RFC2307bis. RFC2307bis uses member and uniquemember to specify group
 members, RFC2307 uses memberUid. The default schema is RFC2307bis.
+In order to use other schema than RFC2307bis the compatibility plug-in
+must be enabled. Migration with enabled compatibility plug-in causes
+a lot of overhead. Because of that it is disabled by default but it can
+be overridden by the '--with-compat' option.
 Migrated users do not have Kerberos credentials, they have only their
 LDAP password. To complete the migration process, users need to go
 to http://ipa.example.com/ipa/migration and authenticate using their
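Review bot: in the added help paragraph, "it is disabled by default" has no clear antecedent and can be read as the plug-in being disabled rather than migration being refused while the plug-in is enabled. Say directly that migrate-ds stops when the compatibility plug-in is enabled unless --with-compat is given, and add a sentence on what the plug-in provides, as requested in review, because "a lot of overhead" alone does not tell an administrator why the check exists.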
@@ -67,6 +72,10 @@ EXAMPLES:
  The simplest migration, accepting all defaults:
    ipa migrate-ds ldap://ds.example.com:389
+ The simplest migration, accepting all defaults and ignoring the status
+ of compatibility plug-in:
+   ipa migrate-ds --with-compat ldap://ds.example.com:389
  Specify the user and group container. This can be used to migrate user
  and group data from an IPA v1 server:
    ipa migrate-ds --user-container='cn=users,cn=accounts' \\
@@ -94,6 +103,8 @@ EXAMPLES:
+compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config"
 _krb_err_msg = _('Kerberos principal %s already exists. Use \'ipa user-mod\' to set it manually.')
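Review bot: compat_dn is introduced as a public module-level name directly above _krb_err_msg, which uses a leading underscore for a module-private value. Rename it to _compat_dn for consistency, and add a one-line comment saying it is the plug-in's configuration entry under cn=config.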
@@ -431,6 +442,12 @@ class migrate_ds(Command):
             doc=_('Continuous operation mode. Errors are reported but the process continues'),
+        Flag('compat?',
+            cli_name='with_compat',
+            label=_('Ignore compat plugin'),
+            doc=_('Allows migration despite the usage of compat plugin'),
+            default=False,
+        ),
     has_output = (
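Review bot: the parameter is named 'compat?' but its label is 'Ignore compat plugin', so a true value means "skip the check", which the bare name does not convey to anyone reading options.get('compat') later. Either rename the parameter to match its meaning or make the doc string explicit, for example that migration proceeds even when the compat plug-in is enabled; "enabled" is also the wording asked for in review instead of "usage of".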
@@ -635,6 +652,12 @@ can use their Kerberos accounts.''')
         ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
         ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+        #check whether the compat plugin is enabled
+        if not options.get('compat'):
+            (dn,check_compat) = ds_ldap.get_entry(compat_dn, normalize=False)
+            if check_compat is not None and check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
+                return dict(result={},failed={},enabled=True)
         # retrieve DS base DN
         (entries, truncated) = ds_ldap.find_entries(
             '', ['namingcontexts'], '', ds_ldap.SCOPE_BASE,
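Review bot: the compat lookup is issued on ds_ldap, which the context lines show is connected to ldapuri with the bind DN and password of the server being migrated from, so it reads cn=Schema Compatibility,cn=plugins,cn=config on the source directory and not on the IPA server that receives the data. If the intent is to detect the local plug-in, the query has to go through the local IPA LDAP connection instead. The "check_compat is not None" test also assumes get_entry returns None for a missing entry; if it raises instead, a server without that entry aborts the migration with an unrelated error, so handle that case explicitly.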
@@ -657,6 +680,9 @@ can use their Kerberos accounts.''')
         if not result['enabled']:
             return 1
+        if not result['result'] and not result['failed']:
+            textui.print_plain("Compatibility plug-in is enabled. This might cause troubles during migration. Disable the compat plug-in or run this script with \'--with-compat\' option.")
+            return 1
             result['result'], attr_order=self.migrate_order,
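Review bot: the condition "not result['result'] and not result['failed']" recognises the compat case only by both dictionaries being empty, which a run that migrated nothing and failed on nothing would presumably also produce, and that user would then be told to disable a plug-in that may not be enabled at all. Have the server side return an explicit marker (for example a dedicated key in the returned dict) and test for that here. The message is also a bare string passed to textui.print_plain, unlike _krb_err_msg which is wrapped in _(); wrap it so it can be translated, and use "enabled" consistently as asked in review.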
