[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled



On 02/27/2012 09:47 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:
On 02/21/2012 02:32 PM, Ondrej Hamada wrote:
On 02/20/2012 06:53 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:
https://fedorahosted.org/freeipa/ticket/2274

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--compat'.

'--compat' is just a flag, by default set to false. If it is set, the
compat check is skipped.


Interesting approach. I think this is probably good, preventing
migration when the compat plugin is enabled unless you specifically
decide to.

I think the option may need another name, maybe --with-compat or
something.

I think in the message we should use "enabled" instead of "on". That
is the language of ipa-compat-manage.

The migration help should have a discussion of why this is a problem
too, and what compat really is (provides a different view of the data
to be compatible with non RFC2703bis systems).

rob
corrected

Ondra



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel redhat com
https://www.redhat.com/mailman/listinfo/freeipa-devel
I forget to update the commit message about the change of flag name.
Corrected patch attached.


This works ok it just seems to be making an assumption on the client when to print this. I think a similar value like enabled needs to be created to explicitly say why we are returning.

rob
sorry for that, value created

Ondra

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: ohama jabbim cz
IRC: ohamada

From 06688d4f9f1950d0e83f85240acf0ff09df73175 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada <ohamada redhat com>
Date: Tue, 28 Feb 2012 13:41:36 +0100
Subject: [PATCH] Migration warning when compat enabled

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
---
 API.txt                     |    4 +++-
 VERSION                     |    2 +-
 ipalib/plugins/migration.py |   34 ++++++++++++++++++++++++++++++++--
 3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 548fc93d48128aab5cebd60dda7fd304b569785b..a44e391e2ab79cb566455defffff3299ed25714e 100644
--- a/API.txt
+++ b/API.txt
@@ -1893,7 +1893,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', <type 'unicode'>, None)
 command: migrate_ds
-args: 2,14,3
+args: 2,15,4
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
@@ -1908,11 +1908,13 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri
 option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False)
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307'))
 option: Flag('continue?', autofill=True, default=False)
+option: Flag('compat?', autofill=True, cli_name='with_compat', default=False)
 option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())
 option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=())
 output: Output('result', <type 'dict'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Output('enabled', <type 'bool'>, None)
+output: Output('compat', <type 'bool'>, None)
 command: netgroup_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index 523bde4a8ecdcac4c3a451c0e09ef75b156d7831..381e3088c0bcb0e64304a2ed1ad12bfe6be95c51 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=27
+IPA_API_VERSION_MINOR=28
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..ab4e523e5b505577f83be4f95724bd9a9a50f8b6 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and
 RFC2307bis. RFC2307bis uses member and uniquemember to specify group
 members, RFC2307 uses memberUid. The default schema is RFC2307bis.
 
+In order to use other schema than RFC2307bis the compatibility plug-in
+must be enabled. Migration with enabled compatibility plug-in causes
+a lot of overhead. Because of that it is disabled by default but it can
+be overridden by the '--with-compat' option.
+
 Migrated users do not have Kerberos credentials, they have only their
 LDAP password. To complete the migration process, users need to go
 to http://ipa.example.com/ipa/migration and authenticate using their
@@ -67,6 +72,10 @@ EXAMPLES:
  The simplest migration, accepting all defaults:
    ipa migrate-ds ldap://ds.example.com:389
 
+ The simplest migration, accepting all defaults and ignoring the status
+ of compatibility plug-in:
+   ipa migrate-ds --with-compat ldap://ds.example.com:389
+
  Specify the user and group container. This can be used to migrate user
  and group data from an IPA v1 server:
    ipa migrate-ds --user-container='cn=users,cn=accounts' \\
@@ -103,6 +112,8 @@ _dn_err_msg = _('Malformed DN')
 
 _supported_schemas = (u'RFC2307bis', u'RFC2307')
 
+_compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config"
+
 
 def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
     attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
@@ -431,6 +442,12 @@ class migrate_ds(Command):
             doc=_('Continuous operation mode. Errors are reported but the process continues'),
             default=False,
         ),
+        Flag('compat?',
+            cli_name='with_compat',
+            label=_('Ignore compat plugin'),
+            doc=_('Allows migration despite the usage of compat plugin'),
+            default=False,
+        ),
     )
 
     has_output = (
@@ -446,6 +463,10 @@ class migrate_ds(Command):
             type=bool,
             doc=_('False if migration mode was disabled.'),
         ),
+        output.Output('compat',
+            type=bool,
+            doc=_('False if compatibility plug-in and checking of its status is enabled.'),
+        ),
     )
 
     exclude_doc = _('comma-separated list of %s to exclude from migration')
@@ -629,12 +650,18 @@ can use their Kerberos accounts.''')
 
         # check if migration mode is enabled
         if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
-            return dict(result={}, failed={}, enabled=False)
+            return dict(result={}, failed={}, enabled=False, compat=False)
 
         # connect to DS
         ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
         ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
 
+        #check whether the compat plugin is enabled
+        if not options.get('compat'):
+            (dn,check_compat) = ds_ldap.get_entry(_compat_dn, normalize=False)
+            if check_compat is not None and check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
+                return dict(result={},failed={},enabled=True, compat=False)
+
         # retrieve DS base DN
         (entries, truncated) = ds_ldap.find_entries(
             '', ['namingcontexts'], '', ds_ldap.SCOPE_BASE,
@@ -650,13 +677,16 @@ can use their Kerberos accounts.''')
             ldap, config, ds_ldap, ds_base_dn, options
         )
 
-        return dict(result=migrated, failed=failed, enabled=True)
+        return dict(result=migrated, failed=failed, enabled=True, compat=True)
 
     def output_for_cli(self, textui, result, ldapuri, bindpw, **options):
         textui.print_name(self.name)
         if not result['enabled']:
             textui.print_plain(self.migration_disabled_msg)
             return 1
+        if not result['compat']:
+            textui.print_plain("Compatibility plug-in is enabled. This might cause troubles during migration. Disable the compat plug-in or run this script with \'--with-compat\' option.")
+            return 1
         textui.print_plain('Migrated:')
         textui.print_entry1(
             result['result'], attr_order=self.migrate_order,
-- 
1.7.6.5


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]