[Freeipa-devel] [PATCH] Make the migration plugin more configurable
Rob Crittenden
rcritten at redhat.com
Tue Dec 7 15:39:21 UTC 2010
Jakub Hrozek wrote:
> On Wed, Nov 24, 2010 at 04:54:19PM -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>>
>>> On 11/22/2010 04:21 PM, Jakub Hrozek wrote:
>>>> On 11/22/2010 04:16 PM, Jakub Hrozek wrote:
>>>>> The code handles it (I just ran a quick test with --schema=RFC2307bis).
>>>>
>>>>> It just iterates through all members of a group -- be it user member of
>>>>> group member, it's just a DN for the plugin.
>>>>
>>>>> Jakub
>>>>
>>>> Sorry, I found another bug in the plugin. I'll send a new patch shortly,
>>>> so please don't waste time reviewing this one.
>>>
>>> New patch is attached. It fixes two more bugs of the original plugin -
>>> determines whether a group member is a user or a nested group by
>>> checking the DN, not just the RDN attribute name and does not hardcode
>>> primary keys.
>>
>> Will this blow up in convert_members_rfc2307bis() if a member isn't
>> contained in the users and groups containers? Should there be a
>> failsafe to skip over things that don't match (along with
>> appropriate reporting)?
>
> It wouldn't blow up but add the original DN into the member attribute
> which is probably worse. Thanks for catching this. I modified the patch
> to log all migrated users and groups with info() and skip those that
> don't match any of the containers while logging these entries with
> error().
>
>> Or if one of users or groups search bases
>> isn't provided?
>>
>
> If one of them isn't provided, a default would be used.
>
>> It definitely doesn't like this:
>> # ipa migrate-ds --user-container=''
>> --group-container='cn=groups,cn=accounts' ldap://ds.example.com:389
>>
>> When passed the right set of options it does seem to do the right thing.
>>
>
> Sorry, but I don't quite understand the "--user-container=''" switch.
> Does it mean the users are rooted at the Base DN? Can you post the error
> or relevant log info? Please note that the default objectclass is
> person.

The empty user-container isn't related to this patch so ACK, pushed to
master.

The error I'm seeing in the Apache error log is:

[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] Traceback
(most recent call last):
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/share/ipa/wsgi.py", line 27, in application
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return
api.Backend.session(environ, start_response)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 142, in
__call__
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return
self.route(environ, start_response)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 154, in
route
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return
app(environ, start_response)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 234, in
__call__
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] response
= self.wsgi_execute(environ)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in
wsgi_execute
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] result =
self.Command[name](*args, **options)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] ret =
self.run(*args, **options)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, in run
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return
self.execute(*args, **options)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line
380, in execute
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] ldap,
config, ds_ldap, ds_base_dn, options
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line
300, in migrate
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]
search_filter, ['*'], search_base, ds_ldap.SCOPE_ONELEVEL#,
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 188, in new_f
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return
f(*new_args, **kwargs)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 199, in new_f
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return
args[0].decode(f(*args, **kwargs))
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 516,
in find_entries
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] base_dn =
self.normalize_dn(base_dn)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 343,
in normalize_dn
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] rdns =
explode_dn(dn)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib64/python2.6/site-packages/ldap/dn.py", line 79, in explode_dn
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] dn_decomp
= str2dn(dn,flags)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib64/python2.6/site-packages/ldap/dn.py", line 53, in str2dn
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return
ldap.functions._ldap_function_call(_ldap.str2dn,dn,flags)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File
"/usr/lib64/python2.6/site-packages/ldap/functions.py", line 57, in
_ldap_function_call
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] result =
func(*args,**kwargs)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] DECODING_ERROR
rob
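
The failsafe discussed in this thread, as an added example that is not part of the original messages and is not the FreeIPA migration plugin's code: group members are classified by their parent DN, anything outside both containers is skipped and logged with error(), and an empty container string is never passed to the DN parser on its own. The function names are hypothetical, and the example assumes single-valued RDNs, case-insensitive matching, members that are direct children of a container (as with the one-level search in the traceback), and that an empty container means the base DN.

```python
import logging
import re

log = logging.getLogger("migrate-example")

def split_dn(dn):
    """Split a DN into (attr, value) pairs; an escaped ',' does not split."""
    parts = re.findall(r"(?:\\.|[^,\\])+", dn)
    if not parts or ",".join(parts) != dn:
        raise ValueError("malformed DN %r" % dn)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r" % part)
        rdns.append((attr.strip(), value.strip()))
    return rdns

def fold(rdns):
    # Assumption: case-insensitive matching (holds for cn, uid, ou, dc).
    return [(a.lower(), v.lower()) for a, v in rdns]

def container_rdns(container, base_dn):
    # Assumption: an empty container means "directly under the base DN".
    # The empty string is never handed to the DN parser on its own.
    own = split_dn(container) if container.strip() else []
    return fold(own + split_dn(base_dn))

def convert_members(members, base_dn, user_container, group_container):
    """Sort member DNs into users and groups by parent DN; skip the rest."""
    users = container_rdns(user_container, base_dn)
    groups = container_rdns(group_container, base_dn)
    out = {"user": [], "group": [], "skipped": []}
    for dn in members:
        try:
            parsed = split_dn(dn)
        except ValueError as exc:
            log.error("skipping member %r: %s", dn, exc)
            out["skipped"].append(dn)
            continue
        parent = fold(parsed[1:])
        kind = "user" if parent == users else "group" if parent == groups else None
        if kind is None:
            log.error("skipping member %r: outside both containers", dn)
            out["skipped"].append(dn)
        else:
            log.info("migrating %s member %r", kind, dn)
            out[kind].append(parsed[0][1])   # primary key = first RDN's value
    return out
```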