[Freeipa-devel] [PATCH] Make the migration plugin more configurable

Rob Crittenden rcritten at redhat.com
Tue Dec 7 15:39:21 UTC 2010


Jakub Hrozek wrote:
> On Wed, Nov 24, 2010 at 04:54:19PM -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 11/22/2010 04:21 PM, Jakub Hrozek wrote:
>>>> On 11/22/2010 04:16 PM, Jakub Hrozek wrote:
>>>>> The code handles it (I just ran a quick test with --schema=RFC2307bis).
>>>>
>>>>> It just iterates through all members of a group -- be it user member or
>>>>> group member, it's just a DN for the plugin.
>>>>
>>>>> 	Jakub
>>>>
>>>> Sorry, I found another bug in the plugin. I'll send a new patch shortly,
>>>> so please don't waste time reviewing this one.
>>>
>>> New patch is attached. It fixes two more bugs of the original plugin -
>>> determines whether a group member is a user or a nested group by
>>> checking the DN, not just the RDN attribute name and does not hardcode
>>> primary keys.
>>
>> Will this blow up in convert_members_rfc2307bis() if a member isn't
>> contained in the users and groups containers? Should there be a
>> failsafe to skip over things that don't match (along with
>> appropriate reporting)?
>
> It wouldn't blow up but add the original DN into the member attribute
> which is probably worse. Thanks for catching this. I modified the patch
> to log all migrated users and groups with info() and skip those that
> don't match any of the containers while logging these entries with
> error().
>
>> Or if one of users or groups search bases
>> isn't provided?
>>
>
> If one of them isn't provided, a default would be used.
>
>> It definitely doesn't like this:
>> # ipa migrate-ds --user-container=''
>> --group-container='cn=groups,cn=accounts' ldap://ds.example.com:389
>>
>> When passed the right set of options it does seem to do the right thing.
>>
>
> Sorry, but I don't quite understand the "--user-container=''" switch.
> Does it mean the users are rooted at the Base DN? Can you post the error
> or relevant log info? Please note that the default objectclass is
> person.

The empty user-container isn't related to this patch so ACK, pushed to 
master.

The error I'm seeing in the Apache error log is:


[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] Traceback (most recent call last):
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/share/ipa/wsgi.py", line 27, in application
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     return api.Backend.session(environ, start_response)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 142, in __call__
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     return self.route(environ, start_response)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 154, in route
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     return app(environ, start_response)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 234, in __call__
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     response = self.wsgi_execute(environ)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in wsgi_execute
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     result = self.Command[name](*args, **options)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     ret = self.run(*args, **options)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, in run
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     return self.execute(*args, **options)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 380, in execute
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     ldap, config, ds_ldap, ds_base_dn, options
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 300, in migrate
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     search_filter, ['*'], search_base, ds_ldap.SCOPE_ONELEVEL#,
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 188, in new_f
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     return f(*new_args, **kwargs)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 199, in new_f
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     return args[0].decode(f(*args, **kwargs))
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 516, in find_entries
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     base_dn = self.normalize_dn(base_dn)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 343, in normalize_dn
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     rdns = explode_dn(dn)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib64/python2.6/site-packages/ldap/dn.py", line 79, in explode_dn
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     dn_decomp = str2dn(dn,flags)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib64/python2.6/site-packages/ldap/dn.py", line 53, in str2dn
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     return ldap.functions._ldap_function_call(_ldap.str2dn,dn,flags)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]   File "/usr/lib64/python2.6/site-packages/ldap/functions.py", line 57, in _ldap_function_call
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32]     result = func(*args,**kwargs)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] DECODING_ERROR

rob
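
The skip-and-report handling of group members discussed in this thread, sketched as an added example; it is not the FreeIPA patch or plugin code. The names split_dn and convert_members, the container values and the sample DNs are hypothetical, and rejecting an empty container up front is this example's own choice, since the thread leaves that case open.

```python
import logging

log = logging.getLogger("migration-example")

def split_dn(dn):
    """Split a DN into RDN strings; simplified (no quoted or hex forms)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(cur).strip())
    if any("=" not in r for r in rdns):
        raise ValueError("not a valid DN: %r" % dn)  # also rejects ''
    return rdns

def convert_members(members, base_dn, user_container, group_container,
                    new_user_base, new_group_base):
    """Re-root member DNs under the new containers; return (converted, skipped)."""
    base = split_dn(base_dn)
    # Containers are validated here, before any entry is processed.
    targets = {
        tuple(r.lower() for r in split_dn(user_container) + base): new_user_base,
        tuple(r.lower() for r in split_dn(group_container) + base): new_group_base,
    }
    converted, skipped = [], []
    for dn in members:
        try:
            rdns = split_dn(dn)
        except ValueError:
            rdns = []
        # One-level match: the member's parent DN must equal a container DN.
        new_base = targets.get(tuple(r.lower() for r in rdns[1:]))
        if new_base is None:
            log.error("skipping member outside known containers: %s", dn)
            skipped.append(dn)
            continue
        new_dn = "%s,%s" % (rdns[0], new_base)
        log.info("migrated member %s -> %s", dn, new_dn)
        converted.append(new_dn)
    return converted, skipped

# Constructed sample input (not taken from the thread).
SAMPLE = ["uid=alice,ou=People,dc=example,dc=com",
          "cn=admins, OU=Groups, dc=example,dc=com",
          "cn=printer,ou=Devices,dc=example,dc=com"]
```

With this shape, a member outside both containers ends up in the skipped list and the error log rather than being copied verbatim into the member attribute, and a malformed container fails with a clear message before any search is issued.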



