[Freeipa-devel] [PATCH] 993 disable UPG for migration
Martin Kosek
mkosek at redhat.com
Fri Mar 23 09:12:27 UTC 2012
On Thu, 2012-03-22 at 15:21 -0400, Rob Crittenden wrote:
> We don't want to create private groups automatically for migrated users,
> there could be namespace overlap (and race conditions prevent us from
> trying to check in advance).
>
> Check the sanity of groups in general, warn if the group for the
> gidnumber doesn't exist at least on the remote server.
>
> Fill in the user's shell as well.
>
> This will migrate users that are non-POSIX on the remote server.
>
> rob
This patch fixes the problem of creating UPGs for migrated users, but
there are several parts which confused me.
1) Confusing defaults
+ if 'def_group_gid' in ctx:
+ entry_attrs.setdefault('gidnumber', ctx['def_group_gid'])
This statement seems redundant, because the account either is posix and
has both uidnumber and gidnumber or it is non-posix and does not have
any.
Now, we don't touch gidNumber for posix user, and non-posix users are
made posix with this statement:
+ # migrated user is not already POSIX, make it so
+ if 'uidnumber' not in entry_attrs:
+ entry_attrs['uidnumber'] = entry_attrs['gidnumber'] = [999]
2) Missing UPG
When UPG is disabled, the following statement will result in a user with
a GID pointing to non-existent group.
+ # migrated user is not already POSIX, make it so
+ if 'uidnumber' not in entry_attrs:
+ entry_attrs['uidnumber'] = entry_attrs['gidnumber'] = [999]
We may want to run ldap.has_upg() and report a add this user to "failed
users" with appropriate error.
3) Check for GID
The patch implements a check if a group with the gidNumber exists on a
remote LDAP server and the result is a warning:
- (g_dn, g_attrs) = ldap.get_entry(ctx['def_group_dn'], ['gidnumber'])
+ (remote_dn, remote_entry) = ds_ldap.find_entry_by_attr(
+ 'gidnumber', entry_attrs['gidnumber'][0], 'posixgroup', [''],
+ search_bases['group']
+ )
I have few (minor-ish) questions there:
a) Is the warning in a apache log enough? Maybe it should be included in
migrate-ds output.
b) This will be a one more remote LDAP call for every user, we may want
to optimize it with something like that:
valid_gids = []
if user.gidnumber not in valid_gids:
run the check in remote LDAP
valid_gids.append(user.gidnumber)
That would save us 999 LDAP queries for 1000 migrated with the same
primary group.
4) Extraneous Warning:
When non-posix user is migrated and thus we make it a posix user, we
still produce a warning for non-existent group:
[Fri Mar 23 04:21:36 2012] [error] ipa: WARNING: Migrated user's GID
number 999 does not point to a known group.
5) Extraneous LDAP call
Isn't the following call to LDAP to get a description redundant? We
already have the description in entry_attrs.
+ (dn, desc_attr) = ldap.get_entry(dn, ['description'])
+ entry_attrs.update(desc_attr)
+ if 'description' in entry_attrs and NO_UPG_MAGIC in
entry_attrs['description']:
Martin
More information about the Freeipa-devel
mailing list