author | Tomas Babej <tbabej@redhat.com> | 2015-05-05 12:41:12 +0200 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2015-07-02 13:23:21 +0200 |
commit | e5fe79a0f427c117a6ecd8f7870cb43eb5be0c84 (patch) | |
tree | 5285481d1ef9665d634da802002900ceeb40a098 | |
parent | 199358112eb1fe2da61de42c207396646067cb87 (diff) | |
winsync_migrate: Migrate memberships of the winsynced users
https://fedorahosted.org/freeipa/ticket/4524
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r-- | ipaserver/install/ipa_winsync_migrate.py | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index cb62c7e11..bf03dce66 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -198,6 +198,56 @@ class WinsyncMigrate(admintool.AdminTool):
 return entries
+ def migrate_memberships(self, entry):
+ """
+ Migrates user memberships to the external identity.
+ """
+
+ def winsync_group_name(group_entry):
+ """
+ Returns the generated name of group containing migrated external users
+ """
+
+ return u"%s_winsync_external" % group_entry['cn'][0]
+
+ def create_winsync_group(group_entry):
+ """
+ Creates the group containing migrated external users that were
+ previously available via winsync.
+ """
+
+ name = winsync_group_name(group_entry)
+ api.Command['group_add'](name, external=True)
+ api.Command['group_add_member'](group_entry['cn'][0], group=[name])
+
+ # Search for all groups containing the given user as a direct member
+ member_filter = self.ldap.make_filter_from_attr('member', entry.dn)
+
+ try:
+ groups, _ = self.ldap.find_entries(member_filter,
+ base_dn=api.env.basedn)
+ except errors.EmptyResult:
+ # If there's nothing to migrate, then let's get out of here
+ return
+
+ # The external user cannot be added directly to the IPA groups, hence
+ # we need to wrap all the external users into one new external group,
+ # which will be then added to the original IPA group as a member.
+
+ for group in groups:
+ # Check for existence of winsync external group
+ name = winsync_group_name(group)
+ info = api.Command['group_show'](group['cn'][0])['result']
+
+ # If it was not created yet, do it now
+ if name not in info.get('member_group', []):
+ create_winsync_group(group)
+
+ # Add the user to the external group. Membership is migrated
+ # at this point.
+ user_identifier = u"%s@%s" % (entry['uid'][0], self.options.realm)
+ api.Command['group_add_member'](name, ipaexternalmember=[user_identifier])
+
 @classmethod
 def main(cls, argv):
 """
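Review bot: Neither `group_add_member` call in migrate_memberships looks at its return value, and the truncation flag from `find_entries` is discarded as `_`, so a membership that was not migrated goes unnoticed while the caller then deletes the winsync entry. As far as I know the IPA member commands report members they could not add in the result's `failed`/`completed` fields rather than raising; please confirm, and if so keep the result and stop for this user, e.g. `res = api.Command['group_add_member'](name, ipaexternalmember=[user_identifier])` followed by `if res['completed'] != 1: raise admintool.ScriptError(...)`. The member search is also rooted at `api.env.basedn` with only a `member` filter, so it may return non-group entries that `group_show` cannot resolve; restricting the search to the groups container would be worth considering.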
@@ -234,4 +284,5 @@ class WinsyncMigrate(admintool.AdminTool):
 entries = self.find_winsync_users()
 for entry in entries:
 self.create_id_user_override(entry)
+ self.migrate_memberships(entry)
 self.ldap.delete_entry(entry) |
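Review bot: The new call depends on running before `self.ldap.delete_entry(entry)`, because migrate_memberships finds the groups by searching for `entry.dn` in `member`, but nothing on the line says so. A short comment such as `# Must precede delete_entry: memberships are looked up by entry.dn` would keep a later reorder from silently dropping every group membership of the migrated user. The enclosing method starts above this hunk, so whether a failure in the new call is caught before the delete cannot be seen from these lines.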