author | John Dennis <jdennis@redhat.com> | 2012-04-16 08:33:26 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-04-16 08:35:03 +0200 |
commit | d317c2a0d1114cb0c53c9a333538f579624e4a9b (patch) | |
tree | b7a25b9ce35a8ad4ff3e0cf3c6f0efda3e391a37 | |
parent | 98e662b96f4e533693465131675ae01f777bde4e (diff) | |
Validate DN & RDN parameters for migrate command
Ticket #2555
We were generating a traceback (server error) if a malformed RDN was
passed as a parameter to the migrate command.
* add parameter validation functions validate_dn_param() and
validate_rdn_param() to ipalib.util. Those functions simply invoke
the DN or RDN constructor from our dn module passing it the string
representation. If the constructor does not throw an error it's
valid.
* Add the parameter validation function pointers to the Param objects
in the migrate command.
* Make the usercontainer and groupcontainer parameters required.
passing --usercontainer= on the command line will produce
ipa: ERROR: 'user_container' is required
* Fix _get_search_bases() so if a container dn is empty it just
uses the base dn alone instead of faulting (currently
bullet-proofing because now the containers are required).
* Update the doc for usercontainer and groupcontainer to reflect the
fact they are DN's not RDN's. A RDN can only be one level and it
should be possible to have a container more than one RDN removed
from the base.
-rw-r--r-- | API.txt | 4 | ||||
-rw-r--r-- | ipalib/plugins/migration.py | 20 | ||||
-rw-r--r-- | ipalib/util.py | 15 |
3 files changed, 29 insertions, 10 deletions
@@ -1900,8 +1900,8 @@ args: 2,16,4
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
-option: Str('usercontainer?', autofill=True, cli_name='user_container', default=u'ou=people')
-option: Str('groupcontainer?', autofill=True, cli_name='group_container', default=u'ou=groups')
+option: Str('usercontainer', autofill=True, cli_name='user_container', default=u'ou=people')
+option: Str('groupcontainer', autofill=True, cli_name='group_container', default=u'ou=groups')
 option: Str('userobjectclass*', autofill=True, cli_name='user_objectclass', csv=True, default=(u'person',))
 option: Str('groupobjectclass*', autofill=True, cli_name='group_objectclass', csv=True, default=(u'groupOfUniqueNames', u'groupOfNames'))
 option: Str('userignoreobjectclass*', autofill=True, cli_name='user_ignore_objectclass', csv=True, default=())
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 873ff4c4a..89076f64d 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -23,6 +23,7 @@ import ldap as _ldap
 from ipalib import api, errors, output
 from ipalib import Command, Password, Str, Flag, StrEnum
 from ipalib.cli import to_cli
+from ipalib.util import validate_dn_param
 from ipalib.dn import *
 from ipalib.plugins.user import NO_UPG_MAGIC
 if api.env.in_server and api.env.context in ['lite', 'server']: 
@@ -418,23 +419,23 @@ class migrate_ds(Command):
 )
 takes_options = (
- Str('binddn?',
+ Str('binddn?', validate_dn_param,
 cli_name='bind_dn',
 label=_('Bind DN'),
 default=u'cn=directory manager',
 autofill=True,
 ),
- Str('usercontainer?',
+ Str('usercontainer', validate_dn_param,
 cli_name='user_container',
 label=_('User container'),
- doc=_('RDN of container for users in DS relative to base DN'),
+ doc=_('DN of container for users in DS relative to base DN'),
 default=u'ou=people',
 autofill=True,
 ),
- Str('groupcontainer?',
+ Str('groupcontainer', validate_dn_param,
 cli_name='group_container',
 label=_('Group container'),
- doc=_('RDN of container for groups in DS relative to base DN'),
+ doc=_('DN of container for groups in DS relative to base DN'),
 default=u'ou=groups',
 autofill=True,
 ),
@@ -589,9 +590,12 @@ can use their Kerberos accounts.''')
 def _get_search_bases(self, options, ds_base_dn, migrate_order):
 search_bases = dict()
 for ldap_obj_name in migrate_order:
- search_bases[ldap_obj_name] = '%s,%s' % (
- options['%scontainer' % to_cli(ldap_obj_name)], ds_base_dn
- )
+ container = options.get('%scontainer' % to_cli(ldap_obj_name))
+ if container:
+ search_base = str(DN(container, ds_base_dn))
+ else:
+ search_base = ds_base_dn
+ search_bases[ldap_obj_name] = search_base
 return search_bases
 def migrate(self, ldap, config, ds_ldap, ds_base_dn, options):
diff --git a/ipalib/util.py b/ipalib/util.py
index a79f41cc3..659e178df 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -31,6 +31,7 @@ from weakref import WeakKeyDictionary
 from ipalib import errors
 from ipalib.text import _
+from ipalib.dn import DN, RDN
 from ipapython import dnsclient
 from ipapython.ipautil import decode_ssh_pubkey 
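Review bot: In the `_get_search_bases` hunk the new `else` branch silently replaces an empty container with the bare `ds_base_dn`, so the migration would search from the base DN itself instead of one container and could pick up entries the operator never meant to import. Because this commit makes both container options required, the branch is only reachable when parameter validation is bypassed; say so in place with a comment such as `# empty container: fall back to the base DN, which widens the search`, and consider logging when it is taken. `DN(container, ds_base_dn)` also parses `ds_base_dn`, whose origin is outside this hunk, so a malformed base DN would presumably still surface here as an exception rather than as a validation error.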
@@ -484,3 +485,17 @@ def gen_dns_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
 policy += ";"
 return policy
+
+def validate_rdn_param(ugettext, value):
+ try:
+ rdn = RDN(value)
+ except Exception, e:
+ return str(e)
+ return None
+
+def validate_dn_param(ugettext, value):
+ try:
+ rdn = DN(value)
+ except Exception, e:
+ return str(e)
+ return None |
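Review bot: Both new validators catch bare `Exception` and return `str(e)`, so any failure inside the `DN`/`RDN` constructor, including a programming error such as a wrong argument type, is reported to the caller as if the input were malformed. The raw exception text is also sent back untranslated, since `ugettext` is accepted but never used. Narrow the `except` to the error the constructors raise for a malformed string (not visible in this hunk) and wrap the message, for example `return ugettext('malformed DN: %s') % e`. The local in `validate_dn_param` is named `rdn` although it holds a `DN`, and neither function reads it, so calling the constructor without binding the result would be clearer. Each function should carry a one-line docstring stating the contract: `None` when the value parses, an error string otherwise.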