Migration warning when compat enabled

Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--with-compat'. '--with-compat' is new flag. If it is set, the compat status is ignored. https://fedorahosted.org/freeipa/ticket/2274
author: Ondrej Hamada <ohamada@redhat.com> 2012-03-01 11:41:53 +0100
committer: Rob Crittenden <rcritten@redhat.com> 2012-02-29 18:30:03 -0500
commit: 73249140fce64e56ddf5cd70441804a627b0cc34 (patch)
tree: 7b10ac3973dd1e3f228798774ff0fc7f818d4d7a /ipalib/plugins/migration.py
parent: 0099ccbea829203a14013255aa0a4058d4d58a36 (diff)
download: freeipa-73249140fce64e56ddf5cd70441804a627b0cc34.tar.gz
freeipa-73249140fce64e56ddf5cd70441804a627b0cc34.tar.xz
freeipa-73249140fce64e56ddf5cd70441804a627b0cc34.zip
1 files changed, 28 insertions, 2 deletions
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 82100ee35..a3baf97fe 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and
 RFC2307bis. RFC2307bis uses member and uniquemember to specify group
 members, RFC2307 uses memberUid. The default schema is RFC2307bis.
 
+The schema compat feature allows IPA to reformat data for systems that
+do not support RFC2307bis. It is recommended that this feature is disabled
+during migration to reduce system overhead. It can be re-enabled after
+migration. To migrate with it enabled use the "--with-compat" option.
+
 Migrated users do not have Kerberos credentials, they have only their
 LDAP password. To complete the migration process, users need to go
 to http://ipa.example.com/ipa/migration and authenticate using their
@@ -107,6 +112,8 @@ _dn_err_msg = _('Malformed DN')
 
 _supported_schemas = (u'RFC2307bis', u'RFC2307')
 
+_compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config"
+
 
 def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
     attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
@@ -445,6 +452,12 @@ class migrate_ds(Command):
             label=_('Base DN'),
             doc=_('Base DN on remote LDAP server'),
         ),
+        Flag('compat?',
+            cli_name='with_compat',
+            label=_('Ignore compat plugin'),
+            doc=_('Allows migration despite the usage of compat plugin'),
+            default=False,
+        ),
     )
 
     has_output = (
@@ -460,6 +473,10 @@ class migrate_ds(Command):
             type=bool,
             doc=_('False if migration mode was disabled.'),
         ),
+        output.Output('compat',
+            type=bool,
+            doc=_('False if migration fails because the compatibility plug-in is enabled.'),
+        ),
     )
 
     exclude_doc = _('comma-separated list of %s to exclude from migration')
@@ -645,12 +662,18 @@ can use their Kerberos accounts.''')
 
         # check if migration mode is enabled
         if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
-            return dict(result={}, failed={}, enabled=False)
+            return dict(result={}, failed={}, enabled=False, compat=True)
 
         # connect to DS
         ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
         ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
 
+        #check whether the compat plugin is enabled
+        if not options.get('compat'):
+            (dn,check_compat) = ds_ldap.get_entry(_compat_dn, normalize=False)
+            if check_compat is not None and check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
+                return dict(result={},failed={},enabled=True, compat=False)
+
         if not ds_base_dn:
             # retrieve base DN from remote LDAP server
             (entries, truncated) = ds_ldap.find_entries(
@@ -670,13 +693,16 @@ can use their Kerberos accounts.''')
             ldap, config, ds_ldap, ds_base_dn, options
         )
 
-        return dict(result=migrated, failed=failed, enabled=True)
+        return dict(result=migrated, failed=failed, enabled=True, compat=True)
 
     def output_for_cli(self, textui, result, ldapuri, bindpw, **options):
         textui.print_name(self.name)
         if not result['enabled']:
             textui.print_plain(self.migration_disabled_msg)
             return 1
+        if not result['compat']:
+            textui.print_plain("The compat plug-in is enabled. This can increase the memory requirements during migration. Disable the compat plug-in with \'ipa-compat-manage disable\' or re-run this script with \'--with-compat\' option.")
+            return 1
         textui.print_plain('Migrated:')
         textui.print_entry1(
             result['result'], attr_order=self.migrate_order,
author	Ondrej Hamada <ohamada@redhat.com>	2012-03-01 11:41:53 +0100
committer	Rob Crittenden <rcritten@redhat.com>	2012-02-29 18:30:03 -0500
commit	73249140fce64e56ddf5cd70441804a627b0cc34 (patch)
tree	7b10ac3973dd1e3f228798774ff0fc7f818d4d7a /ipalib/plugins/migration.py
parent	0099ccbea829203a14013255aa0a4058d4d58a36 (diff)
download	freeipa-73249140fce64e56ddf5cd70441804a627b0cc34.tar.gz freeipa-73249140fce64e56ddf5cd70441804a627b0cc34.tar.xz freeipa-73249140fce64e56ddf5cd70441804a627b0cc34.zip