Fix migration for openldap DS

openldap server does not store its schema in cn=schema entry, but
rather in cn=subschema. Add a fallback to ldap2 plugin to read from
this entry when cn=schema is not found. ldap2 plugin uses the schema
when doing some of the automatic encoding, like an automatic
encoding of DN object.

IPA migration plugin DN attribute processing is now also more
tolerant when it finds that some DN attribute was not autoencoded.
It tries to convert it to DN on its own and report a warning and
continue with user processing when the conversion fails instead of
crashing with AssertionError and thus abandoning the whole
migration run.

https://fedorahosted.org/freeipa/ticket/3372

1 files changed, 9 insertions, 2 deletions

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 8e8e1604f..731df1aa4 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -218,8 +218,15 @@ class SchemaCache(object):
                     conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
                 conn.sasl_interactive_bind_s(None, SASL_AUTH)
 
-            schema_entry = conn.search_s('cn=schema', _ldap.SCOPE_BASE,
-                                         attrlist=['attributetypes', 'objectclasses'])[0]
+            try:
+                schema_entry = conn.search_s('cn=schema', _ldap.SCOPE_BASE,
+                    attrlist=['attributetypes', 'objectclasses'])[0]
+            except _ldap.NO_SUCH_OBJECT:
+                # try different location for schema
+                # openldap has schema located in cn=subschema
+                self.debug('cn=schema not found, fallback to cn=subschema')
+                schema_entry = conn.search_s('cn=subschema', _ldap.SCOPE_BASE,
+                    attrlist=['attributetypes', 'objectclasses'])[0]
             if not has_conn:
                 conn.unbind_s()
         except _ldap.SERVER_DOWN: