From 56d89d39cef552336deaa8852ae62fd88c270a9b Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 29 Sep 2011 11:55:13 +0200
Subject: migrate process cannot handle multivalued pkey attribute

When group/user is migrated, the attribute used for RDN may be
multivalued. Make sure that we pick the value used in the RDN
which should be the unique one and not just the first one.

https://fedorahosted.org/freeipa/ticket/1892
---
 ipalib/plugins/migration.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index f75612cef..93ac114d8 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -24,6 +24,7 @@ import ldap as _ldap
 from ipalib import api, errors, output
 from ipalib import Command, List, Password, Str, Flag, StrEnum
 from ipalib.cli import to_cli
+from ipalib.dn import *
 if api.env.in_server and api.env.context in ['lite', 'server']:
     try:
         from ipaserver.plugins.ldap2 import ldap2
@@ -77,6 +78,7 @@ EXAMPLES:
 _krb_err_msg = _('Kerberos principal %s already exists. Use \'ipa user-mod\' to set it manually.')
 _grp_err_msg = _('Failed to add user to the default group. Use \'ipa group-add-member\' to add manually.')
 _ref_err_msg = _('Migration of LDAP search reference is not supported.')
+_dn_err_msg = _('Malformed DN')
 
 _supported_schemas = (u'RFC2307bis', u'RFC2307')
 
@@ -496,7 +498,21 @@ can use their Kerberos accounts.''')
                     failed[ldap_obj_name][entry_attrs[0]] = unicode(_ref_err_msg)
                     continue
 
-                pkey = entry_attrs[ldap_obj.primary_key.name][0].lower()
+                try:
+                    dn = DN(dn)
+                except ValueError:
+                    failed[ldap_obj_name][dn] = unicode(_dn_err_msg)
+                    continue
+
+                ava = dn[0][0]
+                if ava.attr == ldap_obj.primary_key.name:
+                    # In case if pkey attribute is in the migrated object DN
+                    # and the original LDAP is multivalued, make sure that
+                    # we pick the correct value (the unique one stored in DN)
+                    pkey = ava.value.lower()
+                else:
+                    pkey = entry_attrs[ldap_obj.primary_key.name][0].lower()
+
                 if pkey in exclude:
                     continue
 
-- 
cgit