From d317c2a0d1114cb0c53c9a333538f579624e4a9b Mon Sep 17 00:00:00 2001 From: John Dennis Date: Mon, 16 Apr 2012 08:33:26 +0200 Subject: Validate DN & RDN parameters for migrate command Ticket #2555 We were generating a traceback (server error) if a malformed RDN was passed as a parameter to the migrate command. * add parameter validation functions validate_dn_param() and validate_rdn_param() to ipalib.util. Those functions simply invoke the DN or RDN constructor from our dn module passing it the string representation. If the constructor does not throw an error it's valid. * Add the parameter validation function pointers to the Param objects in the migrate command. * Make the usercontainer and groupcontainer parameters required. passing --usercontainer= on the command line will produce ipa: ERROR: 'user_container' is required * Fix _get_search_bases() so if a container dn is empty it it just uses the base dn alone instead of faulting (currently bullet-proofing because now the containers are required). * Update the doc for usercontainer and groupcontainer to reflect the fact they are DN's not RDN's. A RDN can only be one level and it should be possible to have a container more than one RDN removed from the base. --- ipalib/plugins/migration.py | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'ipalib/plugins/migration.py')
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 873ff4c4a..89076f64d 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -23,6 +23,7 @@ import ldap as _ldap
 from ipalib import api, errors, output
 from ipalib import Command, Password, Str, Flag, StrEnum
 from ipalib.cli import to_cli
+from ipalib.util import validate_dn_param
 from ipalib.dn import *
 from ipalib.plugins.user import NO_UPG_MAGIC
 if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -418,23 +419,23 @@ class migrate_ds(Command): ) takes_options = ( - Str('binddn?', + Str('binddn?', validate_dn_param, cli_name='bind_dn', label=_('Bind DN'), default=u'cn=directory manager', autofill=True, ), - Str('usercontainer?', + Str('usercontainer', validate_dn_param, cli_name='user_container', label=_('User container'), - doc=_('RDN of container for users in DS relative to base DN'), + doc=_('DN of container for users in DS relative to base DN'), default=u'ou=people', autofill=True, ), - Str('groupcontainer?', + Str('groupcontainer', validate_dn_param, cli_name='group_container', label=_('Group container'), - doc=_('RDN of container for groups in DS relative to base DN'), + doc=_('DN of container for groups in DS relative to base DN'), default=u'ou=groups', autofill=True, ), @@ -589,9 +590,12 @@ can use their Kerberos accounts.''') def _get_search_bases(self, options, ds_base_dn, migrate_order): search_bases = dict() for ldap_obj_name in migrate_order: - search_bases[ldap_obj_name] = '%s,%s' % ( - options['%scontainer' % to_cli(ldap_obj_name)], ds_base_dn - ) + container = options.get('%scontainer' % to_cli(ldap_obj_name)) + if container: + search_base = str(DN(container, ds_base_dn)) + else: + search_base = ds_base_dn + search_bases[ldap_obj_name] = search_base return search_bases def migrate(self, ldap, config, ds_ldap, ds_base_dn, options): -- cgit
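Review bot: The new help text for `usercontainer` and `groupcontainer` calls the value a DN but does not tell the user to leave the base DN off, and `validate_dn_param` (defined outside this page; per the commit message it only runs the DN constructor) will accept any syntactically valid DN. Since `_get_search_bases` appends `ds_base_dn` to the container, a full DN passed here would presumably yield a search base with the base DN repeated, pointing at an entry that does not exist. Consider wording such as `doc=_('DN of container for users in DS, relative to base DN (do not include the base DN)')`, and the same for the group option.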
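Review bot: `DN(container, ds_base_dn)` in `_get_search_bases` parses `ds_base_dn` as well as the container, but only the container has been through `validate_dn_param`; nothing in this diff shows the base DN being checked. If that value can reach this point unvalidated (from a user option or from the remote directory), a malformed base DN would make the DN constructor throw here and bring back the server-error traceback this commit is meant to remove. Either attach `validate_dn_param` to the option that supplies the base DN (not visible in these hunks) or catch the constructor's error here and report it as a validation error. The `else` branch also returns `ds_base_dn` untouched while the other branch returns a string that has passed through `DN`, so `search_base = str(DN(ds_base_dn))` would keep the two representations consistent.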