summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTomas Babej <tbabej@redhat.com>2015-05-05 22:15:11 +0200
committerTomas Babej <tbabej@redhat.com>2015-07-02 13:23:21 +0200
commit8d30feb5391026a42a2f8da5df8d539311963b86 (patch)
tree04c3bb4dad68b21a95b23b825c48dadc8efc862d
parente5fe79a0f427c117a6ecd8f7870cb43eb5be0c84 (diff)
downloadfreeipa-8d30feb5391026a42a2f8da5df8d539311963b86.zip
freeipa-8d30feb5391026a42a2f8da5df8d539311963b86.tar.gz
freeipa-8d30feb5391026a42a2f8da5df8d539311963b86.tar.xz
winsync_migrate: Generalize membership migration
https://fedorahosted.org/freeipa/ticket/4943 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r--ipaserver/install/ipa_winsync_migrate.py99
1 files changed, 78 insertions, 21 deletions
diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index bf03dce..cbe0684 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -198,56 +198,110 @@ class WinsyncMigrate(admintool.AdminTool):
return entries
- def migrate_memberships(self, entry):
+ def migrate_memberships(self, user_entry, winsync_group_prefix,
+ object_membership_command,
+ object_info_command,
+ user_dn_attribute,
+ object_group_membership_key,
+ object_container_dn):
"""
- Migrates user memberships to the external identity.
+ Migrates user memberships to theier external identities.
+
+ All migrated users for the given object are migrated to a common
+ external group which is then assigned to the given object as a
+ (user) member group.
"""
- def winsync_group_name(group_entry):
+ def winsync_group_name(object_entry):
"""
Returns the generated name of group containing migrated external users
"""
- return u"%s_winsync_external" % group_entry['cn'][0]
+ return u"{0}_{1}_winsync_external".format(
+ winsync_group_prefix,
+ object_entry['cn'][0]
+ )
- def create_winsync_group(group_entry):
+ def create_winsync_group(object_entry):
"""
Creates the group containing migrated external users that were
previously available via winsync.
"""
- name = winsync_group_name(group_entry)
+ name = winsync_group_name(object_entry)
api.Command['group_add'](name, external=True)
- api.Command['group_add_member'](group_entry['cn'][0], group=[name])
+ api.Command[object_membership_command](object_entry['cn'][0], group=[name])
- # Search for all groups containing the given user as a direct member
- member_filter = self.ldap.make_filter_from_attr('member', entry.dn)
+ # Search for all objects containing the given user as a direct member
+ member_filter = self.ldap.make_filter_from_attr(user_dn_attribute,
+ user_entry.dn)
try:
- groups, _ = self.ldap.find_entries(member_filter,
- base_dn=api.env.basedn)
+ objects, _ = self.ldap.find_entries(member_filter,
+ base_dn=object_container_dn)
except errors.EmptyResult:
# If there's nothing to migrate, then let's get out of here
return
- # The external user cannot be added directly to the IPA groups, hence
- # we need to wrap all the external users into one new external group,
- # which will be then added to the original IPA group as a member.
+ # The external user cannot be added directly as member of the IPA
+ # objects, hence we need to wrap all the external users into one
+ # new external group, which will be then added to the original IPA
+ # object as a member.
- for group in groups:
+ for obj in objects:
# Check for existence of winsync external group
- name = winsync_group_name(group)
- info = api.Command['group_show'](group['cn'][0])['result']
+ name = winsync_group_name(obj)
+ info = api.Command[object_info_command](obj['cn'][0])['result']
# If it was not created yet, do it now
- if name not in info.get('member_group', []):
- create_winsync_group(group)
+ if name not in info.get(object_group_membership_key, []):
+ create_winsync_group(obj)
# Add the user to the external group. Membership is migrated
# at this point.
- user_identifier = u"%s@%s" % (entry['uid'][0], self.options.realm)
+ user_identifier = u"%s@%s" % (user_entry['uid'][0], self.options.realm)
api.Command['group_add_member'](name, ipaexternalmember=[user_identifier])
+ def migrate_group_memberships(self, user_entry):
+ return self.migrate_memberships(user_entry,
+ winsync_group_prefix="group",
+ user_dn_attribute="member",
+ object_membership_command="group_add_member",
+ object_info_command="group_show",
+ object_group_membership_key="member_group",
+ object_container_dn=DN(api.env.container_group, api.env.basedn),
+ )
+
+ def migrate_role_memberships(self, user_entry):
+ return self.migrate_memberships(user_entry,
+ winsync_group_prefix="role",
+ user_dn_attribute="member",
+ object_membership_command="role_add_member",
+ object_info_command="role_show",
+ object_group_membership_key="member_group",
+ object_container_dn=DN(api.env.container_rolegroup, api.env.basedn),
+ )
+
+ def migrate_hbac_memberships(self, user_entry):
+ return self.migrate_memberships(user_entry,
+ winsync_group_prefix="hbacrule",
+ user_dn_attribute="memberuser",
+ object_membership_command="hbacrule_add_user",
+ object_info_command="hbacrule_show",
+ object_group_membership_key="memberuser_group",
+ object_container_dn=DN(api.env.container_hbac, api.env.basedn),
+ )
+
+ def migrate_selinux_memberships(self, user_entry):
+ return self.migrate_memberships(user_entry,
+ winsync_group_prefix="selinux",
+ user_dn_attribute="memberuser",
+ object_membership_command="selinuxusermap_add_user",
+ object_info_command="selinuxusermap_show",
+ object_group_membership_key="memberuser_group",
+ object_container_dn=DN(api.env.container_selinux, api.env.basedn),
+ )
+
@classmethod
def main(cls, argv):
"""
@@ -284,5 +338,8 @@ class WinsyncMigrate(admintool.AdminTool):
entries = self.find_winsync_users()
for entry in entries:
self.create_id_user_override(entry)
- self.migrate_memberships(entry)
+ self.migrate_group_memberships(entry)
+ self.migrate_role_memberships(entry)
+ self.migrate_hbac_memberships(entry)
+ self.migrate_selinux_memberships(entry)
self.ldap.delete_entry(entry)