authorTomas Babej <tbabej@redhat.com>2015-05-05 12:41:12 +0200
committerTomas Babej <tbabej@redhat.com>2015-07-02 13:23:21 +0200
commite5fe79a0f427c117a6ecd8f7870cb43eb5be0c84 (patch)
tree5285481d1ef9665d634da802002900ceeb40a098
parent199358112eb1fe2da61de42c207396646067cb87 (diff)
winsync_migrate: Migrate memberships of the winsynced users
https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r--ipaserver/install/ipa_winsync_migrate.py51
1 files changed, 51 insertions, 0 deletions
diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index cb62c7e..bf03dce 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -198,6 +198,56 @@ class WinsyncMigrate(admintool.AdminTool):
return entries
+ def migrate_memberships(self, entry):
+ """
+ Migrates user memberships to the external identity.
+ """
+
+ def winsync_group_name(group_entry):
+ """
+ Returns the generated name of group containing migrated external users
+ """
+
+ return u"%s_winsync_external" % group_entry['cn'][0]
+
+ def create_winsync_group(group_entry):
+ """
+ Creates the group containing migrated external users that were
+ previously available via winsync.
+ """
+
+ name = winsync_group_name(group_entry)
+ api.Command['group_add'](name, external=True)
+ api.Command['group_add_member'](group_entry['cn'][0], group=[name])
+
+ # Search for all groups containing the given user as a direct member
+ member_filter = self.ldap.make_filter_from_attr('member', entry.dn)
+
+ try:
+ groups, _ = self.ldap.find_entries(member_filter,
+ base_dn=api.env.basedn)
+ except errors.EmptyResult:
+ # If there's nothing to migrate, then let's get out of here
+ return
+
+ # The external user cannot be added directly to the IPA groups, hence
+ # we need to wrap all the external users into one new external group,
+ # which will be then added to the original IPA group as a member.
+
+ for group in groups:
+ # Check for existence of winsync external group
+ name = winsync_group_name(group)
+ info = api.Command['group_show'](group['cn'][0])['result']
+
+ # If it was not created yet, do it now
+ if name not in info.get('member_group', []):
+ create_winsync_group(group)
+
+ # Add the user to the external group. Membership is migrated
+ # at this point.
+ user_identifier = u"%s@%s" % (entry['uid'][0], self.options.realm)
+ api.Command['group_add_member'](name, ipaexternalmember=[user_identifier])
+
@classmethod
def main(cls, argv):
"""
@@ -234,4 +284,5 @@ class WinsyncMigrate(admintool.AdminTool):
entries = self.find_winsync_users()
for entry in entries:
self.create_id_user_override(entry)
+ self.migrate_memberships(entry)
self.ldap.delete_entry(entry)
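Review bot: `self.ldap.delete_entry(entry)` runs immediately after `self.migrate_memberships(entry)` with no confirmation that the memberships were written, and `migrate_memberships` discards the return value of every `group_add_member` call. As far as I know, that command reports members it could not add in the `failed` part of its result rather than raising, so a `uid@realm` that cannot be resolved would silently lose the user's group memberships once the winsync entry is deleted. Keep the result, e.g. `result = api.Command['group_add_member'](name, ipaexternalmember=[user_identifier])`, raise or log when `result['completed']` is 0, and skip the delete for that entry. The enclosing method starts outside this hunk, so any error handling around the loop is not visible here.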