-rw-r--r--API.txt4
-rw-r--r--VERSION2
-rw-r--r--ipalib/plugins/migration.py30
3 files changed, 32 insertions, 4 deletions
diff --git a/API.txt b/API.txt
index dadd9c11d..9d744460b 100644
--- a/API.txt
+++ b/API.txt
@@ -1893,7 +1893,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
output: Output('value', <type 'unicode'>, None)
command: migrate_ds
-args: 2,15,3
+args: 2,16,4
arg: Str('ldapuri', cli_name='ldap_uri')
arg: Password('bindpw', cli_name='password', confirm=False)
option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
@@ -1909,11 +1909,13 @@ option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid',
option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307'))
option: Flag('continue?', autofill=True, default=False)
option: Str('basedn?', cli_name='base_dn')
+option: Flag('compat?', autofill=True, cli_name='with_compat', default=False)
option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())
option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=())
output: Output('result', <type 'dict'>, None)
output: Output('failed', <type 'dict'>, None)
output: Output('enabled', <type 'bool'>, None)
+output: Output('compat', <type 'bool'>, None)
command: netgroup_add
args: 1,9,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index 2a6b13f5d..18add439b 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=28
+IPA_API_VERSION_MINOR=29
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 82100ee35..a3baf97fe 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and
RFC2307bis. RFC2307bis uses member and uniquemember to specify group
members, RFC2307 uses memberUid. The default schema is RFC2307bis.
+The schema compat feature allows IPA to reformat data for systems that
+do not support RFC2307bis. It is recommended that this feature is disabled
+during migration to reduce system overhead. It can be re-enabled after
+migration. To migrate with it enabled use the "--with-compat" option.
+
Migrated users do not have Kerberos credentials, they have only their
LDAP password. To complete the migration process, users need to go
to http://ipa.example.com/ipa/migration and authenticate using their
@@ -107,6 +112,8 @@ _dn_err_msg = _('Malformed DN')
_supported_schemas = (u'RFC2307bis', u'RFC2307')
+_compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config"
+
def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
@@ -445,6 +452,12 @@ class migrate_ds(Command):
label=_('Base DN'),
doc=_('Base DN on remote LDAP server'),
),
+ Flag('compat?',
+ cli_name='with_compat',
+ label=_('Ignore compat plugin'),
+ doc=_('Allows migration despite the usage of compat plugin'),
+ default=False,
+ ),
)
has_output = (
@@ -460,6 +473,10 @@ class migrate_ds(Command):
type=bool,
doc=_('False if migration mode was disabled.'),
),
+ output.Output('compat',
+ type=bool,
+ doc=_('False if migration fails because the compatibility plug-in is enabled.'),
+ ),
)
exclude_doc = _('comma-separated list of %s to exclude from migration')
@@ -645,12 +662,18 @@ can use their Kerberos accounts.''')
# check if migration mode is enabled
if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
- return dict(result={}, failed={}, enabled=False)
+ return dict(result={}, failed={}, enabled=False, compat=True)
# connect to DS
ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+ #check whether the compat plugin is enabled
+ if not options.get('compat'):
+ (dn,check_compat) = ds_ldap.get_entry(_compat_dn, normalize=False)
+ if check_compat is not None and check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
+ return dict(result={},failed={},enabled=True, compat=False)
+
if not ds_base_dn:
# retrieve base DN from remote LDAP server
(entries, truncated) = ds_ldap.find_entries(
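Review bot: The new compat check calls `ds_ldap.get_entry(_compat_dn, normalize=False)`, so it reads the plug-in entry from the remote directory being migrated from. The CLI message added later in this commit tells the admin to run `ipa-compat-manage disable`, which suggests the plug-in that matters is the one on the local IPA server; if so, the lookup should use the local `ldap` connection that is passed to the migration call further down. The lookup is also unguarded: ipalib's ldap2 normally raises `errors.NotFound` for a missing entry, so a server without `cn=Schema Compatibility` would abort the migration rather than skip the check. The sketch below assumes `errors` is imported and `ldap` is already bound at this point, neither of which is visible here; the enclosing method starts and ends outside the hunk.

```python
# … unchanged: migration-mode check and ds_ldap connect …
        # check whether the compat plugin is enabled on the local IPA server
        if not options.get('compat'):
            try:
                (dn, check_compat) = ldap.get_entry(_compat_dn, normalize=False)
            except errors.NotFound:
                # no plug-in entry at all: nothing to warn about
                check_compat = None
            if check_compat is not None and \
                    check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
                return dict(result={}, failed={}, enabled=True, compat=False)
# … unchanged: base DN retrieval …
```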
@@ -670,13 +693,16 @@ can use their Kerberos accounts.''')
ldap, config, ds_ldap, ds_base_dn, options
)
- return dict(result=migrated, failed=failed, enabled=True)
+ return dict(result=migrated, failed=failed, enabled=True, compat=True)
def output_for_cli(self, textui, result, ldapuri, bindpw, **options):
textui.print_name(self.name)
if not result['enabled']:
textui.print_plain(self.migration_disabled_msg)
return 1
+ if not result['compat']:
+ textui.print_plain("The compat plug-in is enabled. This can increase the memory requirements during migration. Disable the compat plug-in with \'ipa-compat-manage disable\' or re-run this script with \'--with-compat\' option.")
+ return 1
textui.print_plain('Migrated:')
textui.print_entry1(
result['result'], attr_order=self.migrate_order,
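Review bot: The compat warning in `output_for_cli` is an inline string literal passed straight to `textui.print_plain`, so it is not wrapped in `_()` and will not be translated. The branch just above prints `self.migration_disabled_msg`, presumably a translatable class attribute. For consistency, define a matching attribute, e.g. `migration_compat_msg = _('''The compat plug-in is enabled. ...''')`, and call `textui.print_plain(self.migration_compat_msg)`. The `\'` escapes are unnecessary inside a double-quoted string, and "re-run this script" would read better as "re-run this command". `output_for_cli` continues past the end of the hunk.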