From 959b276e7d10f80269568c6d340e59d664fc5d42 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Wed, 30 Jan 2013 09:46:02 +0100
Subject: Fix migration for openldap DS

openldap server does not store its schema in cn=schema entry, but
rather in cn=subschema. Add a fallback to ldap2 plugin to read from
this entry when cn=schema is not found. ldap2 plugin uses the schema
when doing some of the automatic encoding, like an automatic
encoding of DN object.

IPA migration plugin DN attribute processing is now also more
tolerant when it finds that some DN attribute was not autoencoded.
It tries to convert it to DN on its own and report a warning and
continue with user processing when the conversion fails instead of
crashing with AssertionError and thus abandoning the whole
migration run.

https://fedorahosted.org/freeipa/ticket/3372
---
 ipalib/plugins/migration.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'ipalib/plugins/migration.py')

diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 05036c9c..81df59a2 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -191,7 +191,19 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
     for attr in entry_attrs.keys():
         if ldap.has_dn_syntax(attr):
             for ind, value in enumerate(entry_attrs[attr]):
-                assert isinstance(value, DN)
+                if not isinstance(value, DN):
+                    # value is not DN instance, the automatic encoding may have
+                    # failed due to missing schema or the remote attribute type OID was
+                    # not detected as DN type. Try to work this around
+                    api.log.debug('%s: value %s of type %s in attribute %s is not a DN'
+                        ', convert it', pkey, value, type(value), attr)
+                    try:
+                        value = DN(value)
+                    except ValueError, e:
+                        api.log.warn('%s: skipping normalization of value %s of type %s '
+                            'in attribute %s which could not be converted to DN: %s',
+                                pkey, value, type(value), attr, e)
+                        continue
                 try:
                     (remote_dn, remote_entry) = ds_ldap.get_entry(value, [api.Object.user.primary_key.name, api.Object.group.primary_key.name])
                 except errors.NotFound:
-- 
cgit