summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
diff options
context:
space:
mode:
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/migration.py30
1 files changed, 28 insertions, 2 deletions
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 82100ee35..a3baf97fe 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and
RFC2307bis. RFC2307bis uses member and uniquemember to specify group
members, RFC2307 uses memberUid. The default schema is RFC2307bis.
+The schema compat feature allows IPA to reformat data for systems that
+do not support RFC2307bis. It is recommended that this feature is disabled
+during migration to reduce system overhead. It can be re-enabled after
+migration. To migrate with it enabled use the "--with-compat" option.
+
Migrated users do not have Kerberos credentials, they have only their
LDAP password. To complete the migration process, users need to go
to http://ipa.example.com/ipa/migration and authenticate using their
@@ -107,6 +112,8 @@ _dn_err_msg = _('Malformed DN')
_supported_schemas = (u'RFC2307bis', u'RFC2307')
+_compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config"
+
def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
@@ -445,6 +452,12 @@ class migrate_ds(Command):
label=_('Base DN'),
doc=_('Base DN on remote LDAP server'),
),
+ Flag('compat?',
+ cli_name='with_compat',
+ label=_('Ignore compat plugin'),
+ doc=_('Allows migration despite the usage of compat plugin'),
+ default=False,
+ ),
)
has_output = (
@@ -460,6 +473,10 @@ class migrate_ds(Command):
type=bool,
doc=_('False if migration mode was disabled.'),
),
+ output.Output('compat',
+ type=bool,
+ doc=_('False if migration fails because the compatibility plug-in is enabled.'),
+ ),
)
exclude_doc = _('comma-separated list of %s to exclude from migration')
@@ -645,12 +662,18 @@ can use their Kerberos accounts.''')
# check if migration mode is enabled
if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
- return dict(result={}, failed={}, enabled=False)
+ return dict(result={}, failed={}, enabled=False, compat=True)
# connect to DS
ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+ #check whether the compat plugin is enabled
+ if not options.get('compat'):
+ (dn,check_compat) = ds_ldap.get_entry(_compat_dn, normalize=False)
+ if check_compat is not None and check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
+ return dict(result={},failed={},enabled=True, compat=False)
+
if not ds_base_dn:
# retrieve base DN from remote LDAP server
(entries, truncated) = ds_ldap.find_entries(
@@ -670,13 +693,16 @@ can use their Kerberos accounts.''')
ldap, config, ds_ldap, ds_base_dn, options
)
- return dict(result=migrated, failed=failed, enabled=True)
+ return dict(result=migrated, failed=failed, enabled=True, compat=True)
def output_for_cli(self, textui, result, ldapuri, bindpw, **options):
textui.print_name(self.name)
if not result['enabled']:
textui.print_plain(self.migration_disabled_msg)
return 1
+ if not result['compat']:
+ textui.print_plain("The compat plug-in is enabled. This can increase the memory requirements during migration. Disable the compat plug-in with \'ipa-compat-manage disable\' or re-run this script with \'--with-compat\' option.")
+ return 1
textui.print_plain('Migrated:')
textui.print_entry1(
result['result'], attr_order=self.migrate_order,