authorTomas Babej <tbabej@redhat.com>2015-09-23 13:28:33 +0200
committerJan Cholasta <jcholast@redhat.com>2015-09-23 17:05:47 +0200
commit75cba4e8bfe0479078ba112d99628ed517e010a2 (patch)
tree8f1c0fdd43cc088882fdac62b0a580b66ca7c901
parenta758f16abe608569e3797b048676c3eb245d784a (diff)
downloadfreeipa-75cba4e8bfe0479078ba112d99628ed517e010a2.tar.gz
freeipa-75cba4e8bfe0479078ba112d99628ed517e010a2.tar.xz
freeipa-75cba4e8bfe0479078ba112d99628ed517e010a2.zip
winsync-migrate: Properly handle collisions in the names of external groups
Since the names of the external groups containing the migrated users must be stripped of characters which are not valid for use in group names, two different groups might be mapped to one during this process. Properly handle collisions in the names by adding an incremental numeric suffix. https://fedorahosted.org/freeipa/ticket/5319 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r--ipaserver/install/ipa_winsync_migrate.py17
1 files changed, 14 insertions, 3 deletions
diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index d0c6cc80c..87e23fb36 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -236,15 +236,26 @@ class WinsyncMigrate(admintool.AdminTool):
posixify(object_entry['cn'][0])
)
- def create_winsync_group(object_entry):
+ def create_winsync_group(object_entry, suffix=0):
"""
Creates the group containing migrated external users that were
previously available via winsync.
"""
name = winsync_group_name(object_entry)
- api.Command['group_add'](name, external=True)
- api.Command[object_membership_command](object_entry['cn'][0], group=[name])
+
+ # Only non-trivial suffix is appended at the end
+ if suffix != 0:
+ name += str(suffix)
+
+ try:
+ api.Command['group_add'](name, external=True)
+ except errors.DuplicateEntry:
+ # If there is a collision, let's try again with a higher suffix
+ create_winsync_group(object_entry, suffix=suffix+1)
+ else:
+ # In case of no collision, add the membership
+ api.Command[object_membership_command](object_entry['cn'][0], group=[name])
# Search for all objects containing the given user as a direct member
member_filter = self.ldap.make_filter_from_attr(user_dn_attribute,
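Review bot: create_winsync_group never returns the name it finally created, so after a collision the caller cannot learn that the group carries a numeric suffix rather than the plain value of winsync_group_name(object_entry). If code outside this hunk recomputes the unsuffixed name when adding the migrated user, that user would land in the other, colliding group and inherit the memberships of a different source object; this cannot be confirmed from the hunk alone. Returning the name from both branches would close the gap: `return create_winsync_group(object_entry, suffix=suffix+1)` in the `except` branch and `return name` after the membership call. It is also worth a comment that DuplicateEntry is raised just the same when the group is left over from an earlier run of the tool, in which case a suffixed duplicate is created instead of the existing group being reused. The enclosing method starts and ends outside the hunk.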