diff options
author | Martin Babinsky <mbabinsk@redhat.com> | 2017-02-16 14:06:08 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-03-01 15:55:45 +0100 |
commit | 4ba6b968399204aac66d82d917a8cc159e77ad4d (patch) | |
tree | 956f7b1bedc90ec9fc7c5aef1eb3ab5438c1f1f7 | |
parent | 052de4308c64b126bee440e970be4cf8449c5ebc (diff) | |
download | freeipa-4ba6b968399204aac66d82d917a8cc159e77ad4d.tar.gz freeipa-4ba6b968399204aac66d82d917a8cc159e77ad4d.tar.xz freeipa-4ba6b968399204aac66d82d917a8cc159e77ad4d.zip |
Refactor the code checking for missing SIDs
Decompose the individual sub-tasks into separate functions. Also perform
the lookup only when LDAP is connected.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r-- | ipaserver/install/adtrust.py | 107 |
1 files changed, 64 insertions, 43 deletions
diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py index 92fe0315f..69e9834f7 100644 --- a/ipaserver/install/adtrust.py +++ b/ipaserver/install/adtrust.py @@ -168,6 +168,69 @@ def check_for_installed_deps(): raise ScriptError("Aborting installation.") +def retrieve_entries_without_sid(api): + """ + Retrieve a list of entries without assigned SIDs. + :returns: a list of entries or an empty list if an error occurs + """ + # The filter corresponds to ipa_sidgen_task.c LDAP search filter + filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \ + '(|(objectclass=posixaccount)(objectclass=posixgroup)' \ + '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))' + base_dn = api.env.basedn + try: + root_logger.debug( + "Searching for objects with missing SID with " + "filter=%s, base_dn=%s", filter, base_dn) + entries, _truncated = api.Backend.ldap2.find_entries( + filter=filter, base_dn=base_dn, attrs_list=['']) + return entries + except errors.NotFound: + # All objects have SIDs assigned + pass + except (errors.DatabaseError, errors.NetworkError) as e: + print("Could not retrieve a list of objects that need a SID " + "identifier assigned:") + print(unicode(e)) + + return [] + + +def retrieve_and_ask_about_sids(api, options): + entries = [] + if api.Backend.ldap2.isconnected(): + entries = retrieve_entries_without_sid(api) + else: + root_logger.debug( + "LDAP backend not connected, can not retrieve entries " + "with missing SID") + + object_count = len(entries) + if object_count > 0: + print("") + print("WARNING: %d existing users or groups do not have " + "a SID identifier assigned." % len(entries)) + print("Installer can run a task to have ipa-sidgen " + "Directory Server plugin generate") + print("the SID identifier for all these users. Please note, " + "the in case of a high") + print("number of users and groups, the operation might " + "lead to high replication") + print("traffic and performance degradation. Refer to " + "ipa-adtrust-install(1) man page") + print("for details.") + print("") + if options.unattended: + print("Unattended mode was selected, installer will " + "NOT run ipa-sidgen task!") + else: + if ipautil.user_input( + "Do you want to run the ipa-sidgen task?", + default=False, + allow_empty=False): + options.add_sids = True + + def install_check(standalone, options, api): global netbios_name global reset_netbios_name @@ -225,49 +288,7 @@ def install_check(standalone, options, api): options.netbios_name, options.unattended, api) if not options.add_sids: - # The filter corresponds to ipa_sidgen_task.c LDAP search filter - filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \ - '(|(objectclass=posixaccount)(objectclass=posixgroup)' \ - '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))' - base_dn = api.env.basedn - try: - root_logger.debug( - "Searching for objects with missing SID with " - "filter=%s, base_dn=%s", filter, base_dn) - entries, _truncated = api.Backend.ldap2.find_entries( - filter=filter, base_dn=base_dn, attrs_list=['']) - except errors.NotFound: - # All objects have SIDs assigned - pass - except (errors.DatabaseError, errors.NetworkError) as e: - print("Could not retrieve a list of objects that need a SID " - "identifier assigned:") - print(unicode(e)) - else: - object_count = len(entries) - if object_count > 0: - print("") - print("WARNING: %d existing users or groups do not have " - "a SID identifier assigned." % len(entries)) - print("Installer can run a task to have ipa-sidgen " - "Directory Server plugin generate") - print("the SID identifier for all these users. Please note, " - "the in case of a high") - print("number of users and groups, the operation might " - "lead to high replication") - print("traffic and performance degradation. Refer to " - "ipa-adtrust-install(1) man page") - print("for details.") - print("") - if options.unattended: - print("Unattended mode was selected, installer will " - "NOT run ipa-sidgen task!") - else: - if ipautil.user_input( - "Do you want to run the ipa-sidgen task?", - default=False, - allow_empty=False): - options.add_sids = True + retrieve_and_ask_about_sids(api, options) def install(options, fstore, api): |