diff options
| author | Tomas Babej <tbabej@redhat.com> | 2015-09-23 13:27:35 +0200 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2015-09-23 17:05:47 +0200 |
| commit | a758f16abe608569e3797b048676c3eb245d784a (patch) | |
| tree | 828f9d61f7b236b227a812a3ed64fe19201e4798 | |
| parent | 4c39561261e79fe1cfdef916eafbcb9c204e77e8 (diff) | |
| download | freeipa-a758f16abe608569e3797b048676c3eb245d784a.tar.gz freeipa-a758f16abe608569e3797b048676c3eb245d784a.tar.xz freeipa-a758f16abe608569e3797b048676c3eb245d784a.zip | |
winsync-migrate: Convert entity names to posix friendly strings
During the migration from winsync replicated users to their
trusted identities, memberships are being preserved. However,
trusted users are external and as such cannot be added as
direct members to the IPA entities. External groups which
encapsulate the migrated users are added as members to those
entities instead.
The name of the external group is generated from the type
of the entity and its name. However, the entity's name can
contain characters which are invalid for use in the group
name.
Adds a helper function to convert a given string to a string
which would be valid for such use and leverages it in the
winsync-migrate tool.
https://fedorahosted.org/freeipa/ticket/5319
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
| -rw-r--r-- | ipapython/ipautil.py | 23 | ||||
| -rw-r--r-- | ipaserver/install/ipa_winsync_migrate.py | 15 |
2 files changed, 35 insertions, 3 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 2402689cc..573e6040c 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -1330,6 +1330,29 @@ def restore_hostname(statestore): except CalledProcessError as e: print("Failed to set this machine hostname back to %s: %s" % (old_hostname, str(e)), file=sys.stderr) +def posixify(string): + """ + Convert a string to a more strict alpha-numeric representation. + + - Alpha-numeric, underscore, dot and dash characters are accepted + - Space is converted to underscore + - Other characters are omitted + - Leading dash is stripped + + Note: This mapping is not one-to-one and may map different input to the + same result. When using posixify, make sure the you do not map two different + entities to one unintentionally. + """ + + def valid_char(char): + return char.isalnum() or char in ('_', '.', '-') + + # First replace space characters + replaced = string.replace(' ','_') + omitted = ''.join(filter(valid_char, replaced)) + + # Leading dash is not allowed + return omitted.lstrip('-') @contextmanager def private_ccache(path=None): diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py index cafec9d18..d0c6cc80c 100644 --- a/ipaserver/install/ipa_winsync_migrate.py +++ b/ipaserver/install/ipa_winsync_migrate.py @@ -26,7 +26,7 @@ from ipalib import api from ipalib import errors from ipapython import admintool from ipapython.dn import DN -from ipapython.ipautil import realm_to_suffix +from ipapython.ipautil import realm_to_suffix, posixify from ipapython.ipa_log_manager import log_mgr from ipaserver.plugins.ldap2 import ldap2 from ipaserver.install import replication @@ -219,12 +219,21 @@ class WinsyncMigrate(admintool.AdminTool): def winsync_group_name(object_entry): """ - Returns the generated name of group containing migrated external users + Returns the generated name of group containing migrated external + users. + + The group name is of the form: + "<prefix>_<object name>_winsync_external" + + Object name is converted to posix-friendly string by omitting + and/or replacing characters. This may lead to collisions, i.e. + if both 'trust_admins' and 'trust admin' groups have winsync + users being migrated. """ return u"{0}_{1}_winsync_external".format( winsync_group_prefix, - object_entry['cn'][0] + posixify(object_entry['cn'][0]) ) def create_winsync_group(object_entry): |