diff options
author | Martin Basti <mbasti@redhat.com> | 2014-11-07 13:28:01 +0100 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2014-11-13 13:26:34 +0100 |
commit | f62c7843ffeda1e841719cb35f9f773f186780a6 (patch) | |
tree | 583fb9e91821b72ae8032d6cb261e4f11b9943ed | |
parent | c32ecbff8cfe219499c15afe34e617ec7a9297cf (diff) | |
download | freeipa-f62c7843ffeda1e841719cb35f9f773f186780a6.tar.gz freeipa-f62c7843ffeda1e841719cb35f9f773f186780a6.tar.xz freeipa-f62c7843ffeda1e841719cb35f9f773f186780a6.zip |
Fix upgrade referint plugin
Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
Now old setting are migrated to new style setting before upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
-rw-r--r-- | install/updates/25-referint.update | 13 | ||||
-rw-r--r-- | ipaserver/install/plugins/Makefile.am | 1 | ||||
-rw-r--r-- | ipaserver/install/plugins/update_referint.py | 90 |
3 files changed, 92 insertions, 12 deletions
diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update index a43d21ad5..609eaba74 100644 --- a/install/updates/25-referint.update +++ b/install/updates/25-referint.update @@ -1,19 +1,8 @@ # Expand attributes checked by Referential Integrity plugin # pres and eq indexes defined in 20-indices.update must be set for all these # attributes +# NOTE: migration to new style is done in update_referint.py dn: cn=referential integrity postoperation,cn=plugins,cn=config -remove: nsslapd-pluginArg7: manager -remove: nsslapd-pluginArg8: secretary -remove: nsslapd-pluginArg9: memberuser -remove: nsslapd-pluginArg10: memberhost -remove: nsslapd-pluginArg11: sourcehost -remove: nsslapd-pluginArg12: memberservice -remove: nsslapd-pluginArg13: managedby -remove: nsslapd-pluginArg14: memberallowcmd -remove: nsslapd-pluginArg15: memberdenycmd -remove: nsslapd-pluginArg16: ipasudorunas -remove: nsslapd-pluginArg17: ipasudorunasgroup -remove: nsslapd-pluginArg18: ipatokenradiusconfiglink add: referint-membership-attr: manager add: referint-membership-attr: secretary add: referint-membership-attr: memberuser diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am index 635877d8c..d651297ac 100644 --- a/ipaserver/install/plugins/Makefile.am +++ b/ipaserver/install/plugins/Makefile.am @@ -11,6 +11,7 @@ app_PYTHON = \ update_services.py \ update_anonymous_aci.py \ update_pacs.py \ + update_referint.py \ ca_renewal_master.py \ update_uniqueness.py \ $(NULL) diff --git a/ipaserver/install/plugins/update_referint.py b/ipaserver/install/plugins/update_referint.py new file mode 100644 index 000000000..1b7411035 --- /dev/null +++ b/ipaserver/install/plugins/update_referint.py @@ -0,0 +1,90 @@ +# +# Copyright (C) 2014 FreeIPA Contributors see COPYING for license +# + +from ipaserver.install.plugins import MIDDLE +from ipaserver.install.plugins.baseupdate import PreUpdate +from ipalib import api, errors +from ipapython.dn import DN +from ipapython.ipa_log_manager import root_logger + +class update_referint(PreUpdate): + """ + Update referential integrity configuration to new style + http://directory.fedoraproject.org/docs/389ds/design/ri-plugin-configuration.html + + old attr -> new attr + nsslapd-pluginArg0 -> referint-update-delay + nsslapd-pluginArg1 -> referint-logfile + nsslapd-pluginArg2 -> referint-logchanges + nsslapd-pluginArg3..N -> referint-membership-attr [3..N] + + Old and new style cannot be mixed, all nslapd-pluginArg* attrs have to be removed + """ + + order = MIDDLE + + referint_dn = DN(('cn', 'referential integrity postoperation'), + ('cn', 'plugins'), ('cn', 'config')) + + def execute(self, **options): + + root_logger.debug("Upgrading referential integrity plugin configuration") + ldap = self.obj.backend + try: + entry = ldap.get_entry(self.referint_dn) + except errors.NotFound: + root_logger.error("Referential integrity configuration not found") + return False, False, [] + + referint_membership_attrs = [] + + root_logger.debug("Initial value: %s", repr(entry)) + + # nsslapd-pluginArg0 -> referint-update-delay + update_delay = entry.get('nsslapd-pluginArg0') + if update_delay: + root_logger.debug("add: referint-update-delay: %s", update_delay) + entry['referint-update-delay'] = update_delay + entry['nsslapd-pluginArg0'] = None + else: + root_logger.info("Plugin already uses new style, skipping") + return False, False, [] + + # nsslapd-pluginArg1 -> referint-logfile + logfile = entry.get('nsslapd-pluginArg1') + if logfile: + root_logger.debug("add: referint-logfile: %s", logfile) + entry['referint-logfile'] = logfile + entry['nsslapd-pluginArg1'] = None + + # nsslapd-pluginArg2 -> referint-logchanges + logchanges = entry.get('nsslapd-pluginArg2') + if logchanges: + root_logger.debug("add: referint-logchanges: %s", logchanges) + entry['referint-logchanges'] = logchanges + entry['nsslapd-pluginArg2'] = None + + # nsslapd-pluginArg3..N -> referint-membership-attr [3..N] + for key in entry.keys(): + if key.lower().startswith('nsslapd-pluginarg'): + arg_val = entry.single_value[key] + if arg_val: + referint_membership_attrs.append(arg_val) + entry[key] = None + + if referint_membership_attrs: + # entry['referint-membership-attr'] is None, plugin doesn't allow + # mixing old and new style + entry['referint-membership-attr'] = referint_membership_attrs + + root_logger.debug("Final value: %s", repr(entry)) + try: + ldap.update_entry(entry) + except errors.EmptyModlist: + root_logger.debug("No modifications required") + return False, False, [] + + return False, True, [] + +api.register(update_referint) |