From 6f0660a342320ecec805bc158ba31f43394f5ab2 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Wed, 23 Sep 2015 13:28:33 +0200
Subject: [PATCH] winsync-migrate: Properly handle collisions in the names of
external groups
Since the names of the external groups containing the migrated users
must be stripped of characters which are not valid for use in group names,
two different groups might be mapped to one during this process.
Properly handle collisions in the names by adding an incremental
numeric suffix.
https://fedorahosted.org/freeipa/ticket/5319
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
ipaserver/install/ipa_winsync_migrate.py | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index 4dacde3f27ead341fd4d7d2a744d28f74d5c5b95..13c5ddef383204451cbc4bb662c8a1befc1d5f93 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -231,15 +231,26 @@ class WinsyncMigrate(admintool.AdminTool):
posixify(object_entry['cn'][0])
)
- def create_winsync_group(object_entry):
+ def create_winsync_group(object_entry, suffix=0):
"""
Creates the group containing migrated external users that were
previously available via winsync.
"""
name = winsync_group_name(object_entry)
- api.Command['group_add'](name, external=True)
- api.Command[object_membership_command](object_entry['cn'][0], group=[name])
+
+ # Only non-trivial suffix is appended at the end
+ if suffix != 0:
+ name += str(suffix)
+
+ try:
+ api.Command['group_add'](name, external=True)
+ except errors.DuplicateEntry:
+ # If there is a collision, let's try again with a higher suffix
+ create_winsync_group(object_entry, suffix=suffix+1)
+ else:
+ # In case of no collision, add the membership
+ api.Command[object_membership_command](object_entry['cn'][0], group=[name])
# Search for all objects containing the given user as a direct member
member_filter = self.ldap.make_filter_from_attr(user_dn_attribute,
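Review bot: In `create_winsync_group` the name that finally succeeds in `group_add` (base name plus numeric suffix) is never returned or recorded, so any code outside this hunk that recomputes the name with `winsync_group_name(object_entry)` would address the unsuffixed group. If migrated users are later added that way, users belonging to one source object could land in the group created for another and inherit its memberships. The retry is also unbounded recursion on every `DuplicateEntry`, so a long run of taken names ends in a recursion-limit error rather than a clear failure. I would turn it into a bounded loop that returns the chosen name, as sketched below, and have callers use that return value. The function is nested in a method that starts and ends outside the hunk, so how callers derive the group name could not be checked here.

```python
def create_winsync_group(object_entry, suffix=0):
    # … unchanged: docstring …
    base_name = winsync_group_name(object_entry)
    last_error = None

    # 100 is a constructed bound for illustration, not a project constant
    for attempt in range(suffix, suffix + 100):
        # Only non-trivial suffix is appended at the end
        name = base_name if attempt == 0 else base_name + str(attempt)
        try:
            api.Command['group_add'](name, external=True)
        except errors.DuplicateEntry as e:
            # Collision: remember the error and try the next suffix
            last_error = e
            continue

        # No collision: add the membership and report the name actually used
        api.Command[object_membership_command](object_entry['cn'][0], group=[name])
        return name

    raise last_error
```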
--
2.4.3