From a57998f51eb8b62052fe021a68503eed4714c6d3 Mon Sep 17 00:00:00 2001 From: Drew Erny Date: Jun 05 2015 17:31:18 +0000 Subject: Migration now accepts scope as argument Adds a new option to command ipa migrate-ds, --scope=[base,onelevel,subtree] which allows the user to specify LDAP search depth for users and groups. 'onelevel' was the hard-coded level before this patch and is still default. Specify 'subtree' to search nested OUs for users and groups. https://fedorahosted.org/freeipa/ticket/2547 Reviewed-By: Martin Basti --- diff --git a/API.txt b/API.txt index c47d800..eca4e30 100644 --- a/API.txt +++ b/API.txt @@ -2522,7 +2522,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: migrate_ds -args: 2,19,4 +args: 2,20,4 arg: Str('ldapuri', cli_name='ldap_uri') arg: Password('bindpw', cli_name='password', confirm=False) option: DNParam('basedn?', cli_name='base_dn') @@ -2538,6 +2538,7 @@ option: Str('groupignoreobjectclass*', autofill=True, cli_name='group_ignore_obj option: Str('groupobjectclass+', autofill=True, cli_name='group_objectclass', csv=True, default=(u'groupOfUniqueNames', u'groupOfNames')) option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False) option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307')) +option: StrEnum('scope', autofill=True, cli_name='scope', default=u'onelevel', values=(u'base', u'subtree', u'onelevel')) option: Bool('use_def_group?', autofill=True, cli_name='use_default_group', default=True) option: DNParam('usercontainer', autofill=True, cli_name='user_container', default=ipapython.dn.DN('ou=people')) option: Str('userignoreattribute*', autofill=True, cli_name='user_ignore_attribute', csv=True, default=()) diff --git a/VERSION b/VERSION index 6f6e363..fe746a7 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=124 -# Last change: pvoborni - added topology management commands +IPA_API_VERSION_MINOR=125 +# Last change: derny - migration now accepts scope as argument diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 8b7dd9e..9dced13 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -19,6 +19,7 @@ import re from ldap import MOD_ADD +from ldap import SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE from ipalib import api, errors, output from ipalib import Command, Password, Str, Flag, StrEnum, DNParam, File, Bool @@ -141,6 +142,10 @@ _dn_err_msg = _('Malformed DN') _supported_schemas = (u'RFC2307bis', u'RFC2307') +# search scopes for users and groups when migrating +_supported_scopes = {u'base': SCOPE_BASE, u'onelevel': SCOPE_ONELEVEL, u'subtree': SCOPE_SUBTREE} +_default_scope = u'onelevel' + def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs): assert isinstance(dn, DN) @@ -611,6 +616,15 @@ class migrate_ds(Command): default=True, autofill=True, ), + StrEnum('scope', + cli_name='scope', + label=_('Search scope'), + doc=_('LDAP search scope for users and groups: base, onelevel, or ' + 'subtree. Defaults to onelevel'), + values=tuple(_supported_scopes.keys()), + default=_default_scope, + autofill=True, + ), ) has_output = ( @@ -705,6 +719,9 @@ can use their Kerberos accounts.''') failed = {} # {'OBJ': {'PKEY1': 'Failed 'cos blabla', ...}, ...} search_bases = self._get_search_bases(options, ds_base_dn, self.migrate_order) migration_start = datetime.datetime.now() + + scope = _supported_scopes[options.get('scope')] + for ldap_obj_name in self.migrate_order: ldap_obj = self.api.Object[ldap_obj_name] 
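Review bot: The `values=tuple(_supported_scopes.keys())` argument of the new `StrEnum('scope', ...)` option takes its order from a plain dict, which is why the API.txt hunk records `(u'base', u'subtree', u'onelevel')` instead of the order given in the option's doc string. Dict key order is not something this code (presumably Python 2, given the `u''` literals) can rely on, so the generated API.txt line may differ between interpreters or builds without any real API change. I would declare the accepted names as an explicit tuple beside the `_supported_scopes` dict in the `@@ -141` hunk, for example `_supported_scope_names = (u'base', u'onelevel', u'subtree')`, and pass that as `values=`, the same way `_supported_schemas` is declared just above it.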
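Review bot: `scope = _supported_scopes[options.get('scope')]` in the `@@ -705` hunk raises a bare `KeyError` whenever `scope` is missing from `options`, because `.get()` then returns `None`. The option is declared with `autofill=True` and a default, so the CLI path presumably always supplies it, but the enclosing method starts and ends outside this hunk and I cannot see whether every caller goes through default filling. `scope = _supported_scopes[options.get('scope', _default_scope)]` keeps the documented default and turns that path into normal behaviour instead of an internal error.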
@@ -721,7 +738,7 @@ can use their Kerberos accounts.''') try: entries, truncated = ds_ldap.find_entries( search_filter, ['*'], search_bases[ldap_obj_name], - ds_ldap.SCOPE_ONELEVEL, + scope, time_limit=0, size_limit=-1, search_refs=True # migrated DS may contain search references )
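Review bot: Now that `scope` can be `SCOPE_SUBTREE`, this `find_entries` call still runs with `time_limit=0`, `size_limit=-1` and `search_refs=True`, so a single migration can pull in every matching entry below the container, including nested OUs the administrator may not have meant to import (archived or service accounts, for example). Entries in different OUs can also share the same uid or cn, and how such collisions are resolved is decided outside this hunk, so it is worth confirming that a duplicate ends up in `failed` rather than being silently merged or overwritten. I would add a comment above the call along the lines of `# scope may be subtree: entries from nested OUs are flattened into one IPA container; duplicate pkeys must be reported`, and state the flattening in the option's `doc` text. The `base` value would match at most the container entry itself, which looks unlikely to return any user or group and may deserve a note in the help text as well.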