From d639e932e248866e7a5993f899f025778860bc95 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Sep 23 2015 15:06:16 +0000
Subject: winsync-migrate: Properly handle collisions in the names of external groups
Since the names of the external groups containing the migrated users must be stripped of characters which are not valid for use in group names, two different groups might be mapped to one during this process. Properly handle collisions in the names by adding an incremental numeric suffix.
https://fedorahosted.org/freeipa/ticket/5319
Reviewed-By: Martin Babinsky
---
diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index 4dacde3..13c5dde 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -231,15 +231,26 @@ class WinsyncMigrate(admintool.AdminTool):
posixify(object_entry['cn'][0]) )
- def create_winsync_group(object_entry):
+ def create_winsync_group(object_entry, suffix=0):
""" Creates the group containing migrated external users that were previously available via winsync. """
name = winsync_group_name(object_entry)
- api.Command['group_add'](name, external=True)
- api.Command[object_membership_command](object_entry['cn'][0], group=[name])
+
+ # Only non-trivial suffix is appended at the end
+ if suffix != 0:
+ name += str(suffix)
+
+ try:
+ api.Command['group_add'](name, external=True)
+ except errors.DuplicateEntry:
+ # If there is a collision, let's try again with a higher suffix
+ create_winsync_group(object_entry, suffix=suffix+1)
+ else:
+ # In case of no collision, add the membership
+ api.Command[object_membership_command](object_entry['cn'][0], group=[name])
# Search for all objects containing the given user as a direct member
member_filter = self.ldap.make_filter_from_attr(user_dn_attribute,
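Review bot: In `create_winsync_group`, the `except errors.DuplicateEntry` branch assumes the existing group belongs to a different migrated object, but the same error would presumably also be raised for a group left behind by an earlier, interrupted run or created by hand, and the retry then quietly creates `name1` and attaches the membership to that one instead. Because these external groups become members of whatever `object_membership_command` operates on, the suffix an object receives depends on processing order, and nothing in the function records which object ended up with which group; I would report the final `name` together with `object_entry['cn'][0]` whenever `suffix != 0`, and say in the docstring that suffixed names are not stable across runs. The retry is also an unbounded self-call, where a `while` loop that increments `suffix` until `group_add` succeeds would read more directly. The enclosing method starts and ends outside the hunk, so whether the chosen name is reported elsewhere cannot be seen from here.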