freeipa/ipalib/plugins/migration.py

375 lines
13 KiB
Python
Raw Normal View History

# Authors:
# Pavel Zuna <pzuna@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
Migration to IPA
Example: Migrate users and groups from DS to IPA
ipa migrate-ds ldap://example.com:389
"""
import logging
import re
from ipalib import api, errors, output, uuid
from ipalib import Command, List, Password, Str
from ipalib.cli import to_cli
from ipaserver.plugins.ldap2 import ldap2
# USER MIGRATION CALLBACKS AND VARS
_krb_err_msg = 'Kerberos principal %s already exists. ' \
'Use \'ipa user-mod\' to set it manually.'
_grp_err_msg = 'Failed to add user to the default group. ' \
'Use \'ipa group-add-member\' to add manually.'
def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx):
# get default primary group for new users
if 'def_group_dn' not in ctx:
def_group = config.get('ipadefaultprimarygroup')
ctx['def_group_dn'] = api.Object.group.get_dn(def_group)
try:
(g_dn, g_attrs) = ldap.get_entry(ctx['def_group_dn'], ['gidnumber'])
except errors.NotFound:
error_msg = 'Default group for new users not found.'
raise errors.NotFound(reason=error_msg)
ctx['def_group_gid'] = g_attrs['gidnumber'][0]
# fill in required attributes by IPA
entry_attrs['ipauniqueid'] = str(uuid.uuid1())
if 'homedirectory' not in entry_attrs:
homes_root = config.get('ipahomesrootdir', ('/home', ))[0]
home_dir = '%s/%s' % (homes_root, pkey)
home_dir = home_dir.replace('//', '/').rstrip('/')
entry_attrs['homedirectory'] = home_dir
entry_attrs.setdefault('gidnumber', ctx['def_group_gid'])
# generate a principal name and check if it isn't already taken
principal = '%s@%s' % (pkey, api.env.realm)
try:
ldap.find_entry_by_attr(
'krbprincipalname', principal, 'krbprincipalaux', ['']
)
except errors.NotFound:
entry_attrs['krbprincipalname'] = principal
else:
failed[pkey] = _krb_err_msg % principal
return dn
def _post_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx):
# add user to the default group
try:
ldap.add_entry_to_group(dn, ctx['def_group_dn'])
except errors.ExecutionError, e:
failed[pkey] = _grp_err_msg
# GROUP MIGRATION CALLBACKS AND VARS
def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx):
def convert_members(member_attr, overwrite=False):
"""
Convert DNs in member attributes to work in IPA.
"""
new_members = []
entry_attrs.setdefault(member_attr, [])
for m in entry_attrs[member_attr]:
col = m.find(',')
if col == -1:
continue
if m.startswith('uid'):
m = '%s,%s' % (m[0:col], api.env.container_user)
elif m.startswith('cn'):
m = '%s,%s' % (m[0:col], api.env.container_group)
m = ldap.normalize_dn(m)
new_members.append(m)
del entry_attrs[member_attr]
if overwrite:
entry_attrs['member'] = []
entry_attrs['member'] += new_members
entry_attrs['ipauniqueid'] = str(uuid.uuid1())
convert_members('member', overwrite=True)
convert_members('uniquemember')
return dn
# DS MIGRATION PLUGIN
def validate_ldapuri(ugettext, ldapuri):
m = re.match('^ldaps?://[-\w\.]+(:\d+)?$', ldapuri)
if not m:
err_msg = 'Invalid LDAP URI.'
raise errors.ValidationError(name='ldap_uri', error=err_msg)
class migrate_ds(Command):
"""
Migrate users and groups from DS to IPA.
"""
migrate_objects = {
# OBJECT_NAME: (search_filter, pre_callback, post_callback)
#
# OBJECT_NAME - is the name of an LDAPObject subclass
# search_filter - is the filter to retrieve objects from DS
# pre_callback - is called for each object just after it was
# retrieved from DS and before being added to IPA
# post_callback - is called for each object after it was added to IPA
#
# {pre, post}_callback parameters:
# ldap - ldap2 instance connected to IPA
# pkey - primary key value of the object (uid for users, etc.)
# dn - dn of the object as it (will be/is) stored in IPA
# entry_attrs - attributes of the object
# failed - a list of so-far failed objects
# config - IPA config entry attributes
# ctx - object context, used to pass data between callbacks
#
# If pre_callback return value evaluates to False, migration
# of the current object is aborted.
'user': (
'(&(objectClass=person)(uid=*))',
_pre_migrate_user, _post_migrate_user
),
'group': (
'(&(objectClass=groupOfUniqueNames)(cn=*))',
_pre_migrate_group, None
),
}
migrate_order = ('user', 'group')
takes_args = (
Str('ldapuri', validate_ldapuri,
cli_name='ldap_uri',
doc='LDAP URI of DS server to migrate from',
),
Password('bindpw',
cli_name='password',
doc='bind password',
),
)
takes_options = (
Str('binddn?',
cli_name='bind_dn',
doc='bind DN',
default=u'cn=directory manager',
autofill=True,
),
Str('usercontainer?',
cli_name='user_container',
doc='RDN of container for users in DS',
default=u'ou=people',
autofill=True,
),
Str('groupcontainer?',
cli_name='group_container',
doc='RDN of container for groups in DS',
default=u'ou=groups',
autofill=True,
),
)
has_output = (
output.Output('result',
type=dict,
doc='Lists of objects migrated; categorized by type.',
),
output.Output('failed',
type=dict,
doc='Lists of objects that could not be migrated; ' \
'categorized by type.',
),
output.Output('enabled',
type=bool,
doc='False if migration mode was disabled.',
),
)
exclude_doc = 'comma-separated list of %s to exclude from migration'
truncated_err_msg = 'search results for objects to be migrated ' \
'have been truncated by the server; migration ' \
'process might be uncomplete\n'
migration_disabled_msg = 'Migration mode is disabled. ' \
'Use \'ipa config-mod\' to enable it.'
pwd_migration_msg = 'Passwords have been migrated in pre-hashed format. ' \
'IPA is unable to generate Kerberos keys unless provided ' \
'with clear text passwords. All migrated users need to ' \
'login at https://your.domain/ipa/migration/ before they ' \
'can use their Kerberos accounts.'
def get_options(self):
"""
Call get_options of the baseclass and add "exclude" options
for each type of object being migrated.
"""
for option in super(migrate_ds, self).get_options():
yield option
for ldap_obj_name in self.migrate_objects:
ldap_obj = self.api.Object[ldap_obj_name]
name = 'exclude_%ss' % to_cli(ldap_obj_name)
doc = self.exclude_doc % ldap_obj.object_name_plural
yield List(
'%s?' % name, cli_name=name, doc=doc, default=tuple(),
autofill=True
)
def normalize_options(self, options):
"""
Convert all "exclude" option values to lower-case.
Also, empty List parameters are converted to None, but the migration
plugin doesn't like that - convert back to empty lists.
"""
for p in self.params():
if isinstance(p, List):
if options[p.name]:
options[p.name] = tuple(
v.lower() for v in options[p.name]
)
else:
options[p.name] = tuple()
def migrate(self, ldap, config, ds_ldap, ds_base_dn, options):
"""
Migrate objects from DS to LDAP.
"""
migrated = {} # {'OBJ': ['PKEY1', 'PKEY2', ...], ...}
failed = {} # {'OBJ': {'PKEY1': 'Failed 'cos blabla', ...}, ...}
for ldap_obj_name in self.migrate_order:
ldap_obj = self.api.Object[ldap_obj_name]
search_filter = self.migrate_objects[ldap_obj_name][0]
search_base = '%s,%s' % (
options['%scontainer' % to_cli(ldap_obj_name)], ds_base_dn
)
exclude = options['exclude_%ss' % to_cli(ldap_obj_name)]
context = {}
migrated[ldap_obj_name] = []
failed[ldap_obj_name] = {}
# FIXME: with limits set, we get a strange 'Success' exception
(entries, truncated) = ds_ldap.find_entries(
search_filter, ['*'], search_base, ds_ldap.SCOPE_ONELEVEL#,
#time_limit=0, size_limit=0
)
if truncated:
self.log.error(
'%s: %s' % (
ldap_obj.object_name_plural, self.truncated_err_msg
)
)
for (dn, entry_attrs) in entries:
pkey = entry_attrs[ldap_obj.primary_key.name][0].lower()
if pkey in exclude:
continue
dn = ldap_obj.get_dn(pkey)
entry_attrs['objectclass'] = list(
set(
config.get(
ldap_obj.object_class_config, ldap_obj.object_class
) + [o.lower() for o in entry_attrs['objectclass']]
)
)
callback = self.migrate_objects[ldap_obj_name][1]
if callable(callback):
dn = callback(
ldap, pkey, dn, entry_attrs, failed[ldap_obj_name],
config, context
)
if not dn:
continue
try:
ldap.add_entry(dn, entry_attrs)
except errors.ExecutionError, e:
failed[ldap_obj_name][pkey] = str(e)
else:
migrated[ldap_obj_name].append(pkey)
callback = self.migrate_objects[ldap_obj_name][2]
if callable(callback):
callback(
ldap, pkey, dn, entry_attrs, failed[ldap_obj_name],
config, context
)
return (migrated, failed)
def execute(self, ldapuri, bindpw, **options):
ldap = self.api.Backend.ldap2
self.normalize_options(options)
config = ldap.get_ipa_config()[1]
# check if migration mode is enabled
if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
return dict(result={}, failed={}, enabled=False)
# connect to DS
ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
# retrieve DS base DN
(entries, truncated) = ds_ldap.find_entries(
'', ['namingcontexts'], '', ds_ldap.SCOPE_BASE
)
try:
ds_base_dn = entries[0][1]['namingcontexts'][0]
except (IndexError, KeyError), e:
raise StandardError(str(e))
# migrate!
(migrated, failed) = self.migrate(
ldap, config, ds_ldap, ds_base_dn, options
)
return dict(result=migrated, failed=failed, enabled=True)
def output_for_cli(self, textui, result, ldapuri, bindpw, **options):
textui.print_name(self.name)
if not result['enabled']:
textui.print_plain(self.migration_disabled_msg)
return 1
textui.print_plain('Migrated:')
textui.print_entry1(
result['result'], attr_order=self.migrate_order,
one_value_per_line=False
)
for ldap_obj_name in self.migrate_order:
textui.print_plain('Failed %s:' % ldap_obj_name)
textui.print_entry1(
result['failed'][ldap_obj_name], attr_order=self.migrate_order,
one_value_per_line=True,
)
textui.print_plain('-' * len(self.name))
textui.print_plain(self.pwd_migration_msg)
api.register(migrate_ds)