Migration warning when compat enabled

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274

API.txt

@@ -1893,7 +1893,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', <type 'unicode'>, None)
 command: migrate_ds
-args: 2,15,3
+args: 2,16,4
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
@@ -1909,11 +1909,13 @@ option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid',
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307'))
 option: Flag('continue?', autofill=True, default=False)
 option: Str('basedn?', cli_name='base_dn')
+option: Flag('compat?', autofill=True, cli_name='with_compat', default=False)
 option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())
 option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=())
 output: Output('result', <type 'dict'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Output('enabled', <type 'bool'>, None)
+output: Output('compat', <type 'bool'>, None)
 command: netgroup_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True)

VERSION

@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=28
+IPA_API_VERSION_MINOR=29

ipalib/plugins/migration.py

@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and
 RFC2307bis. RFC2307bis uses member and uniquemember to specify group
 members, RFC2307 uses memberUid. The default schema is RFC2307bis.
 
+The schema compat feature allows IPA to reformat data for systems that
+do not support RFC2307bis. It is recommended that this feature is disabled
+during migration to reduce system overhead. It can be re-enabled after
+migration. To migrate with it enabled use the "--with-compat" option.
+
 Migrated users do not have Kerberos credentials, they have only their
 LDAP password. To complete the migration process, users need to go
 to http://ipa.example.com/ipa/migration and authenticate using their
@@ -107,6 +112,8 @@ _dn_err_msg = _('Malformed DN')
 
 _supported_schemas = (u'RFC2307bis', u'RFC2307')
 
+_compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config"
+
 
 def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
     attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
@@ -445,6 +452,12 @@ class migrate_ds(Command):
             label=_('Base DN'),
             doc=_('Base DN on remote LDAP server'),
         ),
+        Flag('compat?',
+            cli_name='with_compat',
+            label=_('Ignore compat plugin'),
+            doc=_('Allows migration despite the usage of compat plugin'),
+            default=False,
+        ),
     )
 
     has_output = (
@@ -460,6 +473,10 @@ class migrate_ds(Command):
             type=bool,
             doc=_('False if migration mode was disabled.'),
         ),
+        output.Output('compat',
+            type=bool,
+            doc=_('False if migration fails because the compatibility plug-in is enabled.'),
+        ),
     )
 
     exclude_doc = _('comma-separated list of %s to exclude from migration')
@@ -645,12 +662,18 @@ can use their Kerberos accounts.''')
 
         # check if migration mode is enabled
         if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
-            return dict(result={}, failed={}, enabled=False)
+            return dict(result={}, failed={}, enabled=False, compat=True)
 
         # connect to DS
         ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
         ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
 
+        #check whether the compat plugin is enabled
+        if not options.get('compat'):
+            (dn,check_compat) = ds_ldap.get_entry(_compat_dn, normalize=False)
+            if check_compat is not None and check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
+                return dict(result={},failed={},enabled=True, compat=False)
+
         if not ds_base_dn:
             # retrieve base DN from remote LDAP server
             (entries, truncated) = ds_ldap.find_entries(
@@ -670,13 +693,16 @@ can use their Kerberos accounts.''')
             ldap, config, ds_ldap, ds_base_dn, options
         )
 
-        return dict(result=migrated, failed=failed, enabled=True)
+        return dict(result=migrated, failed=failed, enabled=True, compat=True)
 
     def output_for_cli(self, textui, result, ldapuri, bindpw, **options):
         textui.print_name(self.name)
         if not result['enabled']:
             textui.print_plain(self.migration_disabled_msg)
             return 1
+        if not result['compat']:
+            textui.print_plain("The compat plug-in is enabled. This can increase the memory requirements during migration. Disable the compat plug-in with \'ipa-compat-manage disable\' or re-run this script with \'--with-compat\' option.")
+            return 1
         textui.print_plain('Migrated:')
         textui.print_entry1(
             result['result'], attr_order=self.migrate_order,