Validate DN & RDN parameters for migrate command
Ticket #2555 We were generating a traceback (server error) if a malformed RDN was passed as a parameter to the migrate command. * Add parameter validation functions validate_dn_param() and validate_rdn_param() to ipalib.util. Those functions simply invoke the DN or RDN constructor from our dn module, passing it the string representation. If the constructor does not throw an error, the value is valid. * Add the parameter validation function pointers to the Param objects in the migrate command. * Make the usercontainer and groupcontainer parameters required. Passing --usercontainer= on the command line will produce ipa: ERROR: 'user_container' is required * Fix _get_search_bases() so that if a container dn is empty it just uses the base dn alone instead of faulting (currently bullet-proofing because now the containers are required). * Update the doc for usercontainer and groupcontainer to reflect the fact that they are DNs, not RDNs. An RDN can only be one level, and it should be possible to have a container more than one RDN removed from the base.
parent
98e662b96f
commit
d317c2a0d1
4
API.txt
4
API.txt
@ -1900,8 +1900,8 @@ args: 2,16,4
|
||||
arg: Str('ldapuri', cli_name='ldap_uri')
|
||||
arg: Password('bindpw', cli_name='password', confirm=False)
|
||||
option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
|
||||
option: Str('usercontainer?', autofill=True, cli_name='user_container', default=u'ou=people')
|
||||
option: Str('groupcontainer?', autofill=True, cli_name='group_container', default=u'ou=groups')
|
||||
option: Str('usercontainer', autofill=True, cli_name='user_container', default=u'ou=people')
|
||||
option: Str('groupcontainer', autofill=True, cli_name='group_container', default=u'ou=groups')
|
||||
option: Str('userobjectclass*', autofill=True, cli_name='user_objectclass', csv=True, default=(u'person',))
|
||||
option: Str('groupobjectclass*', autofill=True, cli_name='group_objectclass', csv=True, default=(u'groupOfUniqueNames', u'groupOfNames'))
|
||||
option: Str('userignoreobjectclass*', autofill=True, cli_name='user_ignore_objectclass', csv=True, default=())
|
||||
|
@ -23,6 +23,7 @@ import ldap as _ldap
|
||||
from ipalib import api, errors, output
|
||||
from ipalib import Command, Password, Str, Flag, StrEnum
|
||||
from ipalib.cli import to_cli
|
||||
from ipalib.util import validate_dn_param
|
||||
from ipalib.dn import *
|
||||
from ipalib.plugins.user import NO_UPG_MAGIC
|
||||
if api.env.in_server and api.env.context in ['lite', 'server']:
|
||||
@ -418,23 +419,23 @@ class migrate_ds(Command):
|
||||
)
|
||||
|
||||
takes_options = (
|
||||
Str('binddn?',
|
||||
Str('binddn?', validate_dn_param,
|
||||
cli_name='bind_dn',
|
||||
label=_('Bind DN'),
|
||||
default=u'cn=directory manager',
|
||||
autofill=True,
|
||||
),
|
||||
Str('usercontainer?',
|
||||
Str('usercontainer', validate_dn_param,
|
||||
cli_name='user_container',
|
||||
label=_('User container'),
|
||||
doc=_('RDN of container for users in DS relative to base DN'),
|
||||
doc=_('DN of container for users in DS relative to base DN'),
|
||||
default=u'ou=people',
|
||||
autofill=True,
|
||||
),
|
||||
Str('groupcontainer?',
|
||||
Str('groupcontainer', validate_dn_param,
|
||||
cli_name='group_container',
|
||||
label=_('Group container'),
|
||||
doc=_('RDN of container for groups in DS relative to base DN'),
|
||||
doc=_('DN of container for groups in DS relative to base DN'),
|
||||
default=u'ou=groups',
|
||||
autofill=True,
|
||||
),
|
||||
@ -589,9 +590,12 @@ can use their Kerberos accounts.''')
|
||||
def _get_search_bases(self, options, ds_base_dn, migrate_order):
|
||||
search_bases = dict()
|
||||
for ldap_obj_name in migrate_order:
|
||||
search_bases[ldap_obj_name] = '%s,%s' % (
|
||||
options['%scontainer' % to_cli(ldap_obj_name)], ds_base_dn
|
||||
)
|
||||
container = options.get('%scontainer' % to_cli(ldap_obj_name))
|
||||
if container:
|
||||
search_base = str(DN(container, ds_base_dn))
|
||||
else:
|
||||
search_base = ds_base_dn
|
||||
search_bases[ldap_obj_name] = search_base
|
||||
return search_bases
|
||||
|
||||
def migrate(self, ldap, config, ds_ldap, ds_base_dn, options):
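Review bot: In `_get_search_bases` (fully visible in this hunk), the new `else` branch silently falls back to `ds_base_dn` when a container is empty, which widens the search from one container to the whole base DN, so a migration could pick up entries the operator never meant to import. The commit message says this path is only bullet-proofing now that both containers are required, so it deserves a comment saying so, for example `# empty container: search the whole base DN; not reachable from the CLI now that the option is required`. If other callers can still pass an empty value, logging the fallback would make the wider scope visible. The two branches also store different things: one a `str(DN(...))` rendering, the other `ds_base_dn` as passed in. Using `search_base = str(DN(ds_base_dn))` would keep the values uniform, assuming `ds_base_dn` always parses as a DN.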
|
||||
|
@ -31,6 +31,7 @@ from weakref import WeakKeyDictionary
|
||||
|
||||
from ipalib import errors
|
||||
from ipalib.text import _
|
||||
from ipalib.dn import DN, RDN
|
||||
from ipapython import dnsclient
|
||||
from ipapython.ipautil import decode_ssh_pubkey
|
||||
|
||||
@ -484,3 +485,17 @@ def gen_dns_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
|
||||
policy += ";"
|
||||
|
||||
return policy
|
||||
|
||||
def validate_rdn_param(ugettext, value):
|
||||
try:
|
||||
rdn = RDN(value)
|
||||
except Exception, e:
|
||||
return str(e)
|
||||
return None
|
||||
|
||||
def validate_dn_param(ugettext, value):
|
||||
try:
|
||||
rdn = DN(value)
|
||||
except Exception, e:
|
||||
return str(e)
|
||||
return None
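Review bot: Both `validate_rdn_param` and `validate_dn_param` catch a bare `Exception` and return `str(e)`, so any failure inside the `RDN`/`DN` constructor, including one unrelated to the input, is reported to the caller as a validation message, and raw exception text is echoed back to the client. Narrow the `except` to the exception type(s) the dn module raises for malformed input, and return a fixed message through the `ugettext` argument, which is currently unused, so the text is translatable. The bound locals are never read, and `validate_dn_param` misleadingly names its local `rdn`; a bare `DN(value)` inside the `try` is enough. Each function also lacks a docstring stating the contract visible here: return `None` when the value parses, otherwise an error string.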
|
||||
|