Validate DN & RDN parameters for migrate command

Ticket #2555

We were generating a traceback (server error) if a malformed RDN was
passed as a parameter to the migrate command.

* add parameter validation functions validate_dn_param() and
  validate_rdn_param() to ipalib.util. Those functions simply invoke
  the DN or RDN constructor from our dn module passing it the string
  representation. If the constructor does not throw an error it's
  valid.

* Add the parameter validation function pointers to the Param objects
  in the migrate command.

* Make the usercontainer and groupcontainer parameters required.
  passing --usercontainer= on the command line will produce

  ipa: ERROR: 'user_container' is required

* Fix _get_search_bases() so if a container dn is empty it just
  uses the base dn alone instead of faulting (currently
  bullet-proofing because now the containers are required).

* Update the doc for usercontainer and groupcontainer to reflect the
  fact they are DN's not RDN's. A RDN can only be one level and it
  should be possible to have a container more than one RDN removed
  from the base.
John Dennis 2012-04-16 08:33:26 +02:00 committed by Martin Kosek
parent 98e662b96f
commit d317c2a0d1
3 changed files with 29 additions and 10 deletions


@ -1900,8 +1900,8 @@ args: 2,16,4
arg: Str('ldapuri', cli_name='ldap_uri')
arg: Password('bindpw', cli_name='password', confirm=False)
option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
option: Str('usercontainer?', autofill=True, cli_name='user_container', default=u'ou=people')
option: Str('groupcontainer?', autofill=True, cli_name='group_container', default=u'ou=groups')
option: Str('usercontainer', autofill=True, cli_name='user_container', default=u'ou=people')
option: Str('groupcontainer', autofill=True, cli_name='group_container', default=u'ou=groups')
option: Str('userobjectclass*', autofill=True, cli_name='user_objectclass', csv=True, default=(u'person',))
option: Str('groupobjectclass*', autofill=True, cli_name='group_objectclass', csv=True, default=(u'groupOfUniqueNames', u'groupOfNames'))
option: Str('userignoreobjectclass*', autofill=True, cli_name='user_ignore_objectclass', csv=True, default=())


@ -23,6 +23,7 @@ import ldap as _ldap
from ipalib import api, errors, output
from ipalib import Command, Password, Str, Flag, StrEnum
from ipalib.cli import to_cli
from ipalib.util import validate_dn_param
from ipalib.dn import *
from ipalib.plugins.user import NO_UPG_MAGIC
if api.env.in_server and api.env.context in ['lite', 'server']:
@ -418,23 +419,23 @@ class migrate_ds(Command):
)
takes_options = (
Str('binddn?',
Str('binddn?', validate_dn_param,
cli_name='bind_dn',
label=_('Bind DN'),
default=u'cn=directory manager',
autofill=True,
),
Str('usercontainer?',
Str('usercontainer', validate_dn_param,
cli_name='user_container',
label=_('User container'),
doc=_('RDN of container for users in DS relative to base DN'),
doc=_('DN of container for users in DS relative to base DN'),
default=u'ou=people',
autofill=True,
),
Str('groupcontainer?',
Str('groupcontainer', validate_dn_param,
cli_name='group_container',
label=_('Group container'),
doc=_('RDN of container for groups in DS relative to base DN'),
doc=_('DN of container for groups in DS relative to base DN'),
default=u'ou=groups',
autofill=True,
),
@ -589,9 +590,12 @@ can use their Kerberos accounts.''')
def _get_search_bases(self, options, ds_base_dn, migrate_order):
search_bases = dict()
for ldap_obj_name in migrate_order:
search_bases[ldap_obj_name] = '%s,%s' % (
options['%scontainer' % to_cli(ldap_obj_name)], ds_base_dn
)
container = options.get('%scontainer' % to_cli(ldap_obj_name))
if container:
search_base = str(DN(container, ds_base_dn))
else:
search_base = ds_base_dn
search_bases[ldap_obj_name] = search_base
return search_bases
def migrate(self, ldap, config, ds_ldap, ds_base_dn, options):
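Review bot: In `_get_search_bases`, `DN(container, ds_base_dn)` now parses `ds_base_dn` as well as the container, but none of the visible hunks validate the base DN, so a malformed base would presumably still raise from the DN constructor here and surface as the same server error this commit sets out to remove. If the base DN comes from a user-supplied option (its declaration is outside these hunks), attaching `validate_dn_param` to that option would close the gap. The `else` branch also returns `ds_base_dn` as the raw string while the other branch returns a normalised `str(DN(...))`; `search_base = str(DN(ds_base_dn))` would keep both results in the same form. A one-line docstring stating that an empty container falls back to the base DN alone would record the intent given in the commit message.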


@ -31,6 +31,7 @@ from weakref import WeakKeyDictionary
from ipalib import errors
from ipalib.text import _
from ipalib.dn import DN, RDN
from ipapython import dnsclient
from ipapython.ipautil import decode_ssh_pubkey
@ -484,3 +485,17 @@ def gen_dns_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
policy += ";"
return policy
def validate_rdn_param(ugettext, value):
try:
rdn = RDN(value)
except Exception, e:
return str(e)
return None
def validate_dn_param(ugettext, value):
try:
rdn = DN(value)
except Exception, e:
return str(e)
return None
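Review bot: Both validators catch `Exception`, so any failure inside the constructor, including an unrelated programming error, is reported to the caller as a parameter-validation message, and `str(e)` is returned verbatim without passing through `ugettext`. Catching only the exception type the dn module raises for malformed input (not visible on this page) would keep real bugs visible instead of turning them into user-facing text. The bound name is never used, and in `validate_dn_param` it is called `rdn` although it holds a DN; a bare `DN(value)` is enough. Neither function has a docstring; one line such as `"""Return None if value parses as a DN, else the parser's error text."""` would document the return contract.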