From c052bbbfd2737f88b6496be7d4849cf17d9a126f Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Tue, 29 Apr 2025 14:05:15 -0400 Subject: [PATCH] ipa-migrate - improve suffix replacement When values are "normalized/converted" to a new domain the order in which the host/release/suffix are converted matters. Replacing the suffix first can lead to incorrect results, so convert the host/realm before converting the suffix Signed-off-by: Mark Reynolds relates: https://pagure.io/freeipa/issue/9776 Reviewed-By: Rob Crittenden --- ipaserver/install/ipa_migrate.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py index 8ef0071f5c2edc1ce6cba780ac9a7d74122ea79d..a24a2ab7a5ffd4cf1d59179f14e2f5d348fd57e2 100644 --- a/ipaserver/install/ipa_migrate.py +++ b/ipaserver/install/ipa_migrate.py @@ -1084,11 +1084,9 @@ class IPAMigrate(): if isinstance(val, bytes) or isinstance(val, DN): return val - # Replace base DN - val = self.replace_suffix_value(val) - # For DNS DN we only replace suffix if dns: + val = self.replace_suffix_value(val) return val # Replace host @@ -1102,6 +1100,9 @@ class IPAMigrate(): # Replace realm val = val.replace(self.remote_realm, self.realm) + # Lastly, replace base DN + val = self.replace_suffix_value(val) + return val def convert_values(self, values, dns=False): -- 2.49.0