ipa/0054-migrate-ds-workaround-to-detect-compat-tree.patch

From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 7 Sep 2021 17:06:53 +0200
Subject: [PATCH] migrate-ds: workaround to detect compat tree

Migrate-ds needs to check if compat tree is enabled before
migrating users and groups. The check is doing a base
search on cn=compat,$SUFFIX and considers the compat tree
enabled when the entry exists.

Due to a bug in slapi-nis, the base search may return NotFound
even though the compat tree is enabled. The workaround is to
perform a base search on cn=users,cn=compat,$SUFFIX instead.

Fixes: https://pagure.io/freeipa/issue/8984
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/migration.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index db5241915497b14a12ed2c33003e1c4fc1a5369f..6ee205fc836a463ac250baa6131e43acb0c00efa 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
         # check whether the compat plugin is enabled
         if not options.get('compat'):
             try:
-                ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
+                ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
+                                  (api.env.basedn)))
                 return dict(result={}, failed={}, enabled=True, compat=False)
             except errors.NotFound:
                 pass
-- 
2.31.1