- Resolves: RHEL-84481 Protect all IPA service principals
- Resolves: RHEL-84277 [RFE] IDM support UIDs up to 4,294,967,293
- Resolves: RHEL-84276 Ipa client --raw --structured throws internal error
- Resolves: RHEL-82707 Search size limit tooltip has Search time limit tooltip text
- Resolves: RHEL-82089 IPU 9 -> 10: ipa-server breaks the in-place upgrade due to failed scriptlet
- Resolves: RHEL-68800 ipa-migrate with LDIF file from backup of remote server, fails with error 'change collided with another change'
- Resolves: RHEL-30658 ipa-cacert-manage install fails with CAs having the same subject DN (subject key mismatch info)

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From 7fd4b940abd2084fd6ec7de73dfd68551fce73fe Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 29 Jan 2025 10:07:45 -0500
Subject: [PATCH] ipa-migrate - do not migrate tombstone entries, ignore
MidairCollisions, and krbpwdpolicyreference
Replication related entries should not be migrated. The main reason is
that we do not allow entries to be added that have an RDN of nsuniqueid
(only the server can internally add them).
Most midair collisions are transient issues and can be ignored for
migration purposes. In migration tests this only happens when an
attribute does not exist in the local server. This happens frequently
with COS attributes.
We should also ignore 'krbpwdpolicyreference' as it's an attribute that is
set by COS and does not need to be migrated.
Fixes: https://pagure.io/freeipa/issue/9737
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate.py | 8 ++++++++
ipaserver/install/ipa_migrate_constants.py | 1 +
2 files changed, 9 insertions(+)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index ece473bc8cb525e2d563356b5b274502d6b703e8..5ba140ce37156a6f2cb50d08427f5024925686e6 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -1462,6 +1462,10 @@ class IPAMigrate():
if DN(exclude_dn) in DN(entry_dn):
return
+ # Skip tombstones
+ if 'nsTombstone' in entry_attrs['objectClass']:
+ return
+
# Determine entry type: user, group, hbac, etc
entry_type = self.get_entry_type(entry_dn, entry_attrs)
if entry_type is None:
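Review bot: the tombstone test at `if 'nsTombstone' in entry_attrs['objectClass']:` is an exact-case string match, but objectClass values are case-insensitive in LDAP, so an entry whose source spells the value `nstombstone` would not be skipped and would continue into the migration path that the commit message says cannot accept it. Compare against a lowercased list, for example `if 'nstombstone' in [oc.lower() for oc in entry_attrs['objectClass']]:`, unless `entry_attrs` already normalises values, which this hunk does not show. The skip also returns without a debug log line or a stats counter, so a run leaves no record of how many tombstones were dropped.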
@@ -1568,6 +1572,10 @@ class IPAMigrate():
stats['custom'] += 1
else:
DB_OBJECTS[entry_type]['count'] += 1
+ except errors.MidairCollision as e:
+ # Typically means no such attribute, ok to ignore
+ self.log_debug(f'Failed to update "{local_dn}" error: '
+ f'{str(e)} - ok to ignore')
except errors.ExecutionError as e:
self.log_error(f'Failed to update "{local_dn}" error: '
f'{str(e)}')
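Review bot: the new `except errors.MidairCollision` branch treats every collision on the update of `local_dn` as ignorable and records it only through `self.log_debug`, while its own comment says this "Typically" means a missing attribute. In the non-typical case the update was not applied and nothing outside the debug log or in `stats` shows it. Suggest incrementing a counter, or logging at a level that reaches the run summary, so the skipped DNs can be reviewed after migration. The branch has to stay above `except errors.ExecutionError` to take effect if MidairCollision derives from it; a one-line comment saying so would keep a later reorder from undoing the change. Minor: `str(e)` inside the f-string is redundant, `{e}` is enough.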
diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
index e8192fb1aabae1c36669370eff242428a1f0355f..09856f07cabd124a7899bc5f355a56eb23023cc0 100644
--- a/ipaserver/install/ipa_migrate_constants.py
+++ b/ipaserver/install/ipa_migrate_constants.py
@@ -71,6 +71,7 @@ IGNORE_ATTRS = [
'serverhostname',
'krbpasswordexpiration',
'krblastadminunlock',
+ 'krbpwdpolicyreference', # COS attribute
]
# For production mode, bring everything over
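Review bot: the `'krbpwdpolicyreference', # COS attribute` entry in `IGNORE_ATTRS` drops the attribute unconditionally, and the inline comment does not say why that is safe. If an entry on the remote server carries a stored value rather than a COS-generated one, that password policy reference is lost in migration with no log line to show it. Suggest expanding the comment to state that the value is supplied by COS on the local server, and confirming that stored values are not expected on the entries being migrated.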
--
2.48.1