Commit 332fed5a authored by Côme Chilliet's avatar Côme Chilliet

Fixes #5235 Removed from fusiondirectory-setup migration option from older than 1.0.15

parent ae3b5141
......@@ -1216,206 +1216,11 @@ sub migrate_users {
}
}
$mesg = $ldap->search(
filter => '(objectClass=gosaAccount)',
base => $base
);
$mesg->code && die $mesg->error;
if ($mesg->count > 0) {
print ("The following users are using the obsolete gosaAccount objectClass:\n");
my @entries = $mesg->entries;
foreach my $entry (@entries) {
print $entry->dn()."\n";
}
if (ask_yn_question("Remove the gosaAccount objectClass from these entries?")) {
foreach my $entry (@entries) {
my @replace;
my @delete;
my @classes = $entry->get_value('objectClass');
if (grep {$_ eq 'gosaAccount'} @classes) {
foreach my $class (@classes) {
if ($class ne 'gosaAccount') {
push(@replace, "$class");
}
}
if (
($entry->exists('dateOfBirth') || $entry->exists('personalTitle') || $entry->exists('gender'))
&& !(grep {$_ eq 'fdPersonalInfo'} @classes)
) {
push(@replace, "fdPersonalInfo");
}
if (!(grep {$_ eq 'sambaSamAccount'} @classes)) {
foreach my $sambaAttr ('sambaLMPassword','sambaNTPassword','sambaPwdLastSet','sambaBadPasswordCount','sambaBadPasswordTime') {
if ($entry->exists($sambaAttr)) {
push(@delete, $sambaAttr);
}
}
}
}
if (scalar(@delete) > 0) {
$mesg = $ldap->modify($entry->dn(), delete => \@delete, replace => [ "objectClass" => \@replace ]);
$mesg->code && print $entry->dn()." (deleting samba attributes): ".$mesg->error."\n";
} else {
$mesg = $ldap->modify($entry->dn(), replace => [ "objectClass" => \@replace ]);
$mesg->code && print $entry->dn().": ".$mesg->error."\n";
}
undef @replace;
undef @delete;
}
}
}
# unbind to the LDAP server
my $unbind = $ldap->unbind;
$unbind->code && warn "! Unable to unbind from LDAP server: ", $unbind->error."\n";
}
# function that moves DNS zones from systems to ou=dns
sub migrate_dns {
# initiate the LDAP connexion
my %hash_ldap_param = get_ldap_connexion();
# LDAP's connection's parameters
my $base = $hash_ldap_param{base};
my $ldap = $hash_ldap_param{ldap};
# Search for DNS zones
my $mesg = $ldap->search(
base => "$base",
filter => "(&(objectClass=dNSZone)(relativeDomainName=@)(!(|(zoneName=*.arpa)(zoneName=*.arpa.))))",
attrs => ['zoneName']
);
$mesg->code && die $mesg->error;
my @entries = $mesg->entries;
print "There are ".$mesg->count." DNS zones in the LDAP\n";
my @baddns = ();
foreach my $entry (@entries) {
if ($entry->dn() !~ m/$dnsrdn/) {
if (scalar(@baddns) == 0) {
print "The following are not in the DNS branch ($dnsrdn):\n";
}
print $entry->dn()."\n";
push @baddns, $entry->dn();
}
}
if (scalar(@baddns) == 0) {
print "They all already are in the DNS branch ($dnsrdn):\n";
} else {
if (ask_yn_question("Move these entries to the DNS branch ($dnsrdn)?")) {
foreach my $entrydn (@baddns) {
$entrydn =~ m/^([^,]+),(.+$systemrdn,(.+))$/ or die "Could not parse dn ".$entrydn."\n";
my $rdn = $1;
my $systemdn = $2;
my $entrybase = $3;
if (!branch_exists($ldap, "$dnsrdn,$entrybase")) {
create_branch($ldap, $entrybase, $dnsrdn);
}
my $result = $ldap->moddn (
$entrydn,
newrdn => $rdn,
deleteoldrdn => '1',
newsuperior => "$dnsrdn,$entrybase"
);
$result->code && die "Migration of DNS zone entry failed, LDAP error: ".$result->error."\n";
my $zoneDn = "$rdn,$dnsrdn,$entrybase";
$mesg = $ldap->search(
base => $zoneDn,
filter => "(&(objectClass=dNSZone)(relativeDomainName=*)(!(|(zoneName=*.arpa)(zoneName=*.arpa.))))"
);
$mesg->code && die $mesg->error;
@entries = $mesg->entries;
foreach my $entry (@entries) {
$entry->dn() =~ m/^([^,]+),(relativeDomainName=[^,]+),$zoneDn$/ or next;
$rdn = $1;
my $relativeDomainName = $2;
if ($rdn eq $relativeDomainName) {
my %replace = ();
my @attributes = $entry->attributes();
foreach my $attr (@attributes) {
$replace{$attr} = $entry->get_value($attr, asref => 1)
}
$result = $ldap->modify (
"$rdn,$zoneDn",
replace => \%replace
);
$result->code && die "Migration of DNS zone subentry failed, LDAP error: ".$result->error."\n";
$result = $ldap->delete ($entry->dn());
} else {
$result = $ldap->moddn (
$entry->dn(),
newrdn => $rdn,
deleteoldrdn => '1',
newsuperior => $zoneDn
);
}
$result->code && die "Migration of DNS zone subentry failed, LDAP error: ".$result->error."\n";
}
# Fix reverse zone PTR records DNs
$mesg = $ldap->search(
base => $zoneDn,
filter => "(&(objectClass=dNSZone)(!(relativeDomainName=@))(|(zoneName=*.arpa)(zoneName=*.arpa.)))"
);
$mesg->code && die $mesg->error;
@entries = $mesg->entries;
foreach my $entry (@entries) {
$entry->dn() =~ m/^([^,]+),relativeDomainName=[^,]+,$zoneDn$/ or next;
$result = $ldap->moddn (
$entry->dn(),
newrdn => $1,
deleteoldrdn => '1',
newsuperior => 'zoneName='.$entry->get_value('zoneName').','.$zoneDn
);
$result->code && die "Migration of DNS reverse zone subentry ".$entry->dn()." failed, LDAP error: ".$result->error."\n";
}
# Add DNS tab on server
$mesg = $ldap->search(
base => $systemdn,
scope => 'base',
filter => '(objectClass=*)'
);
$mesg->code && die $mesg->error;
my $system_entry = $mesg->shift_entry;
$system_entry->get_value('objectClass');
my @classes = $system_entry->get_value('objectClass');
if (grep {$_ eq 'fdDNSHost'} @classes) {
$result = $ldap->modify (
"$systemdn",
add => {
'fdDNSZoneDn' => $zoneDn,
}
);
} else {
$result = $ldap->modify (
"$systemdn",
add => {
'fdDNSZoneDn' => $zoneDn,
'objectClass' => 'fdDNSHost'
}
);
}
$result->code && print "Could not add DNS tab on $systemdn, LDAP error: ".$result->error."\nYou'll need to activate it yourself\n";
}
}
}
}
# function that moves DHCP configurations from systems to ou=dhcp
sub migrate_dhcp {
# initiate the LDAP connexion
......@@ -1506,139 +1311,6 @@ sub migrate_dhcp {
}
}
sub migrate_acls {
# initiate the LDAP connexion
my %hash_ldap_param = get_ldap_connexion();
# LDAP's connection's parameters
my $base = $hash_ldap_param{base};
my $ldap = $hash_ldap_param{ldap};
# Search for old formatted ACLs
my $mesg = $ldap->search(
base => "$base",
filter => "(gosaAclEntry=*)",
attrs => ['gosaAclEntry']
);
$mesg->code && die $mesg->error;
while (my $entry = $mesg->shift_entry) {
my $acls = $entry->get_value('gosaAclEntry', asref => 1);
my @nacls = ();
my $old_formats = 0;
ACL: foreach my $acl (@$acls) {
my $old_format = 0;
my ($index,$scope,$part1,$part2,$filter);
if ($acl =~ m/:(p?sub|role):/) {
$old_format = 1;
($index,$scope,$part1,$part2,$filter) = split(':', $acl);
} elsif ($acl !~ m/:subtree:/) {
# With one or base scope we can't know, we have to check other parts
($index,$scope,$part1,$part2,$filter) = split(':', $acl);
my $dn = decode_base64($part1);
$mesg = $ldap->search(
base => "$dn",
scope => 'base',
filter => '(objectClass=gosaRole)'
);
die_on_ldap_errors($mesg);
if ($mesg->count == 0) {
$old_format = 1;
}
}
if ($old_format) {
$old_formats = 1;
print "$acl needs migration\n";
my ($role_dn, $members);
if ($scope eq 'role') {
$role_dn = decode_base64($part1);
$members = $part2;
# Find scope in role
$mesg = $ldap->search(
base => $role_dn,
scope => 'base',
filter => '(objectClass=gosaRole)'
);
die_on_ldap_errors($mesg);
if (my $role_entry = $mesg->shift_entry) {
my $acl_templates = $role_entry->get_value('gosaAclTemplate', asref => 1);
my $scope = '';
foreach my $acl_template (@$acl_templates) {
my ($t_index,$t_scope,$t_acl) = split(':',$acl_template);
if ($scope eq '') {
$scope = $t_scope;
} elsif ($scope ne $t_scope) {
print "We don't know how to migrate role $role_dn as it contains several scopes\n";
push @nacls, $acl;
next ACL;
}
}
push @nacls, "$index:$scope:".encode_base64($role_dn).":$members";
} else {
# Removing invalid ACL
print "Removing acl as associated role $role_dn does not exists\n";
next ACL;
}
} else {
my $cn = find_free_role_dn($ldap,$base,'migrated-acl');
$role_dn = create_role($ldap,$base,$cn,$part2);
$members = $part1;
if ($scope =~ m/sub$/) {
$scope = 'subtree';
}
push @nacls, "$index:$scope:".encode_base64($role_dn).":$members";
}
} else {
push @nacls, $acl;
}
}
if ($old_formats) {
@nacls = sort @nacls;
my $i = 0;
for (@nacls) { s/^[0-9]*:/$i:/; $i++ }; # Re-index acls
my $result = $ldap->modify (
$entry->dn,
replace => {
'gosaAclEntry' => \@nacls
}
);
$result->code && warn "\n! failed to migrate ACL for '".$entry->dn."' - ".$result->error_name.": ".$result->error_text;
print "Migrated acls for '".$entry->dn."'\n";
}
}
# Search for old formatted ACL roles
$mesg = $ldap->search(
base => "$base",
filter => "(gosaAclTemplate=*:*:*)",
attrs => ['gosaAclTemplate']
);
$mesg->code && die $mesg->error;
ROLE: while (my $role_entry = $mesg->shift_entry) {
my $acl_templates = $role_entry->get_value('gosaAclTemplate', asref => 1);
my $scope = '';
my @ntemplates = ();
foreach my $acl_template (@$acl_templates) {
my ($t_index,$t_scope,$t_acl) = split(':',$acl_template);
if ($scope eq '') {
$scope = $t_scope;
} elsif ($scope ne $t_scope) {
print "We don't know how to migrate role '".$role_entry->dn."' as it contains several scopes\n";
next ROLE;
}
push @ntemplates, $t_index.':'.$t_acl;
}
my $result = $ldap->modify (
$role_entry->dn,
replace => {
'gosaAclTemplate' => \@ntemplates
}
);
$result->code && warn "\n! failed to migrate ACL for '".$role_entry->dn."' - ".$result->error_name.": ".$result->error_text;
print "Migrated role '".$role_entry->dn."'\n";
}
}
sub delete_gosa_locks {
# initiate the LDAP connexion
my %hash_ldap_param = get_ldap_connexion();
......@@ -1697,65 +1369,6 @@ sub get_deprecated {
return (\@obsolete_attrs, \@obsolete_classes);
}
# function that migrates printers from FD<=1.0.13 to FD>=1.0.14
sub migrate_printers {
# initiate the LDAP connexion
my %hash_ldap_param = get_ldap_connexion();
# LDAP's connection's parameters
my $base = $hash_ldap_param{base};
my $ldap = $hash_ldap_param{ldap};
my $mesg = $ldap->search(
filter => '(objectClass=gotoPrinter)',
base => $base
);
$mesg->code && die $mesg->error;
if ($mesg->count > 0) {
print ("The following printers are using the obsolete gotoPrinter objectClass:\n");
my @entries = $mesg->entries;
foreach my $entry (@entries) {
print $entry->dn()."\n";
}
if (ask_yn_question("Migrate these entries to fdPrinter objectClass?")) {
foreach my $entry (@entries) {
my $newrdn = "cn=".$entry->get_value('cn')."+ipHostNumber=".$entry->get_value('ipHostNumber');
$mesg = $ldap->moddn($entry->dn(), newrdn => $newrdn);
if ($mesg->code) {
print $entry->dn().": ".$mesg->error."\n";
next;
}
my $dn_old = $entry->dn();
$dn_old =~ s/^[^,]+,/$newrdn,/;
my @replace = ('ieee802Device', 'ipHost', 'fdPrinter');
my @classes = $entry->get_value('objectClass');
foreach my $class (@classes) {
if ($class ne 'gotoPrinter') {
push(@replace, "$class");
}
}
$entry->replace("objectClass" => \@replace);
$mesg = $ldap->add($entry);
if ($mesg->code) {
print $entry->dn().": ".$mesg->error."\n";
next;
}
undef @replace;
$mesg = $ldap->delete($dn_old);
$mesg->code && print $dn_old.": ".$mesg->error."\n";
}
}
}
# unbind to the LDAP server
my $unbind = $ldap->unbind;
$unbind->code && warn "! Unable to unbind from LDAP server: ", $unbind->error."\n";
}
# function that migrates systems from FD<1.1 to FD>=1.1
sub migrate_systems {
# initiate the LDAP connexion
......@@ -1963,7 +1576,7 @@ sub ldif_deprecated {
my ($obsolete_attrs, $obsolete_classes) = get_deprecated();
my $filterAttrs = '(|'.join('', (map{ '('.$_->{'name'}.'=*)' } @$obsolete_attrs)).')';
my $filterClasses = '(|'.join('', (map{ '(objectClass='.$_->{'name'}.')' } (grep {$_ ne 'gosaAccount'} @$obsolete_classes))).')';
my $filterClasses = '(|'.join('', (map{ '(objectClass='.$_->{'name'}.')' } @$obsolete_classes)).')';
# initiate the LDAP connexion
my %hash_ldap_param = get_ldap_connexion();
......@@ -1987,24 +1600,6 @@ sub ldif_deprecated {
print "delete:".$attr->{'name'}."\n-\n";
}
}
my @classes = $entry->get_value('objectClass');
if (grep {$_ eq 'gosaAccount'} @classes) {
print "# Removing obsolete objectClass gosaAccount\n";
print "replace:objectClass\n";
foreach my $class (@classes) {
if ($class ne 'gosaAccount') {
print "objectClass:$class\n";
}
}
if (
($entry->exists('dateOfBirth') || $entry->exists('personalTitle') || $entry->exists('gender'))
&& !(grep {$_ eq 'fdPersonalInfo'} @classes)
) {
print "objectClass:fdPersonalInfo\n";
print "# Adding fdPersonalInfo because either dateOfBirth, personalTitle or gender is present. See personal plugin.\n";
}
print "-\n";
}
print "\n";
}
} else {
......@@ -2018,7 +1613,7 @@ sub ldif_deprecated {
$entries->code && die $entries->error;
if ($entries->count > 0) {
print "# WARNING: There are entries in the LDAP using obsolete classes (other than gosaAccount), you need to edit them manually\n";
print "# WARNING: There are entries in the LDAP using obsolete classes, you need to edit them manually\n";
} else {
print "# There are no entries in the LDAP using obsolete classes\n";
}
......@@ -2144,12 +1739,9 @@ die ("! You have to run this script as root\n") if ($<!=0);
$commands{"--check-ldap"} = ["Checking your LDAP tree", \&check_ldap];
$commands{"--check-ids"} = ["Checking for duplicated uid or gid numbers", \&check_id_numbers];
$commands{"--migrate-users"} = ["Migrating your users", \&migrate_users];
$commands{"--migrate-printers"} = ["Migrating your printers from FD < 1.0.14", \&migrate_printers];
$commands{"--migrate-phones"} = ["Migrating your phones from FD < 1.1", \&migrate_phones];
$commands{"--migrate-systems"} = ["Migrating your systems from FD < 1.1", \&migrate_systems];
$commands{"--migrate-dns"} = ["Migrating DNS zones for FD >= 1.0.10", \&migrate_dns];
$commands{"--migrate-dhcp"} = ["Migrating DHCP configurations for FD >= 1.0.17",\&migrate_dhcp];
$commands{"--migrate-acls"} = ["Migrating your ACLs", \&migrate_acls];
$commands{"--delete-gosa-locks"} = ["Delete lock tokens using old gosaLockEntry class", \&delete_gosa_locks];
$commands{"--install-plugins"} = ["Installing FusionDirectory's plugins", \&install_plugins];
$commands{"--encrypt-passwords"} = ["Encrypt passwords in fusiondirectory.conf", \&encrypt_passwords];
......@@ -2247,10 +1839,6 @@ This option check your LDAP tree for duplicated uidNumber or gidNumber among use
This option add FusionDirectory attributes to the people branch.
=item --migrate-printers
This option replace gosaPrinter objectClass by new fdPrinter objectClass.
=item --migrate-phones
This option removes device objectClass for phones as fdPhones is now structural since FD 1.1.
......@@ -2259,18 +1847,10 @@ This option removes device objectClass for phones as fdPhones is now structural
This option replace old systems objectClasses by new objectClasses from FD 1.1.
=item --migrate-dns
This option moves DNS zones from systems branch to DNS branch, which is necessary for FusionDirectory 1.0.10 and above.
=item --migrate-dhcp
This option moves DHCP configurations from systems branch to DHCP branch, which is necessary for FusionDirectory 1.0.17 and above.
=item --migrate-acls
This option will migrated old GOsa style acl from 1.0.7 into FusionDirectory acl roles in 1.0.8
=item --delete-gosa-locks
This option will delete old GOsa style lock tokens from 1.0.15 or older
......
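Review bot: The new `ldif_deprecated` warning ("you need to edit them manually") and the trimmed POD give an operator coming from a pre-1.0.15 directory no upgrade path, because the gosaAccount cleanup and the DNS, ACL and printer migrations are removed with no pointer to where they now live. The deleted `migrate_users` branch also appears to have been the only code that dropped `sambaLMPassword`/`sambaNTPassword` from gosaAccount entries lacking `sambaSamAccount`. Nothing visible here replaces it, so those password-hash attributes presumably stay in the directory unless someone cleans them by hand. I would add a POD paragraph saying that directories older than 1.0.15 must first be migrated with an earlier fusiondirectory-setup release, and extend the warning to `# WARNING: There are entries in the LDAP using obsolete classes, you need to edit them manually (if you come from FD < 1.0.15, run the migrations of an earlier fusiondirectory-setup first)`. Whether the option parser rejects the removed `--migrate-dns`, `--migrate-acls` and `--migrate-printers` flags with a clear error is not visible on this page and is worth confirming.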