Don't delete users from LDAP before regenerating them (to avoid UID change)

4901ca3c · Baptiste Jonglez · c187697b · 4901ca3c
Commit 4901ca3c authored Feb 23, 2015 by Baptiste Jonglez
--- a/coin/members/management/commands/regenerate_ldap_members.py
+++ b/coin/members/management/commands/regenerate_ldap_members.py
@@ -9,11 +9,6 @@ from django.conf import settings
 from coin.members.models import Member, LdapUser


-# TODO: currently, we may completely mess up UIDs (attribute "uidNumber"
-# in LDAP), because we delete then recreate users, thus potentially
-# re-attributing a new uid.  If the users are used as Unix users on a
-# system, then it's probably not a good idea to change the uid.
-
 class Command(BaseCommand):
    args = '[login1 login2 ...]'
    help = """Regenerate user objects in the LDAP backend.  This is useful if you
@@ -24,8 +19,12 @@ class Command(BaseCommand):

    If --erase-all is passed, then the LDAP database is cleared of all its
    users before regenerating users from the local database.  Use this
-    option with caution, as you will lose any user that was present in the
-    LDAP database but not in the local database."""
+    option with a lot of caution, as you will lose any user that was
+    present in the LDAP database but not in the local database.
+    Additionally, Unix UIDs (attribute "uidNumber" in LDAP) are currently
+    generated when saving a new user, so --erase-all might lead to
+    different UIDs after the regeneration.  This is certainly a bad idea
+    if your Unix users are based on LDAP."""

    option_list = BaseCommand.option_list + (
        make_option('--erase-all',
@@ -54,11 +53,14 @@ class Command(BaseCommand):
            login = m.username
            if options['verbosity'] >= 2:
                self.stdout.write("Regenerating user {login}...".format(login=login))
-            # Try deleting the LDAP user first, so that we can recreate it
+            # The user might not exist in LDAP (maybe it was deleted or something)
            try:
-                LdapUser.objects.get(pk=login).delete()
+                LdapUser.objects.get(pk=login)
+                m.sync_to_ldap(creation=False, update_fields=None)
            except LdapUser.DoesNotExist:
-                pass
-            # Create the LDAP user
-            m.sync_to_ldap(creation=True, update_fields=None)
+                # Create the LDAP user
+                self.stderr.write("WARNING: user {login} not found in LDAP, "
+                                  "creating it (look at the resulting Unix "
+                                  "uidNumber to see if it's ok).".format(login=login))
+                m.sync_to_ldap(creation=True, update_fields=None)
        self.stdout.write("Done")