URL: https://github.com/freeipa/freeipa/pull/867 Author: abbra Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest Action: synchronized
To pull the PR as a Git branch:

git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/867/head:pr867
git checkout pr867
From 2cd8af5201af9e2e962c4987a3b3641f3b83c982 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <[email protected]>
Date: Mon, 12 Jun 2017 11:05:06 +0300
Subject: [PATCH] trust-mod: allow modifying list of UPNs of a trusted forest

There are two ways of maintaining user principal names (UPNs) in Active Directory:

- associate UPN suffixes with the forest root and then allow each user account to choose a UPN suffix for logon
- directly modify the userPrincipalName attribute in LDAP

Both approaches lead to the same result: the AD DC accepts user@UPN-Suffix as a proper principal in AS-REQ and TGS-REQ.

The latter case (directly modifying userPrincipalName) has the consequence that this UPN suffix is not visible via the netr_DsRGetForestTrustInformation DCE RPC call. As a result, the FreeIPA KDC will not know that a particular UPN suffix belongs to a trusted Active Directory forest. As a result, SSSD will not be able to authenticate and validate this user from a trusted Active Directory forest. This is especially true for one-word UPNs, which otherwise wouldn't work properly at the Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated with the forest in this case.

With this commit, an option is added to 'ipa trust-mod' that allows specifying arbitrary UPN suffixes for a trusted forest root. As with all '-mod' commands, the change replaces existing UPNs when applied, so administrators are responsible for specifying all of them:

    ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
---
 API.txt                    | 3 ++-
 VERSION.m4                 | 4 ++--
 ipaserver/plugins/trust.py | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 44567a22da..aabd9c0d4a 100644
--- a/API.txt
+++ b/API.txt
@@ -5772,11 +5772,12 @@ output: ListOfEntries('result') output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) output: Output('truncated', type=[<type 'bool'>]) command: trust_mod/1 -args: 1,9,3 +args: 1,10,3 arg: Str('cn', cli_name='realm') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') +option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upn_suffixes') option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming') option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing') option: Flag('raw', autofill=True, cli_name='raw', default=False) diff --git a/VERSION.m4 b/VERSION.m4 index 706c243739..cc308f1e23 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 20100614120000) # # ######################################################## define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 227) -# Last change: Add `pkinit-status` command +define(IPA_API_VERSION_MINOR, 228) +# Last change: Expose ipaNTAdditionalSuffixes in trust-mod ######################################################## diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 075b39dcc3..d0bbfbc47c 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -553,8 +553,9 @@ class trust(LDAPObject): flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), Str('ipantadditionalsuffixes*', + cli_name='upn_suffixes', label=_('UPN suffixes'), - flags={'no_create', 'no_update', 'no_search'}, + flags={'no_create', 'no_search'}, ), )
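Review bot: the API.txt hunk (args 1,9,3 to 1,10,3 plus the new `option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upn_suffixes')`) is not backed by any test: the diffstat lists only API.txt, VERSION.m4 and ipaserver/plugins/trust.py. A trust_mod test that sets `--upn-suffixes` twice in a row and reads the attribute back with trust-show would pin down the replace-not-append semantics the commit message describes, which is exactly the behaviour an administrator is most likely to get wrong. The entry itself is consistent with the plugin change and with the neighbouring `ipantsidblacklist*` options (same `autofill=False`, multi-valued Str).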
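Review bot: in the VERSION.m4 hunk the `# Last change:` comment names the LDAP attribute (`Expose ipaNTAdditionalSuffixes in trust-mod`) while the CLI surfaces it as `--upn-suffixes`; naming both, e.g. `# Last change: Expose ipaNTAdditionalSuffixes as trust-mod --upn-suffixes`, would help anyone grepping the version history for the option name. The minor bump 227 to 228 is the right one for an added option.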
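Review bot: in the trust.py hunk, removing 'no_update' from the flags makes the parameter writable, but the `Str('ipantadditionalsuffixes*', ...)` still carries only `label=_('UPN suffixes')`, with no `doc=` and no pattern or validator, so `ipa trust-mod --help` shows the reader nothing about the replace-the-whole-list semantics that the commit message documents, and any string (one containing '@' or whitespace included) ends up in ipaNTAdditionalSuffixes. Suggest at least `doc=_('UPN suffixes of the trusted forest (replaces the current list)')` and a validator rejecting values that cannot be the part after '@' in user@suffix. It is also worth stating, in the doc string or in the commit message, whether manually added suffixes survive a later refresh of the forest's trust information obtained via netr_DsRGetForestTrustInformation, since the message only says the administrator is responsible for the list.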
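The commit message's point that '-mod' replaces the whole list means a naive `ipa trust-mod ad.test --upn-suffixes=new` silently drops existing.upn and another_upn. As an added example (not code from the FreeIPA project or from this patch), the Python below reads the current values from `ipa trust-show --raw`, merges the additions case-insensitively, and emits the full trust-mod command line with one `--upn-suffixes=<value>` argument per suffix, so it does not depend on the bash brace expansion used in the commit message's one-liner (brace expansion is not part of POSIX sh). Assumptions, marked in the code: the `--raw` output prints one `ipantadditionalsuffixes: <value>` line per value, and the sample trust-show output is constructed, not captured from a real server.

```python
"""Merge UPN suffixes into a trusted forest's list before running ipa trust-mod.

Added example, not FreeIPA project code. trust-mod replaces the multi-valued
ipaNTAdditionalSuffixes attribute as a whole, so the caller must resend every
existing value together with the new ones.
"""
import shlex
import subprocess
import sys

# Attribute name as exposed by `ipa trust-show --raw` (assumption: raw mode
# prints "attr: value", one line per value for multi-valued attributes).
ATTR = "ipantadditionalsuffixes"


def _contains(values, candidate):
    """Case-insensitive membership test (UPN suffixes are DNS-style names)."""
    return candidate.lower() in (v.lower() for v in values)


def parse_upn_suffixes(raw_output):
    """Extract UPN suffixes from `ipa trust-show --raw` output, in first-seen order."""
    found = []
    for line in raw_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip().lower() == ATTR:
            value = value.strip()
            if value and not _contains(found, value):
                found.append(value)
    return found


def validate_suffix(suffix):
    """Reject values that cannot be the part after '@' in user@suffix.

    One-word suffixes (no dot) are deliberately accepted: the commit message
    singles them out as the ones that need manual registration.
    """
    s = suffix.strip()
    if not s or "@" in s or any(c.isspace() for c in s):
        raise ValueError("invalid UPN suffix: %r" % suffix)
    return s


def merge_suffixes(existing, additions):
    """Return existing + validated additions, de-duplicated, order preserved."""
    merged = list(existing)
    for a in additions:
        a = validate_suffix(a)
        if not _contains(merged, a):
            merged.append(a)
    return merged


def build_trust_mod_argv(realm, suffixes):
    """One --upn-suffixes=<v> per value; no reliance on shell brace expansion."""
    return ["ipa", "trust-mod", realm] + ["--upn-suffixes=%s" % s for s in suffixes]


def plan_update(realm, raw_show_output, additions):
    """Full argv that keeps every current suffix and adds the new ones."""
    existing = parse_upn_suffixes(raw_show_output)
    return build_trust_mod_argv(realm, merge_suffixes(existing, additions))


# Constructed sample of `ipa trust-show ad.test --raw` output (not real output).
SAMPLE_TRUST_SHOW_RAW = """\
  cn: ad.test
  ipantflatname: AD
  ipantadditionalsuffixes: existing.upn
  ipantadditionalsuffixes: Another_UPN
  ipanttrusttype: 2
"""

if __name__ == "__main__":
    realm = sys.argv[1] if len(sys.argv) > 1 else "ad.test"
    additions = sys.argv[2:] or ["new"]
    try:
        raw = subprocess.run(["ipa", "trust-show", realm, "--raw"], check=True,
                             capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("ipa not available; using constructed sample output", file=sys.stderr)
        raw = SAMPLE_TRUST_SHOW_RAW
    # Print rather than execute: review the full list before it replaces the old one.
    print(shlex.join(plan_update(realm, raw, additions)))
```

Run it as `python3 merge_upn.py ad.test new` on an IPA server with an enrolled admin ticket; it prints the complete `ipa trust-mod` command for review instead of executing it, because whatever is sent becomes the entire new list.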
_______________________________________________ FreeIPA-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
