URL: https://github.com/freeipa/freeipa/pull/867
Author: abbra
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/867/head:pr867
git checkout pr867
From 2cd8af5201af9e2e962c4987a3b3641f3b83c982 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 12 Jun 2017 11:05:06 +0300
Subject: [PATCH] trust-mod: allow modifying list of UPNs of a trusted forest
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
- associate UPN suffixes with the forest root and then allow for each
user account to choose UPN suffix for logon
- directly modify userPrincipalName attribute in LDAP
Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.
The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.
This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.
Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.
As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:
ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}
Fixes: https://pagure.io/freeipa/issue/7015
---
API.txt | 3 ++-
VERSION.m4 | 4 ++--
ipaserver/plugins/trust.py | 3 ++-
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/API.txt b/API.txt
index 44567a22da..aabd9c0d4a 100644
--- a/API.txt
+++ b/API.txt
@@ -5772,11 +5772,12 @@ output: ListOfEntries('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: Output('truncated', type=[<type 'bool'>])
command: trust_mod/1
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', cli_name='realm')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('delattr*', cli_name='delattr')
+option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upn_suffixes')
option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming')
option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing')
option: Flag('raw', autofill=True, cli_name='raw', default=False)
diff --git a/VERSION.m4 b/VERSION.m4
index 706c243739..cc308f1e23 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 20100614120000)
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 227)
-# Last change: Add `pkinit-status` command
+define(IPA_API_VERSION_MINOR, 228)
+# Last change: Expose ipaNTAdditionalSuffixes in trust-mod
########################################################
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 075b39dcc3..d0bbfbc47c 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -553,8 +553,9 @@ class trust(LDAPObject):
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
),
Str('ipantadditionalsuffixes*',
+ cli_name='upn_suffixes',
label=_('UPN suffixes'),
- flags={'no_create', 'no_update', 'no_search'},
+ flags={'no_create', 'no_search'},
),
)
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
