Hi,
Sending rebased versions on top of current master.
Tomas
From 589be38f4e34fc759fc9aff580f2d17e0eae52bb Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 30 May 2013 14:02:44 +0200
Subject: [PATCH 61/63] Add ipaRangeType attribute to LDAP Schema
This adds a new LDAP attribute ipaRangeType with
OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema.
ObjectClass ipaIDrange has been altered to require
ipaRangeType attribute.
Part of https://fedorahosted.org/freeipa/ticket/3647
---
install/share/60basev3.ldif | 3 ++-
install/updates/62-ranges.update | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 435948faefb66870aba20248ef88fae90505609c..b84789e25d75033f18fa5b70f69d852ddf35b7ca 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -37,6 +37,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'Fi
attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
@@ -49,7 +50,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT
objectClasses: (2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize $ ipaRangeType ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update
index 79d5326d6000d038923b2a92dcdec98370fa90f4..c2eb6dca7077aebf56b06b39710b3c46db799aed 100644
--- a/install/updates/62-ranges.update
+++ b/install/updates/62-ranges.update
@@ -3,10 +3,12 @@ add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First va
add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+add:attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $$ gidNumber $$ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
+replace:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )::(2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize $$ ipaRangeType ) X-ORIGIN 'IPA v3' )
dn: cn=ranges,cn=etc,$SUFFIX
default: objectClass: top
--
1.8.1.4
From 8e811bb854ad6e12308ac80a230425dc64843138 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 30 May 2013 14:07:09 +0200
Subject: [PATCH 62/63] Add update plugin to fill in ipaRangeType attribute
Previously, we deduced the range type from the range objectclass
and filled in virtual attribute in post_callback phase.
Having a ipaRangeType attributeType in schema, we need to fill
the attribute values to ranges created in previous IPA versions.
The plugin follows the same approach, setting ipa-local or
ipa-ad-trust value to the ipaRangeType attribute according
to the objectclass of the range.
Part of https://fedorahosted.org/freeipa/ticket/3647
---
ipaserver/install/plugins/adtrust.py | 1 +
ipaserver/install/plugins/update_idranges.py | 114 +++++++++++++++++++++++++++
2 files changed, 115 insertions(+)
create mode 100644 ipaserver/install/plugins/update_idranges.py
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 555a28b8f5333cae08e5f53d23b01f1093046eff..28358588b5693a8bb451f52a52bb8ef73747353b 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -62,6 +62,7 @@ class update_default_range(PostUpdate):
'cn:%s' % id_range_name,
'ipabaseid:%s' % id_range_base_id,
'ipaidrangesize:%s' % id_range_size,
+ 'iparangetype:ipa-local',
]
updates = {}
diff --git a/ipaserver/install/plugins/update_idranges.py b/ipaserver/install/plugins/update_idranges.py
new file mode 100644
index 0000000000000000000000000000000000000000..a4dc06daf382cf132e2d28d14ced9efd01982ec5
--- /dev/null
+++ b/ipaserver/install/plugins/update_idranges.py
@@ -0,0 +1,114 @@
+# Authors:
+# Tomas Babej <tba...@redhat.com>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import *
+
+
+class update_idrange_type(PostUpdate):
+ """
+ Update all ID ranges that do not have ipaRangeType attribute filled.
+ This applies to all ID ranges prior to IPA 3.3.
+ """
+
+ order = MIDDLE
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ base_dn = DN(api.env.container_ranges, api.env.basedn)
+ search_filter = ("(&(objectClass=ipaIDrange)(!(ipaRangeType=*)))")
+ root_logger.debug("update_idrange_type: search for ID ranges with no "
+ "type set")
+
+ while True:
+ # Run the search in loop to avoid issues when LDAP limits are hit
+ # during update
+
+ try:
+ (entries, truncated) = ldap.find_entries(search_filter,
+ ['objectclass'], base_dn, time_limit=0, size_limit=0)
+
+ except errors.NotFound:
+ root_logger.debug("update_idrange_type: no ID range without "
+ "type set found")
+ return (False, False, [])
+
+ except errors.ExecutionError, e:
+ root_logger.error("update_idrange_type: cannot retrieve list "
+ "of ranges with no type set: %s", e)
+ return (False, False, [])
+
+ if not entries:
+ # No entry was returned, rather break than continue cycling
+ root_logger.debug("update_idrange_type: no ID range was "
+ "returned")
+ return (False, False, [])
+
+ root_logger.debug("update_idrange_type: found %d "
+ "idranges to update, truncated: %s",
+ len(entries), truncated)
+
+ error = False
+
+ # Set the range type
+ for dn, entry in entries:
+ update = {}
+
+ objectclasses = entry.get('objectclass', [])
+ if 'ipaTrustedADDomainRange' in objectclasses:
+ # NOTICE: assumes every AD range does not use POSIX
+ # attributes
+ update['ipaRangeType'] = 'ipa-ad-trust'
+ elif 'ipaDomainIDRange' in objectclasses:
+ update['ipaRangeType'] = 'ipa-local'
+ else:
+ update['ipaRangeType'] = 'unknown'
+ root_logger.error("update_idrange_type: could not detect "
+ "range type for entry: %s" % str(dn))
+ root_logger.error("update_idrange_type: ID range type set "
+ "to 'unknown' for entry: %s" % str(dn))
+
+ try:
+ ldap.update_entry(dn, update)
+ except (errors.EmptyModlist, errors.NotFound):
+ pass
+ except errors.ExecutionError, e:
+ root_logger.debug("update_idrange_type: cannot "
+ "update idrange type: %s", e)
+ error = True
+
+ if error:
+ # Exit loop to avoid infinite cycles
+ root_logger.error("update_idrange_type: error(s) "
+ "detected during idrange type update")
+ return (False, False, [])
+
+ elif not truncated:
+ # All affected entries updated, exit the loop
+ root_logger.debug("update_idrange_type: all affected idranges "
+ "were assigned types")
+ return (False, False, [])
+
+ return (False, False, [])
+
+api.register(update_idrange_type)
--
1.8.1.4
From eb5c22d69a33c60e12cefdd9649b3115b6322178 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 30 May 2013 14:12:52 +0200
Subject: [PATCH 63/63] Extend idrange commands to support new range origin
types
Following values of ipaRangeType attribute are supported
and translated accordingly in the idrange commands:
'ipa-local': 'local domain range'
'ipa-ad-winsync': 'Active Directory winsync range'
'ipa-ad-trust': 'Active Directory domain range'
'ipa-ad-trust-posix': 'Active Directory trust range with
POSIX attributes'
'ipa-ipa-trust': 'IPA trust range'
Part of https://fedorahosted.org/freeipa/ticket/3647
---
ipalib/plugins/idrange.py | 43 ++++++++++++++++++++++++++++++++-----------
1 file changed, 32 insertions(+), 11 deletions(-)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 22383ba9bab926318784b703bfb2c29d01cd5457..2ece848eb2fbf2e804717985a3bc70278bca9808 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -206,12 +206,22 @@ class idrange(LDAPObject):
)
)
+ range_types = {
+ 'ipa-local': unicode(_(u'local domain range')),
+ 'ipa-ad-winsync': unicode(_('Active Directory winsync range')),
+ 'ipa-ad-trust': unicode(_('Active Directory domain range')),
+ 'ipa-ad-trust-posix': unicode(_('Active Directory trust range with '
+ 'POSIX attributes')),
+ 'ipa-ipa-trust': unicode(_('IPA trust range')),
+ }
+
def handle_iparangetype(self, entry_attrs, options, keep_objectclass=False):
- if not options.get('pkey_only', False):
- if 'ipatrustedaddomainrange' in entry_attrs.get('objectclass', []):
- entry_attrs['iparangetype'] = [unicode(_('Active Directory domain range'))]
- else:
- entry_attrs['iparangetype'] = [unicode(_(u'local domain range'))]
+ if not any((options.get('pkey_only', False),
+ options.get('raw', False))):
+ range_type = entry_attrs['iparangetype'][0]
+ entry_attrs['iparangetype'] = self.range_types.get(range_type, None)
+
+ # Remove the objectclass
if not keep_objectclass:
if not options.get('all', False) or options.get('pkey_only', False):
entry_attrs.pop('objectclass', None)
@@ -383,7 +393,11 @@ class idrange_add(LDAPCreate):
'not be found. Please specify the SID directly '
'using dom-sid option.'))
+ # ipaNTTrustedDomainSID attribute set, this is AD Trusted domain range
if is_set('ipanttrusteddomainsid'):
+ entry_attrs['objectclass'].append('ipatrustedaddomainrange')
+ entry_attrs['iparangetype'] = 'ipa-ad-trust'
+
if is_set('ipasecondarybaserid'):
raise errors.ValidationError(name='ID Range setup',
error=_('Options dom-sid/dom-name and secondary-rid-base '
@@ -396,11 +410,13 @@ class idrange_add(LDAPCreate):
# Validate SID as the one of trusted domains
self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid'])
- # Finally, add trusted AD domain range object class
- entry_attrs['objectclass'].append('ipatrustedaddomainrange')
+ # ipaNTTrustedDomainSID attribute not set, this is local domain range
else:
- # secondary base rid must be set if and only if base rid is set
+ entry_attrs['objectclass'].append('ipadomainidrange')
+ entry_attrs['iparangetype'] = 'ipa-local'
+
+ # secondary base rid must be set if and only if base rid is set
if is_set('ipasecondarybaserid') != is_set('ipabaserid'):
raise errors.ValidationError(name='ID Range setup',
error=_('Options secondary-rid-base and rid-base must '
@@ -416,15 +432,15 @@ class idrange_add(LDAPCreate):
error=_("Primary RID range and secondary RID range"
" cannot overlap"))
- entry_attrs['objectclass'].append('ipadomainidrange')
-
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
- self.obj.handle_iparangetype(entry_attrs, options, keep_objectclass=True)
+ self.obj.handle_iparangetype(entry_attrs, options,
+ keep_objectclass=True)
return dn
+
class idrange_del(LDAPDelete):
__doc__ = _('Delete an ID range.')
@@ -459,6 +475,7 @@ class idrange_del(LDAPDelete):
return dn
+
class idrange_find(LDAPSearch):
__doc__ = _('Search for ranges.')
@@ -478,6 +495,7 @@ class idrange_find(LDAPSearch):
self.obj.handle_iparangetype(entry, options)
return truncated
+
class idrange_show(LDAPRetrieve):
__doc__ = _('Display information about a range.')
@@ -491,6 +509,7 @@ class idrange_show(LDAPRetrieve):
self.obj.handle_iparangetype(entry_attrs, options)
return dn
+
class idrange_mod(LDAPUpdate):
__doc__ = _('Modify ID range.')
@@ -557,6 +576,7 @@ class idrange_mod(LDAPUpdate):
# Add trusted AD domain range object class, if it wasn't there
if not 'ipatrustedaddomainrange' in old_attrs['objectclass']:
entry_attrs['objectclass'].append('ipatrustedaddomainrange')
+ entry_attrs['iparangetype'] = 'ipa-ad-trust'
else:
# secondary base rid must be set if and only if base rid is set
@@ -612,6 +632,7 @@ class idrange_mod(LDAPUpdate):
self.obj.handle_iparangetype(entry_attrs, options)
return dn
+
api.register(idrange)
api.register(idrange_add)
api.register(idrange_mod)
--
1.8.1.4
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
