On 23.10.2014 10:39, Martin Kosek wrote:
On 10/22/2014 07:39 PM, Tomas Babej wrote:
Hi,
Thank you for the patches, comments inline.
On 10/15/2014 02:20 PM, Petr Vobornik wrote:
ticket: https://fedorahosted.org/freeipa/ticket/4221
== [PATCH] 773 ranges: prohibit setting --rid-base with
ipa-trust-ad-posix type ==
We should not allow setting --rid-base for ranges of
ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings
for these ranges (objects have UID/GID set in AD). Thus, setting RID
base makes no sense.
Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class,
value '0' is allowed and used internally for 'ipa-trust-ad-posix'
range type.
We probably don't want to display the first RID if it is 0 and the type
is ad-posix. This occurs in idrange-find:
[tbabej@vm-043 labtool]$ ipa idrange-find
----------------
2 ranges matched
----------------
Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
First Posix ID of the range: 514800000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
First Posix ID of the range: 10000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
Range type: Active Directory trust range with POSIX attributes
----------------------------
Number of entries returned 2
----------------------------
And also idrange-show:
[tbabej@vm-043 labtool]$ ipa idrange-show
TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
First Posix ID of the range: 10000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
Range type: Active Directory trust range with POSIX attributes
No schema change is done.
Fixed
snip
== [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix
ranges ==
Can you use paged_search=True in find_entries instead of having an
infinite loop? It would make this code quite a bit cleaner.
I also saw you did not update Makefile.am.
Because I did not add a new file.
updated patches attached (only 773-775 are changed)
--
Petr Vobornik
From 7be769b432984dbd54d14309dde465ce6ea24ab0 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <[email protected]>
Date: Wed, 3 Sep 2014 17:23:33 +0200
Subject: [PATCH 5/5] webui: prohibit setting rid base with ipa-trust-ad-posix
type
Base RID is no longer editable for ipa-trust-ad-posix range type
Adder dialog:
- Range type selector was moved up because it affects a field above it
Details page:
- Only fields relevant to range's type are visible
https://fedorahosted.org/freeipa/ticket/4221
---
install/ui/src/freeipa/idrange.js | 77 ++++++++++++++++++++++++++++++---------
1 file changed, 60 insertions(+), 17 deletions(-)
diff --git a/install/ui/src/freeipa/idrange.js b/install/ui/src/freeipa/idrange.js
index 12c0b288b766c059db6b844f445fb88b5821a1db..4e5dbfa00dcf80495d8a96f7fc961b9c6676691f 100644
--- a/install/ui/src/freeipa/idrange.js
+++ b/install/ui/src/freeipa/idrange.js
@@ -54,6 +54,11 @@ return {
'cn',
'iparangetype',
{
+ name: 'iparangetyperaw',
+ read_only: true,
+ visible: false
+ },
+ {
name: 'ipabaseid',
label: '@i18n:objects.idrange.ipabaseid',
title: '@mo-param:idrange:ipabaseid:label'
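Review bot: the hidden iparangetyperaw field added here only ever has a value if the server returns that attribute, which patch 4 emits solely on the non-raw, non-pkey-only path; the commit message should state that this UI change depends on patch 4 being applied first, and the adder spec should say (in a comment next to `visible: false`) why a read-only invisible field exists at all, since a later reader will otherwise be tempted to delete it.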
@@ -80,6 +85,9 @@ return {
}
]
}
+ ],
+ policies: [
+ exp.idrange_policy
]
}
],
@@ -89,21 +97,6 @@ return {
name: 'cn'
},
{
- name: 'ipabaseid',
- label: '@i18n:objects.idrange.ipabaseid',
- title: '@mo-param:idrange:ipabaseid:label'
- },
- {
- name: 'ipaidrangesize',
- label: '@i18n:objects.idrange.ipaidrangesize',
- title: '@mo-param:idrange:ipaidrangesize:label'
- },
- {
- name: 'ipabaserid',
- label: '@i18n:objects.idrange.ipabaserid',
- title: '@mo-param:idrange:ipabaserid:label'
- },
- {
name: 'iparangetype',
$type: 'radio',
label: '@i18n:objects.idrange.type',
@@ -125,6 +118,21 @@ return {
]
},
{
+ name: 'ipabaseid',
+ label: '@i18n:objects.idrange.ipabaseid',
+ title: '@mo-param:idrange:ipabaseid:label'
+ },
+ {
+ name: 'ipaidrangesize',
+ label: '@i18n:objects.idrange.ipaidrangesize',
+ title: '@mo-param:idrange:ipaidrangesize:label'
+ },
+ {
+ name: 'ipabaserid',
+ label: '@i18n:objects.idrange.ipabaserid',
+ title: '@mo-param:idrange:ipabaserid:label'
+ },
+ {
name: 'ipasecondarybaserid',
label: '@i18n:objects.idrange.ipasecondarybaserid',
title: '@mo-param:idrange:ipasecondarybaserid:label'
@@ -147,7 +155,9 @@ IPA.idrange_adder_policy = function(spec) {
The logic for enabling/requiring ipabaserid, ipasecondarybaserid and
ipanttrusteddomainsid is as follows:
1) for AD ranges (range type is ipa-ad-trust or ipa-ad-trust-posix):
- * ipabaserid and ipanttrusteddomainsid are requred
+ * ipanttrusteddomainsid is required
+ * ipabaserid is required for ipa-ad-trust but disabled for
+ ipa-ad-trust-posix
* ipasecondarybaserid is disabled
2) for local ranges
* ipanttrusteddomainsid is disabled
@@ -206,7 +216,11 @@ IPA.idrange_adder_policy = function(spec) {
var is_ad_range = (type_v === 'ipa-ad-trust' || type_v === 'ipa-ad-trust-posix');
if (is_ad_range) {
- require(baserid_f);
+ if (type_v === 'ipa-ad-trust') {
+ require(baserid_f);
+ } else {
+ disable(baserid_f);
+ }
require(trusteddomainsid_f);
disable(secondarybaserid_f);
} else {
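Review bot: on the ipa-ad-trust-posix branch `disable(baserid_f)` only greys the widget; if the user typed a base RID before switching the type, that value is still in the field and, unless disable() also clears it, will be submitted as ipabaserid and rejected server-side with "Option rid-base must not be used when IPA range type is ipa-ad-trust-posix". Reset the field value when disabling it (or have the policy clear disabled fields) so the dialog cannot build a request the API will refuse.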
@@ -230,6 +244,35 @@ IPA.idrange_adder_policy = function(spec) {
return that;
};
+exp.idrange_policy = function(spec) {
+
+ spec = spec || {};
+ var that = IPA.facet_policy(spec);
+
+ that.post_load = function() {
+ var type_f = that.container.fields.get_field('iparangetyperaw');
+ var widgets = that.container.widgets;
+ var type_v = type_f.get_value()[0];
+
+ var baserid = true;
+ var secrid = true;
+ var sid = true;
+
+ if (type_v === 'ipa-local') {
+ sid = false;
+ } else if (type_v === 'ipa-ad-trust-posix') {
+ baserid = secrid = false;
+ } else if (type_v === 'ipa-ad-trust') {
+ secrid = false;
+ }
+
+ widgets.get_widget('details.ipabaserid').set_visible(baserid);
+ widgets.get_widget('details.ipasecondarybaserid').set_visible(secrid);
+ widgets.get_widget('details.ipanttrusteddomainsid').set_visible(sid);
+ };
+ return that;
+};
+
exp.entity_spec = make_spec();
exp.register = function() {
var e = reg.entity;
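Review bot: post_load indexes `type_f.get_value()[0]` without checking that iparangetyperaw was actually returned; when the attribute is absent (a server without patch 4, or an output path where handle_iparangetype does not add it) type_v is undefined, every branch is skipped and all three widgets stay visible. That fallback is the safe one, but it is accidental; guard the lookup explicitly and say in a comment that "unknown type shows everything" is intended. The comment block above idrange_adder_policy should also mention that the details page now applies the same rules through exp.idrange_policy, so the two stay in sync when a new range type is added.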
--
1.9.3
From 37f310795b6d714548d040da06099ec7dbfa05db Mon Sep 17 00:00:00 2001
From: Petr Vobornik <[email protected]>
Date: Wed, 15 Oct 2014 13:42:30 +0200
Subject: [PATCH 4/5] idrange: include raw range type in output
iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers.
Solved by a new iparangetyperaw output attribute, which contains iparangetype's raw value.
---
ipalib/plugins/idrange.py | 1 +
ipatests/test_xmlrpc/test_range_plugin.py | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 14dfd43c7f23574b514d4fc31966f427130b2e24..9c453dd7ee30682f48751efcafcf8cc223756b79 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -241,6 +241,7 @@ class idrange(LDAPObject):
if not any((options.get('pkey_only', False),
options.get('raw', False))):
range_type = entry_attrs['iparangetype'][0]
+ entry_attrs['iparangetyperaw'] = [range_type]
entry_attrs['iparangetype'] = [self.range_types.get(range_type, None)]
# Remove the objectclass
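Review bot: iparangetyperaw is injected into the result dict but is not declared as an output parameter of the idrange object, so any consumer that builds its view from the declared params (labelled CLI output, API schema dumps) has nothing to label it with. Either declare it as a hidden Str param with a label, or document in the plugin docstring that it is an unlabelled machine-readable companion to iparangetype. The attribute is intentionally omitted when `raw` or `pkey_only` is set (iparangetype is already raw there), which is correct but deserves a one-line comment on the new line.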
diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
index f777184012891c58d382a28c6171330c6931b094..ae8450f9954befaaf2425598403248208329c2d1 100644
--- a/ipatests/test_xmlrpc/test_range_plugin.py
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
@@ -463,6 +463,7 @@ class test_range(Declarative):
ipabaserid=[unicode(testrange1_base_rid)],
ipasecondarybaserid=[unicode(testrange1_secondary_base_rid)],
ipaidrangesize=[unicode(testrange1_size)],
+ iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange1,
@@ -482,6 +483,7 @@ class test_range(Declarative):
ipabaserid=[unicode(testrange1_base_rid)],
ipasecondarybaserid=[unicode(testrange1_secondary_base_rid)],
ipaidrangesize=[unicode(testrange1_size)],
+ iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange1,
@@ -569,6 +571,7 @@ class test_range(Declarative):
ipabaserid=[unicode(testrange1_base_rid)],
ipasecondarybaserid=[unicode(testrange1_secondary_base_rid)],
ipaidrangesize=[u'90000'],
+ iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange1,
@@ -637,6 +640,7 @@ class test_range(Declarative):
ipabaserid=[unicode(testrange2_base_rid)],
ipasecondarybaserid=[unicode(testrange2_secondary_base_rid)],
ipaidrangesize=[unicode(testrange2_size)],
+ iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange2,
@@ -764,6 +768,7 @@ class test_range(Declarative):
ipabaseid=[unicode(domain7range1_base_id)],
ipaidrangesize=[unicode(domain7range1_size)],
ipanttrusteddomainsid=[unicode(domain7_sid)],
+ iparangetyperaw=[u'ipa-ad-trust-posix'],
iparangetype=[u'Active Directory trust range with POSIX attributes'],
),
value=unicode(domain7range1),
@@ -821,6 +826,7 @@ class test_range(Declarative):
ipabaseid=[unicode(domain3range1_base_id)],
ipaidrangesize=[unicode(domain3range2_size)],
ipanttrusteddomainsid=[unicode(domain3_sid)],
+ iparangetyperaw=[u'ipa-ad-trust-posix'],
iparangetype=[u'Active Directory trust range with POSIX '
'attributes'],
),
@@ -886,6 +892,7 @@ class test_range(Declarative):
ipabaserid=[unicode(domain5range1_base_rid)],
ipaidrangesize=[unicode(domain2range1_size)],
ipanttrusteddomainsid=[unicode(domain2_sid)],
+ iparangetyperaw=[u'ipa-ad-trust'],
iparangetype=[u'Active Directory domain range'],
),
value=domain2range1,
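Review bot: these test updates only assert that iparangetyperaw is present on the default output path; add one idrange_show case with raw=True and one idrange_find case with pkey_only=True asserting that it is absent, since the new line in handle_iparangetype sits inside the branch that both options skip and a regression there would otherwise go unnoticed.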
--
1.9.3
From 93f66717e5ce0141c069b1e5e006d2992daac326 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <[email protected]>
Date: Mon, 13 Oct 2014 14:59:24 +0200
Subject: [PATCH 3/5] ldapupdater: set baserid to 0 for ipa-ad-trust-posix
ranges
New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix
https://fedorahosted.org/freeipa/ticket/4221
---
ipaserver/install/plugins/update_idranges.py | 69 +++++++++++++++++++++++++++-
1 file changed, 68 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/update_idranges.py b/ipaserver/install/plugins/update_idranges.py
index 9e97c9f74570484a8bae82e99a7561350163a1b1..1aa5fa7631fd35a7aaf4a23a5eee44e4e0a2e904 100644
--- a/ipaserver/install/plugins/update_idranges.py
+++ b/ipaserver/install/plugins/update_idranges.py
@@ -17,7 +17,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins import MIDDLE, LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
from ipalib import api, errors
from ipapython.dn import DN
@@ -111,4 +111,71 @@ class update_idrange_type(PostUpdate):
return (False, False, [])
+
+class update_idrange_baserid(PostUpdate):
+ """
+ Update ipa-ad-trust-posix ranges' base RID to 0. This applies to AD trust
+ posix ranges prior to IPA 4.1.
+ """
+
+ order = LAST
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ base_dn = DN(api.env.container_ranges, api.env.basedn)
+ search_filter = ("(&(objectClass=ipaTrustedADDomainRange)"
+ "(ipaRangeType=ipa-ad-trust-posix)"
+ "(!(ipaBaseRID=0)))")
+ root_logger.debug(
+ "update_idrange_baserid: search for ipa-ad-trust-posix ID ranges "
+ "with ipaBaseRID != 0"
+ )
+
+ try:
+ (entries, truncated) = ldap.find_entries(
+ search_filter, ['ipabaserid'], base_dn,
+ paged_search=True, time_limit=0, size_limit=0)
+
+ except errors.NotFound:
+ root_logger.debug("update_idrange_baserid: no AD domain "
+ "range with posix attributes found")
+ return (False, False, [])
+
+ except errors.ExecutionError, e:
+ root_logger.error("update_idrange_baserid: cannot retrieve "
+ "list of affected ranges: %s", e)
+ return (False, False, [])
+
+ root_logger.debug("update_idrange_baserid: found %d "
+ "idranges possible to update",
+ len(entries))
+
+ error = False
+
+ # Set the range type
+ for entry in entries:
+ entry['ipabaserid'] = 0
+ try:
+ root_logger.info("Updating existing idrange: %s" % (entry.dn))
+ ldap.update_entry(entry)
+ root_logger.info("Done")
+ except (errors.EmptyModlist, errors.NotFound):
+ pass
+ except errors.ExecutionError, e:
+ root_logger.debug("update_idrange_type: cannot "
+ "update idrange: %s", e)
+ error = True
+
+ if error:
+ root_logger.error("update_idrange_baserid: error(s) "
+ "detected during idrange baserid update")
+ else:
+ # All affected entries updated, exit the loop
+ root_logger.debug("update_idrange_baserid: all affected "
+ "idranges updated")
+
+ return (False, False, [])
+
api.register(update_idrange_type)
+api.register(update_idrange_baserid)
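Review bot: the failure log `root_logger.debug("update_idrange_type: cannot update idrange: %s", e)` still carries the update_idrange_type prefix and should read update_idrange_baserid; given that the function then reports "error(s) detected", that message also belongs at error level, not debug. Two stale comments: `# Set the range type` should say base RID, and `# All affected entries updated, exit the loop` refers to a loop that no longer exists now that find_entries is called once with paged_search=True. Finally, the search filter relies on ipaRangeType being populated, which update_idrange_type (order MIDDLE) takes care of; `order = LAST` is what guarantees that ordering, so state the dependency in the docstring instead of leaving it implicit.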
--
1.9.3
From 5c784bb441f80ee9b7aba3cf663e48c1a1684eeb Mon Sep 17 00:00:00 2001
From: Petr Vobornik <[email protected]>
Date: Tue, 14 Oct 2014 18:31:19 +0200
Subject: [PATCH 2/5] unittests: baserid for ipa-ad-trust-posix idranges
https://fedorahosted.org/freeipa/ticket/4221
---
ipatests/test_xmlrpc/test_range_plugin.py | 160 ++++++++++++++++++++++++------
1 file changed, 132 insertions(+), 28 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
index 349fb73649650f97c3a9464f7e49bbd44863e869..f777184012891c58d382a28c6171330c6931b094 100644
--- a/ipatests/test_xmlrpc/test_range_plugin.py
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
@@ -188,6 +188,23 @@ domain2range1_add = get_trusted_dom_range_dict(
sid=domain2_sid
)
+domain2range2 = u'domain2range2'
+domain2range2_base_id = id_shift + 10200
+domain2range2_size = 50
+domain2range2_base_rid = rid_shift + 10200
+domain2range2_type = u'ipa-ad-trust'
+
+domain2range2_dn = get_range_dn(name=domain2range2)
+
+domain2range2_add = get_trusted_dom_range_dict(
+ name=domain2range2,
+ base_id=domain2range2_base_id,
+ size=domain2range2_size,
+ rangetype=domain2range2_type,
+ base_rid=domain2range2_base_rid,
+ sid=domain2_sid
+)
+
# Domain3 - Posix active AD domain, two posix ranges
domain3 = u'domain3'
@@ -197,9 +214,9 @@ domain3_sid = u'S-1-5-21-1980929950-1830687243-1002863068'
domain3_add = get_trusted_dom_dict(domain3, domain3_sid)
domain3range1 = u'domain3range1'
-domain3range1_base_id = id_shift + 10200
+domain3range1_base_id = id_shift + 10300
domain3range1_size = 50
-domain3range1_base_rid = rid_shift + 10200
+domain3range1_base_rid = 0
domain3range1_type = u'ipa-ad-trust-posix'
domain3range1_dn = get_range_dn(name=domain3range1)
@@ -214,9 +231,9 @@ domain3range1_add = get_trusted_dom_range_dict(
)
domain3range2 = u'domain3range2'
-domain3range2_base_id = id_shift + 10300
+domain3range2_base_id = id_shift + 10400
domain3range2_size = 50
-domain3range2_base_rid = rid_shift + 10300
+domain3range2_base_rid = 0
domain3range2_type = u'ipa-ad-trust-posix'
domain3range2_dn = get_range_dn(name=domain3range2)
@@ -238,9 +255,9 @@ domain4_sid = u'S-1-5-21-2630044516-2228086573-3500008130'
domain4_add = get_trusted_dom_dict(domain4, domain4_sid)
domain4range1 = u'domain4range1'
-domain4range1_base_id = id_shift + 10400
+domain4range1_base_id = id_shift + 10500
domain4range1_size = 50
-domain4range1_base_rid = rid_shift + 10400
+domain4range1_base_rid = 0
domain4range1_type = u'ipa-ad-trust-posix'
domain4range1_dn = get_range_dn(name=domain4range1)
@@ -262,9 +279,9 @@ domain5_sid = u'S-1-5-21-2936727573-1940715531-2353349748'
domain5_add = get_trusted_dom_dict(domain5, domain5_sid)
domain5range1 = u'domain5range1'
-domain5range1_base_id = id_shift + 10500
+domain5range1_base_id = id_shift + 10600
domain5range1_size = 50
-domain5range1_base_rid = rid_shift + 10500
+domain5range1_base_rid = rid_shift + 10600
domain5range1_type = u'ipa-ad-trust'
domain5range1_dn = get_range_dn(name=domain5range1)
@@ -279,9 +296,9 @@ domain5range1_add = get_trusted_dom_range_dict(
)
domain5range2 = u'domain5range2'
-domain5range2_base_id = id_shift + 10600
+domain5range2_base_id = id_shift + 10700
domain5range2_size = 50
-domain5range2_base_rid = rid_shift + 10600
+domain5range2_base_rid = rid_shift + 10700
domain5range2_type = u'ipa-ad-trust'
domain5range2_dn = get_range_dn(name=domain5range2)
@@ -303,9 +320,9 @@ domain6_sid = u'S-1-5-21-2824814446-180299986-1494994477'
domain6_add = get_trusted_dom_dict(domain6, domain6_sid)
domain6range1 = u'domain6range1'
-domain6range1_base_id = id_shift + 10700
+domain6range1_base_id = id_shift + 10800
domain6range1_size = 50
-domain6range1_base_rid = rid_shift + 10700
+domain6range1_base_rid = rid_shift + 10800
domain6range1_type = u'ipa-ad-trust'
domain6range1_dn = get_range_dn(name=domain6range1)
@@ -319,6 +336,18 @@ domain6range1_add = get_trusted_dom_range_dict(
sid=domain6_sid
)
+# Domain7 - Posix active AD domain, invalid(defined) RID
+domain7 = u'domain7'
+domain7_dn = get_trust_dn(domain7)
+domain7_sid = u'S-1-5-21-2714542333-175454564-1645457223'
+domain7_add = get_trusted_dom_dict(domain7, domain7_sid)
+
+domain7range1 = u'domain7range1'
+domain7range1_base_id = id_shift + 10900
+domain7range1_size = 50
+domain7range1_base_rid = rid_shift + 10900
+domain7range1_type = u'ipa-ad-trust-posix'
+domain7range1_dn = get_range_dn(name=domain7range1)
# Container for all trusted objects
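Review bot: the comment `# Domain7 - Posix active AD domain, invalid(defined) RID` is hard to parse; since the fixture exists to prove that an ipa-ad-trust-posix range created with an explicit base RID is rejected, say that ("POSIX AD domain whose range is created with an explicit base RID, which must be rejected") so the purpose is clear without reading the test cases below.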
@@ -327,6 +356,27 @@ trust_container_add = dict(
objectClass=["nsContainer", "top"]
)
+# Convince Domain Validator that adtrust-install was run in order to test
+# adding of ipa-trust-posix range
+
+smb_cont_dn = "{cifsdomains},{basedn}".format(
+ cifsdomains=api.env.container_cifsdomains,
+ basedn=api.env.basedn)
+smb_cont_add = dict(
+ objectClass=["nsContainer", "top"]
+ )
+
+trust_local_dn = "cn={domain},{smbcont}".format(
+ domain=api.env.domain,
+ smbcont=smb_cont_dn)
+
+trust_local_add = dict(
+ objectClass=["ipaNTDomainAttrs", "nsContainer", "top"],
+ ipaNTFlatName=["UNITTESTS"],
+ ipaNTDomainGUID=["4ed70def-bff4-464c-889f-6cd2cfa4dbb7"],
+ ipaNTSecurityIdentifier=["S-1-5-21-2568409255-1212639194-836868319"]
+ )
+
user1 = u'tuser1'
user1_uid = id_shift + 900000
group1 = u'group1'
@@ -340,15 +390,19 @@ class test_range(Declarative):
cls.tearDownClass()
cls.mockldap = MockLDAP()
cls.mockldap.add_entry(trust_container_dn, trust_container_add)
+ cls.mockldap.add_entry(smb_cont_dn, smb_cont_add)
+ cls.mockldap.add_entry(trust_local_dn, trust_local_add)
cls.mockldap.add_entry(domain2_dn, domain2_add)
cls.mockldap.add_entry(domain3_dn, domain3_add)
cls.mockldap.add_entry(domain4_dn, domain4_add)
cls.mockldap.add_entry(domain5_dn, domain5_add)
cls.mockldap.add_entry(domain6_dn, domain6_add)
+ cls.mockldap.add_entry(domain7_dn, domain7_add)
cls.mockldap.add_entry(domain1range1_dn, domain1range1_add)
cls.mockldap.add_entry(domain2range1_dn, domain2range1_add)
+ cls.mockldap.add_entry(domain2range2_dn, domain2range2_add)
cls.mockldap.add_entry(domain3range1_dn, domain3range1_add)
cls.mockldap.add_entry(domain3range2_dn, domain3range2_add)
cls.mockldap.add_entry(domain4range1_dn, domain4range1_add)
@@ -366,16 +420,21 @@ class test_range(Declarative):
cls.mockldap.del_entry(domain4_dn)
cls.mockldap.del_entry(domain5_dn)
cls.mockldap.del_entry(domain6_dn)
+ cls.mockldap.del_entry(domain7_dn)
cls.mockldap.del_entry(domain1range1_dn)
cls.mockldap.del_entry(domain2range1_dn)
+ cls.mockldap.del_entry(domain2range2_dn)
cls.mockldap.del_entry(domain3range1_dn)
cls.mockldap.del_entry(domain3range2_dn)
cls.mockldap.del_entry(domain4range1_dn)
cls.mockldap.del_entry(domain5range1_dn)
cls.mockldap.del_entry(domain5range2_dn)
cls.mockldap.del_entry(domain6range1_dn)
+ cls.mockldap.del_entry(domain7range1_dn)
cls.mockldap.del_entry(trust_container_dn)
+ cls.mockldap.del_entry(trust_local_dn)
+ cls.mockldap.del_entry(smb_cont_dn)
cls.mockldap.unbind()
cleanup_commands = [
@@ -674,6 +733,53 @@ class test_range(Declarative):
'secondary-rid-base cannot be used together'),
),
+ # Testing framework validation: --rid-base is prohibited with ipa-ad-posix
+
+ dict(
+ desc='Try to create ipa-ad-trust-posix ID range %r with base RID' % (domain7range1),
+ command=('idrange_add', [domain7range1],
+ dict(ipabaseid=domain7range1_base_id,
+ ipaidrangesize=domain7range1_size,
+ ipabaserid=domain7range1_base_rid,
+ iparangetype=domain7range1_type,
+ ipanttrusteddomainsid=domain7_sid)),
+ expected=errors.ValidationError(
+ name='ID Range setup',
+ error='Option rid-base must not be used when IPA range '
+ 'type is ipa-ad-trust-posix'),
+ ),
+
+ dict(
+ desc='Create ID range %r' % (domain7range1),
+ command=('idrange_add', [domain7range1],
+ dict(ipabaseid=domain7range1_base_id,
+ ipaidrangesize=domain7range1_size,
+ iparangetype=domain7range1_type,
+ ipanttrusteddomainsid=domain7_sid)),
+ expected=dict(
+ result=dict(
+ dn=unicode(domain7range1_dn),
+ cn=[domain7range1],
+ objectclass=[u'ipaIDrange', u'ipatrustedaddomainrange'],
+ ipabaseid=[unicode(domain7range1_base_id)],
+ ipaidrangesize=[unicode(domain7range1_size)],
+ ipanttrusteddomainsid=[unicode(domain7_sid)],
+ iparangetype=[u'Active Directory trust range with POSIX attributes'],
+ ),
+ value=unicode(domain7range1),
+ summary=u'Added ID range "%s"' % (domain7range1),
+ ),
+ ),
+
+ dict(
+ desc='Try to modify ipa-ad-trust-posix ID range %r with base RID' % (domain7range1),
+ command=('idrange_mod', [domain7range1], dict(ipabaserid=domain7range1_base_rid)),
+ expected=errors.ValidationError(
+ name='ID Range setup',
+ error='Option rid-base must not be used when IPA range '
+ 'type is ipa-ad-trust-posix'),
+ ),
+
# Testing prohibition of deletion of ranges belonging to active
# trusted domains.
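Review bot: the idrange_mod case only covers a non-zero --rid-base on the posix range; add a case with ipabaserid=0 (accepted, stays 0) and one with ipabaserid=None (the cleared value that idrange_mod's pre_callback maps back to 0), since those two branches of the new mod code are otherwise untested. A companion case showing that idrange_mod --rid-base on an ipa-ad-trust range still works after this change would also pin down that the type check is keyed on the stored range type.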
@@ -713,7 +819,6 @@ class test_range(Declarative):
result=dict(
cn=[domain3range2],
ipabaseid=[unicode(domain3range1_base_id)],
- ipabaserid=[unicode(domain3range2_base_rid)],
ipaidrangesize=[unicode(domain3range2_size)],
ipanttrusteddomainsid=[unicode(domain3_sid)],
iparangetype=[u'Active Directory trust range with POSIX '
@@ -766,26 +871,25 @@ class test_range(Declarative):
# - RID range overlaps
# 1. Overlaps on base RID ranges are allowed for ranges from different
- # domains, use domain4range1 and domain5range1
+ # domains, use domain2range1 and domain5range1
dict(
- desc=('Modify ipa-ad-trust-posix range %r to overlap on base RID'
+ desc=('Modify ipa-ad-trust range %r to overlap on base RID'
' range with nonposix range from different domain'
- % (domain4range1)),
- command=('idrange_mod', [domain4range1],
+ % (domain2range1)),
+ command=('idrange_mod', [domain2range1],
dict(ipabaserid=domain5range1_base_rid)),
expected=dict(
result=dict(
- cn=[domain4range1],
- ipabaseid=[unicode(domain4range1_base_id)],
+ cn=[domain2range1],
+ ipabaseid=[unicode(domain2range1_base_id)],
ipabaserid=[unicode(domain5range1_base_rid)],
- ipaidrangesize=[unicode(domain4range1_size)],
- ipanttrusteddomainsid=[unicode(domain4_sid)],
- iparangetype=[u'Active Directory trust range with POSIX '
- 'attributes'],
+ ipaidrangesize=[unicode(domain2range1_size)],
+ ipanttrusteddomainsid=[unicode(domain2_sid)],
+ iparangetype=[u'Active Directory domain range'],
),
- value=domain4range1,
- summary=u'Modified ID range "%s"' % (domain4range1),
+ value=domain2range1,
+ summary=u'Modified ID range "%s"' % (domain2range1),
),
),
@@ -794,9 +898,9 @@ class test_range(Declarative):
dict(
desc=('Modify ipa-ad-trust range %r to overlap on base RID range'
- ' with range from the same domain' % (domain5range1)),
- command=('idrange_mod', [domain5range1],
- dict(ipabaserid=domain5range2_base_rid)),
+ ' with range from the same domain' % (domain2range1)),
+ command=('idrange_mod', [domain2range1],
+ dict(ipabaserid=domain2range2_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New primary rid range overlaps with existing primary rid '
--
1.9.3
From a736cd0fd1016e5e952a02b89824e0e9762dc904 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <[email protected]>
Date: Mon, 13 Oct 2014 14:57:45 +0200
Subject: [PATCH 1/5] ranges: prohibit setting --rid-base with
ipa-trust-ad-posix type
We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.
Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.
No schema change is done.
https://fedorahosted.org/freeipa/ticket/4221
---
ipalib/plugins/idrange.py | 58 ++++++++++++++++++++++++++++++++++++-----------
1 file changed, 45 insertions(+), 13 deletions(-)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 9e0481e94048c465f9a86112378a47390de0d494..14dfd43c7f23574b514d4fc31966f427130b2e24 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -248,6 +248,12 @@ class idrange(LDAPObject):
if not options.get('all', False) or options.get('pkey_only', False):
entry_attrs.pop('objectclass', None)
+ def handle_ipabaserid(self, entry_attrs, options):
+ if any((options.get('pkey_only', False), options.get('raw', False))):
+ return
+ if entry_attrs['iparangetype'][0] == u'ipa-ad-trust-posix':
+ entry_attrs.pop('ipabaserid', None)
+
def check_ids_in_modified_range(self, old_base, old_size, new_base,
new_size):
if new_base is None and new_size is None:
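Review bot: handle_ipabaserid reads `entry_attrs['iparangetype'][0]` unguarded and compares it to the raw value, so it must run before handle_iparangetype (which replaces that value with a localised label) and it raises KeyError on an entry that has no iparangetype. The post_callbacks below do call it first, but that ordering is silent; add a comment stating the requirement, and use `entry_attrs.get('iparangetype', [None])[0]` so a missing attribute degrades to "show the value" rather than a traceback.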
@@ -486,23 +492,33 @@ class idrange_add(LDAPCreate):
if not is_set('iparangetype'):
entry_attrs['iparangetype'] = u'ipa-ad-trust'
- if entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
- u'ipa-ad-trust-posix'):
+ if entry_attrs['iparangetype'] == u'ipa-ad-trust':
+ if not is_set('ipabaserid'):
+ raise errors.ValidationError(
+ name='ID Range setup',
+ error=_('Options dom-sid/dom-name and rid-base must '
+ 'be used together')
+ )
+ elif entry_attrs['iparangetype'] == u'ipa-ad-trust-posix':
+ if is_set('ipabaserid') and entry_attrs['ipabaserid'] != 0:
+ raise errors.ValidationError(
+ name='ID Range setup',
+ error=_('Option rid-base must not be used when IPA '
+ 'range type is ipa-ad-trust-posix')
+ )
+ else:
+ entry_attrs['ipabaserid'] = 0
+ else:
raise errors.ValidationError(name='ID Range setup',
error=_('IPA Range type must be one of ipa-ad-trust '
'or ipa-ad-trust-posix when SID of the trusted '
- 'domain is specified.'))
+ 'domain is specified'))
if is_set('ipasecondarybaserid'):
raise errors.ValidationError(name='ID Range setup',
error=_('Options dom-sid/dom-name and secondary-rid-base '
'cannot be used together'))
- if not is_set('ipabaserid'):
- raise errors.ValidationError(name='ID Range setup',
- error=_('Options dom-sid/dom-name and rid-base must '
- 'be used together'))
-
# Validate SID as the one of trusted domains
self.obj.validate_trusted_domain_sid(
entry_attrs['ipanttrusteddomainsid'])
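Review bot: an explicit `--rid-base=0` on an ipa-ad-trust-posix range is accepted silently by the `!= 0` test, while the error text says rid-base must not be used at all; either reject any explicit value or document in the option help that 0 is the permitted sentinel, so message and behaviour agree. The help for --rid-base and the plugin docstring should also say that the option is prohibited for posix ranges, and the type should be spelled consistently: the code and error text say ipa-ad-trust-posix while the commit subject and message say ipa-trust-ad-posix.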
@@ -557,6 +573,7 @@ class idrange_add(LDAPCreate):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
+ self.obj.handle_ipabaserid(entry_attrs, options)
self.obj.handle_iparangetype(entry_attrs, options,
keep_objectclass=True)
return dn
@@ -628,6 +645,7 @@ class idrange_find(LDAPSearch):
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
+ self.obj.handle_ipabaserid(entry, options)
self.obj.handle_iparangetype(entry, options)
return truncated
@@ -643,6 +661,7 @@ class idrange_show(LDAPRetrieve):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
+ self.obj.handle_ipabaserid(entry_attrs, options)
self.obj.handle_iparangetype(entry_attrs, options)
return dn
@@ -699,11 +718,23 @@ class idrange_mod(LDAPUpdate):
raise errors.ValidationError(name='ID Range setup',
error=_('Options dom-sid and secondary-rid-base cannot '
'be used together'))
-
- if not in_updated_attrs('ipabaserid'):
- raise errors.ValidationError(name='ID Range setup',
- error=_('Options dom-sid and rid-base must '
- 'be used together'))
+ range_type = old_attrs['iparangetype'][0]
+ if range_type == u'ipa-ad-trust':
+ if not in_updated_attrs('ipabaserid'):
+ raise errors.ValidationError(
+ name='ID Range setup',
+ error=_('Options dom-sid and rid-base must '
+ 'be used together'))
+ elif (range_type == u'ipa-ad-trust-posix' and
+ 'ipabaserid' in entry_attrs):
+ if entry_attrs['ipabaserid'] is None:
+ entry_attrs['ipabaserid'] = 0
+ elif entry_attrs['ipabaserid'] != 0:
+ raise errors.ValidationError(
+ name='ID Range setup',
+ error=_('Option rid-base must not be used when IPA '
+ 'range type is ipa-ad-trust-posix')
+ )
if is_set('ipanttrusteddomainsid'):
# Validate SID as the one of trusted domains
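Review bot: the new checks key off `old_attrs['iparangetype'][0]` but sit inside the existing dom-sid branch (see the "Options dom-sid and secondary-rid-base cannot be used together" error just above); confirm that in_updated_attrs also considers the stored SID, otherwise a bare `idrange-mod --rid-base=N` on an existing posix range never reaches this code, which the new unit test expects it to. The `entry_attrs['ipabaserid'] is None` branch quietly turns a cleared value into 0; that is the right behaviour for ranges migrated by the updater, so mention in the command help that `--rid-base=` is the supported way to reset one.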
@@ -766,6 +797,7 @@ class idrange_mod(LDAPUpdate):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
+ self.obj.handle_ipabaserid(entry_attrs, options)
self.obj.handle_iparangetype(entry_attrs, options)
return dn
--
1.9.3
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
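The rules that patches 773 and 775 spread across idrange_add, idrange_mod, the post_callbacks and the updater's LDAP filter, collected into one stand-alone Python model. This is an added example for this page, not FreeIPA's idrange plugin or updater: RangeSpec, validate_add, validate_mod, for_display and needs_baserid_update are illustrative names, the local-range rules are deliberately left out because the thread does not show them, and the error strings are copied from the patch so the model can be compared with it line by line.

```python
"""Stand-alone model of the ID-range base-RID rules from this patch set.

Added example for this page; it is NOT FreeIPA's idrange plugin. The names
below are assumptions chosen for illustration; only the error strings and
the per-type rules are taken from the patch.
"""
from dataclasses import dataclass, replace
from typing import Optional

AD_TRUST = "ipa-ad-trust"
AD_TRUST_POSIX = "ipa-ad-trust-posix"
LOCAL = "ipa-local"

# Localised labels as printed by idrange-show in the thread.
TYPE_LABELS = {
    LOCAL: "local domain range",
    AD_TRUST: "Active Directory domain range",
    AD_TRUST_POSIX: "Active Directory trust range with POSIX attributes",
}


class RangeValidationError(ValueError):
    """Stands in for ipalib's errors.ValidationError(name='ID Range setup')."""


@dataclass
class RangeSpec:
    name: str
    base_id: int
    size: int
    range_type: Optional[str] = None
    base_rid: Optional[int] = None
    secondary_base_rid: Optional[int] = None
    dom_sid: Optional[str] = None


def validate_add(spec: RangeSpec) -> RangeSpec:
    """idrange-add rules for ranges created with a trusted-domain SID.

    Returns a normalised copy. Ranges without a SID (local ranges) are passed
    through untouched: their rules are not part of this patch.
    """
    spec = replace(spec)
    if spec.dom_sid is None:
        return spec
    if spec.range_type is None:
        spec.range_type = AD_TRUST          # default when a SID is given
    if spec.range_type == AD_TRUST:
        if spec.base_rid is None:
            raise RangeValidationError(
                "Options dom-sid/dom-name and rid-base must be used together")
    elif spec.range_type == AD_TRUST_POSIX:
        if spec.base_rid not in (None, 0):
            raise RangeValidationError(
                "Option rid-base must not be used when IPA range type is "
                "ipa-ad-trust-posix")
        spec.base_rid = 0                   # ipaBaseRID is MUST; 0 is the internal sentinel
    else:
        raise RangeValidationError(
            "IPA Range type must be one of ipa-ad-trust or ipa-ad-trust-posix "
            "when SID of the trusted domain is specified")
    if spec.secondary_base_rid is not None:
        raise RangeValidationError(
            "Options dom-sid/dom-name and secondary-rid-base cannot be used together")
    return spec


def validate_mod(old: RangeSpec, **changes) -> RangeSpec:
    """idrange-mod rules: the *stored* range type decides what --rid-base may do."""
    new = replace(old, **changes)
    if "secondary_base_rid" in changes and new.dom_sid is not None:
        raise RangeValidationError(
            "Options dom-sid and secondary-rid-base cannot be used together")
    if old.range_type == AD_TRUST:
        if new.base_rid is None:            # clearing rid-base on an AD range is rejected
            raise RangeValidationError(
                "Options dom-sid and rid-base must be used together")
    elif old.range_type == AD_TRUST_POSIX and "base_rid" in changes:
        if new.base_rid is None:            # --rid-base= (cleared) resets to the sentinel
            new.base_rid = 0
        elif new.base_rid != 0:
            raise RangeValidationError(
                "Option rid-base must not be used when IPA range type is "
                "ipa-ad-trust-posix")
    return new


def for_display(spec: RangeSpec, raw: bool = False) -> dict:
    """What show/find return: hide the 0 sentinel, add the raw type beside the label."""
    out = {"cn": spec.name, "ipabaseid": spec.base_id,
           "ipaidrangesize": spec.size, "iparangetype": spec.range_type}
    if spec.base_rid is not None:
        out["ipabaserid"] = spec.base_rid
    if spec.secondary_base_rid is not None:
        out["ipasecondarybaserid"] = spec.secondary_base_rid
    if spec.dom_sid is not None:
        out["ipanttrusteddomainsid"] = spec.dom_sid
    if raw:                                 # --raw: attribute values exactly as stored
        return out
    if spec.range_type == AD_TRUST_POSIX:
        out.pop("ipabaserid", None)         # handle_ipabaserid
    out["iparangetyperaw"] = spec.range_type  # patch 4
    out["iparangetype"] = TYPE_LABELS.get(spec.range_type)
    return out


def needs_baserid_update(stored: RangeSpec) -> bool:
    """Python mirror of the updater's filter:
    (&(objectClass=ipaTrustedADDomainRange)(ipaRangeType=ipa-ad-trust-posix)(!(ipaBaseRID=0)))"""
    return (stored.dom_sid is not None
            and stored.range_type == AD_TRUST_POSIX
            and stored.base_rid != 0)
```

Used as a checklist, the model answers the three questions the thread raises: a posix range created with --rid-base is rejected, a pre-4.1 posix range with a non-zero ipaBaseRID is the one the updater rewrites, and the display path drops the 0 sentinel while still exposing the raw type for the Web UI.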