Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-18 Thread Alexander Bokovoy

On Fri, 15 Feb 2013, Tomas Babej wrote:

On 02/14/2013 05:37 PM, Alexander Bokovoy wrote:

On Thu, 14 Feb 2013, Tomas Babej wrote:

+ Str('ipanttrusteddomainname?',
+ cli_name='dom_name',
+ flags=('no_search', 'virtual_attribute'),
+ label=_('Name of the trusted domain'),
+ ),
New option is added but API.txt wasn't changed. As a result, 'make rpms'
does not work.

Could you please fix the patch and re-send it?


Sorry about that.

Updated patch attached.

I have one small question regarding use of dom_sid/dom_name.

If both dom_sid and dom_name were specified, failing to resolve dom_name
would force the command to raise an exception.

I'm not sure this is the right behavior. Probably we should detect that both
dom_sid and dom_name were specified and bail out earlier so that only
one of them is accepted. That would be clearer to users, wouldn't it?
Sure, I definitely agree on that point. I added the check to idrange-add and
idrange-mod. Also, the patch needed a rebase to apply on the current master.
I tried to play with various scenarios and one thing I noticed is that we
refer to dom_sid and dom_name in the error messages as they are named
internally. CLI replaces underscore by hyphen (_ -> -) and therefore
this error message becomes wrong -- you cannot specify --dom_sid, this
option is unknown to CLI.

In Web UI this would also mean an error message pointing to non-existing
option. Perhaps it would be reasonable to name options '--name' and
'--sid'? We don't have any clash there:
-
# ipa idrange-mod --help
Usage: ipa [global-options] idrange-mod NAME [options]

Positional arguments:
  NAME                      Range name

Options:
  -h, --help                show this help message and exit
  --base-id=INT             First Posix ID of the range
  --range-size=INT          Number of IDs in the range
  --rid-base=INT            First RID of the corresponding RID range
  --secondary-rid-base=INT
                            First RID of the secondary RID range
  --dom-sid=STR             Domain SID of the trusted domain
  --dom-name=STR            Name of the trusted domain
  --setattr=STR             Set an attribute to a name/value pair. Format is
                            attr=value. For multi-valued attributes, the command
                            replaces the values already present.
  --addattr=STR             Add an attribute/value pair. Format is attr=value. The
                            attribute must be part of the schema.
  --delattr=STR             Delete an attribute/value pair. The option will be
                            evaluated last, after all sets and adds.
  --rights                  Display the access rights of this entry (requires
                            --all). See ipa man page for details.
  --all                     Retrieve and print all attributes from the server.
                            Affects command output.
  --raw                     Print entries as stored on the server. Only affects
                            output format.
-

So, if --name and --sid were used, an error message would become
--
# ipa idrange-mod AD.LAN_id_range --dom-name foo.bar
ipa: ERROR: invalid 'ID Range setup': SID for the specified trusted
domain name could not be found. Please specify the SID directly using
--sid option.
--


Additionally, there is an error when SID for an object within the domain
is specified. Last RID of the SID represents an object within the domain
and we generally need to be careful allowing it in the place where
domain SID is specified:

# ipa idrange-mod AD.LAN_id_range --dom-sid S-1-5-21-3502988750-125904550-3683905862-1
---
Modified ID range AD.LAN_id_range
---
  Range name: AD.LAN_id_range
  First Posix ID of the range: 144280
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3502988750-125904550-3683905862-1
  Range type: Active Directory domain range

Now this range is completely unusable due to the fact that there is no
way to match the domain SID against the range.

I think we need to make the check against established trusts more
strict and only allow exact match.

1.) Regarding dom_sid and dom_name options, we do not have to change their
internal names to get more user-friendly error messages. These are hardcoded
strings, and not generated from internal names of the options. I followed the
naming convention already set in the file, but you're right, the current state
is somewhat confusing to the end user. I changed all the error messages so that
they refer to hyphen-versions of the options (not only dom_sid/dom_name but
also rid_base, etc.).

Ok, thanks.

I considered renaming the options to --sid and --name. However, although

Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-18 Thread Tomas Babej

On 02/18/2013 12:36 PM, Alexander Bokovoy wrote:

On Fri, 15 Feb 2013, Tomas Babej wrote:

On 02/14/2013 05:37 PM, Alexander Bokovoy wrote:

On Thu, 14 Feb 2013, Tomas Babej wrote:

+ Str('ipanttrusteddomainname?',
+ cli_name='dom_name',
+ flags=('no_search', 'virtual_attribute'),
+ label=_('Name of the trusted domain'),
+ ),
New option is added but API.txt wasn't changed. As a result, 'make rpms'
does not work.

Could you please fix the patch and re-send it?


Sorry about that.

Updated patch attached.

I have one small question regarding use of dom_sid/dom_name.

If both dom_sid and dom_name were specified, failing to resolve dom_name
would force the command to raise an exception.

I'm not sure this is the right behavior. Probably we should detect that both
dom_sid and dom_name were specified and bail out earlier so that only
one of them is accepted. That would be clearer to users, wouldn't it?
Sure, I definitely agree on that point. I added the check to idrange-add and
idrange-mod. Also, the patch needed a rebase to apply on the current master.
I tried to play with various scenarios and one thing I noticed is that we
refer to dom_sid and dom_name in the error messages as they are named
internally. CLI replaces underscore by hyphen (_ -> -) and therefore
this error message becomes wrong -- you cannot specify --dom_sid, this
option is unknown to CLI.

In Web UI this would also mean an error message pointing to non-existing
option. Perhaps it would be reasonable to name options '--name' and
'--sid'? We don't have any clash there:
-
# ipa idrange-mod --help
Usage: ipa [global-options] idrange-mod NAME [options]

Positional arguments:
  NAME                      Range name

Options:
  -h, --help                show this help message and exit
  --base-id=INT             First Posix ID of the range
  --range-size=INT          Number of IDs in the range
  --rid-base=INT            First RID of the corresponding RID range
  --secondary-rid-base=INT
                            First RID of the secondary RID range
  --dom-sid=STR             Domain SID of the trusted domain
  --dom-name=STR            Name of the trusted domain
  --setattr=STR             Set an attribute to a name/value pair. Format is
                            attr=value. For multi-valued attributes, the command
                            replaces the values already present.
  --addattr=STR             Add an attribute/value pair. Format is attr=value. The
                            attribute must be part of the schema.
  --delattr=STR             Delete an attribute/value pair. The option will be
                            evaluated last, after all sets and adds.
  --rights                  Display the access rights of this entry (requires
                            --all). See ipa man page for details.
  --all                     Retrieve and print all attributes from the server.
                            Affects command output.
  --raw                     Print entries as stored on the server. Only affects
                            output format.
-

So, if --name and --sid were used, an error message would become
--
# ipa idrange-mod AD.LAN_id_range --dom-name foo.bar
ipa: ERROR: invalid 'ID Range setup': SID for the specified trusted
domain name could not be found. Please specify the SID directly using
--sid option.
--


Additionally, there is an error when SID for an object within the domain
is specified. Last RID of the SID represents an object within the domain
and we generally need to be careful allowing it in the place where
domain SID is specified:

# ipa idrange-mod AD.LAN_id_range --dom-sid S-1-5-21-3502988750-125904550-3683905862-1
---
Modified ID range AD.LAN_id_range
---
  Range name: AD.LAN_id_range
  First Posix ID of the range: 144280
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3502988750-125904550-3683905862-1
  Range type: Active Directory domain range

Now this range is completely unusable due to the fact that there is no
way to match the domain SID against the range.

I think we need to make the check against established trusts more
strict and only allow exact match.

1.) Regarding dom_sid and dom_name options, we do not have to change their
internal names to get more user-friendly error messages. These are hardcoded
strings, and not generated from internal names of the options. I followed the
naming convention already set in the file, but you're right, the current state
is somewhat confusing to the end user. I changed all the error messages so that
they refer to hyphen-versions of the options (not only dom_sid/dom_name but
also rid_base, etc.).

Ok, thanks.

I considered 

Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-18 Thread Martin Kosek
On 02/18/2013 12:36 PM, Alexander Bokovoy wrote:
 On Fri, 15 Feb 2013, Tomas Babej wrote:
 On 02/14/2013 05:37 PM, Alexander Bokovoy wrote:
 On Thu, 14 Feb 2013, Tomas Babej wrote:
 + Str('ipanttrusteddomainname?',
 + cli_name='dom_name',
 + flags=('no_search', 'virtual_attribute'),
 + label=_('Name of the trusted domain'),
 + ),
 New option is added but API.txt wasn't changed. As a result, 'make rpms'
 does not work.

 Could you please fix the patch and re-send it?

 Sorry about that.

 Updated patch attached.
 I have one small question regarding use of dom_sid/dom_name.

 If both dom_sid and dom_name were specified, failing to resolve dom_name
 would force the command to raise an exception.

 I'm not sure this is the right behavior. Probably we should detect that both
 dom_sid and dom_name were specified and bail out earlier so that only
 one of them is accepted. That would be clearer to users, wouldn't it?
 Sure, I definitely agree on that point. I added the check to idrange-add and
 idrange-mod. Also, the patch needed a rebase to apply on the current master.
 I tried to play with various scenarios and one thing I noticed is that we
 refer to dom_sid and dom_name in the error messages as they are
 named internally. CLI replaces underscore by hyphen (_ -> -) and therefore
 this error message becomes wrong -- you cannot specify --dom_sid, this
 option is unknown to CLI.

 In Web UI this would also mean an error message pointing to non-existing
 option. Perhaps it would be reasonable to name options '--name' and
 '--sid'? We don't have any clash there:
 -
 # ipa idrange-mod --help
 Usage: ipa [global-options] idrange-mod NAME [options]

 Positional arguments:
   NAME                      Range name

 Options:
   -h, --help                show this help message and exit
   --base-id=INT             First Posix ID of the range
   --range-size=INT          Number of IDs in the range
   --rid-base=INT            First RID of the corresponding RID range
   --secondary-rid-base=INT
                             First RID of the secondary RID range
   --dom-sid=STR             Domain SID of the trusted domain
   --dom-name=STR            Name of the trusted domain
   --setattr=STR             Set an attribute to a name/value pair. Format is
                             attr=value. For multi-valued attributes, the command
                             replaces the values already present.
   --addattr=STR             Add an attribute/value pair. Format is attr=value. The
                             attribute must be part of the schema.
   --delattr=STR             Delete an attribute/value pair. The option will be
                             evaluated last, after all sets and adds.
   --rights                  Display the access rights of this entry (requires
                             --all). See ipa man page for details.
   --all                     Retrieve and print all attributes from the server.
                             Affects command output.
   --raw                     Print entries as stored on the server. Only affects
                             output format.
 -

 So, if --name and --sid were used, an error message would become
 --
 # ipa idrange-mod AD.LAN_id_range --dom-name foo.bar
 ipa: ERROR: invalid 'ID Range setup': SID for the specified trusted
 domain name could not be found. Please specify the SID directly using
 --sid option.
 --


 Additionally, there is an error when SID for an object within the domain
 is specified. Last RID of the SID represents an object within the domain
 and we generally need to be careful allowing it in the place where
 domain SID is specified:

 # ipa idrange-mod AD.LAN_id_range --dom-sid S-1-5-21-3502988750-125904550-3683905862-1
 ---
 Modified ID range AD.LAN_id_range
 ---
  Range name: AD.LAN_id_range
  First Posix ID of the range: 144280
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3502988750-125904550-3683905862-1
  Range type: Active Directory domain range

 Now this range is completely unusable due to the fact that there is no
 way to match the domain SID against the range.

 I think we need to make the check against established trusts more
 strict and only allow exact match.

 1.) Regarding dom_sid and dom_name options, we do not have to change their
 internal names to get more user-friendly error messages. These are hardcoded
 strings, and not generated from internal names of the options. I followed the
 naming convention already set in the file, but you're right, the current state
 is somewhat confusing to the end user. I changed all the error messages so that
 they refer to hyphen-versions of the options (not only dom_sid/dom_name but

Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-15 Thread Tomas Babej

On 02/14/2013 05:37 PM, Alexander Bokovoy wrote:

On Thu, 14 Feb 2013, Tomas Babej wrote:

+ Str('ipanttrusteddomainname?',
+ cli_name='dom_name',
+ flags=('no_search', 'virtual_attribute'),
+ label=_('Name of the trusted domain'),
+ ),
New option is added but API.txt wasn't changed. As a result, 'make rpms'
does not work.

Could you please fix the patch and re-send it?


Sorry about that.

Updated patch attached.

I have one small question regarding use of dom_sid/dom_name.

If both dom_sid and dom_name were specified, failing to resolve dom_name
would force the command to raise an exception.

I'm not sure this is the right behavior. Probably we should detect that both
dom_sid and dom_name were specified and bail out earlier so that only
one of them is accepted. That would be clearer to users, wouldn't it?
Sure, I definitely agree on that point. I added the check to idrange-add and
idrange-mod. Also, the patch needed a rebase to apply on the current master.
I tried to play with various scenarios and one thing I noticed is that we
refer to dom_sid and dom_name in the error messages as they are named
internally. CLI replaces underscore by hyphen (_ -> -) and therefore
this error message becomes wrong -- you cannot specify --dom_sid, this
option is unknown to CLI.

In Web UI this would also mean an error message pointing to non-existing
option. Perhaps it would be reasonable to name options '--name' and
'--sid'? We don't have any clash there:
-
# ipa idrange-mod --help
Usage: ipa [global-options] idrange-mod NAME [options]

Positional arguments:
  NAME                      Range name

Options:
  -h, --help                show this help message and exit
  --base-id=INT             First Posix ID of the range
  --range-size=INT          Number of IDs in the range
  --rid-base=INT            First RID of the corresponding RID range
  --secondary-rid-base=INT
                            First RID of the secondary RID range
  --dom-sid=STR             Domain SID of the trusted domain
  --dom-name=STR            Name of the trusted domain
  --setattr=STR             Set an attribute to a name/value pair. Format is
                            attr=value. For multi-valued attributes, the command
                            replaces the values already present.
  --addattr=STR             Add an attribute/value pair. Format is attr=value. The
                            attribute must be part of the schema.
  --delattr=STR             Delete an attribute/value pair. The option will be
                            evaluated last, after all sets and adds.
  --rights                  Display the access rights of this entry (requires
                            --all). See ipa man page for details.
  --all                     Retrieve and print all attributes from the server.
                            Affects command output.
  --raw                     Print entries as stored on the server. Only affects
                            output format.
-

So, if --name and --sid were used, an error message would become
--
# ipa idrange-mod AD.LAN_id_range --dom-name foo.bar
ipa: ERROR: invalid 'ID Range setup': SID for the specified trusted
domain name could not be found. Please specify the SID directly using
--sid option.
--


Additionally, there is an error when SID for an object within the domain
is specified. Last RID of the SID represents an object within the domain
and we generally need to be careful allowing it in the place where
domain SID is specified:

# ipa idrange-mod AD.LAN_id_range --dom-sid S-1-5-21-3502988750-125904550-3683905862-1
---
Modified ID range AD.LAN_id_range
---
  Range name: AD.LAN_id_range
  First Posix ID of the range: 144280
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3502988750-125904550-3683905862-1
  Range type: Active Directory domain range

Now this range is completely unusable due to the fact that there is no
way to match the domain SID against the range.

I think we need to make the check against established trusts more
strict and only allow exact match.

1.) Regarding dom_sid and dom_name options, we do not have to change their
internal names to get more user-friendly error messages. These are hardcoded
strings, and not generated from internal names of the options. I followed the
naming convention already set in the file, but you're right, the current state
is somewhat confusing to the end user. I changed all the error messages so that
they refer to hyphen-versions of the options (not only dom_sid/dom_name but
also rid_base, etc.).


I considered renaming the options to --sid and --name. However, although 
--sid is pretty 

Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-14 Thread Tomas Babej

On 02/12/2013 06:58 PM, Petr Vobornik wrote:

On 02/04/2013 05:23 PM, Tomas Babej wrote:

Hi,

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133

Tomas




Just wondering: How bad would it be to not introduce new virtual 
attribute and just use the ipanttrusteddomainsid. On add and mod (when 
ipanttrusteddomainsid is set) we would check if ipanttrusteddomainsid 
is SID. If not, it would be treated as domain name and 
get_trusted_domain_sid_from_name method will be used to get the SID.


I'm asking because I don't really like virtual and standard attributes 
for the same ldap attribute in a mod command. In WEB UI details page 
we have to display only one field - ipanttrusteddomainsid.


So we are left with options:
  1) do not use this feature for mod operations in Web UI
  2) enter domain name in ipanttrusteddomainsid field, implement the 
aforementioned check in Web UI and fill the correct option in RPC request
  3) add special action into action list which will open new dialog, 
user will enter domain name, mod command with ipanttrusteddomainname 
set will be executed on confirmation

  4) some other method

I don't really like any of the options. If a SID check is an easy 
operation, we can go with #2, but I would still rather see this logic 
in server plugin.


Just for the record, after a short discussion with Petr we decided to 
keep the virtual attribute ipatrustedomainname as it is. The idea of 
having ipatrusteddomainsid do two different things seems rather 
confusing, and in the end would be probably less user-friendly. In the 
WebUI, user should be able to enter SID using either domain name or 
domain SID. The proposal is that user would be able to either modify 
domain SID or enter domain name (and therefore modify SID).


Tomas

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-14 Thread Tomas Babej

On 02/12/2013 06:00 PM, Alexander Bokovoy wrote:

On Fri, 08 Feb 2013, Tomas Babej wrote:

On 02/08/2013 03:25 PM, Alexander Bokovoy wrote:

On Mon, 04 Feb 2013, Tomas Babej wrote:

Hi,

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133

Tomas


From 72f8802953edaaf5b9f7c34a38601fbccd681c8e Mon Sep 17 00:00:00 2001

From: Tomas Babej tba...@redhat.com
Date: Mon, 4 Feb 2013 08:33:53 -0500
Subject: [PATCH] Add option to specify SID using domain name to
idrange-add/mod

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133
---
ipalib/plugins/idrange.py | 78 +--
ipaserver/dcerpc.py       | 10 ++
2 files changed, 78 insertions(+), 10 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 
84e1057ac6b59b8ad99882a54e3288897338c978..77a75e4cabc18ca873be7cadcf870427d5b36ea0 
100644

--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -197,6 +197,11 @@ class idrange(LDAPObject):
cli_name='dom_sid',
label=_('Domain SID of the trusted domain'),
),
+ Str('ipanttrusteddomainname?',
+ cli_name='dom_name',
+ flags=('no_search', 'virtual_attribute'),
+ label=_('Name of the trusted domain'),
+ ),

New option is added but API.txt wasn't changed. As a result, 'make rpms'
does not work.

Could you please fix the patch and re-send it?


Sorry about that.

Updated patch attached.

I have one small question regarding use of dom_sid/dom_name.

If both dom_sid and dom_name were specified, failing to resolve dom_name
would force the command to raise an exception.

I'm not sure this is the right behavior. Probably we should detect that both
dom_sid and dom_name were specified and bail out earlier so that only
one of them is accepted. That would be clearer to users, wouldn't it?

Sure, I definitely agree on that point. I added the check to idrange-add and
idrange-mod. Also, the patch needed a rebase to apply on the current master.

Tomas
From 9064bdff83cb21ad9690b2d8b40a9722ecbb3283 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 4 Feb 2013 08:33:53 -0500
Subject: [PATCH] Add option to specify SID using domain name to
 idrange-add/mod

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133
---
 API.txt   |  6 ++--
 ipalib/plugins/idrange.py | 90 +--
 ipaserver/dcerpc.py   | 10 ++
 3 files changed, 93 insertions(+), 13 deletions(-)

diff --git a/API.txt b/API.txt
index d1913022b180cd0922f98931ad6030cb0555a6c0..5219c51be62862c43ebe9396147ff220b33605c7 100644
--- a/API.txt
+++ b/API.txt
@@ -1885,13 +1885,14 @@ command: i18n_messages
 args: 0,0,1
 output: Output('messages', type 'dict', None)
 command: idrange_add
-args: 1,11,3
+args: 1,12,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Int('ipabaseid', attribute=True, cli_name='base_id', multivalue=False, required=True)
 option: Int('ipabaserid', attribute=True, cli_name='rid_base', multivalue=False, required=False)
 option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True)
+option: Str('ipanttrusteddomainname', attribute=False, cli_name='dom_name', multivalue=False, required=False)
 option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False)
 option: Str('iparangetype', attribute=True, cli_name='iparangetype', multivalue=False, required=False)
 option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False)
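Review bot: the new `ipanttrusteddomainname` option is registered with `attribute=False`, which is the right pairing for the `virtual_attribute` flag in the plugin, since the domain name only resolves to a SID and must never be written to LDAP as an attribute of the range; the args count bump from 1,11,3 to 1,12,3 is consistent with exactly one option added. The declaration still says nothing about its relationship to `ipanttrusteddomainsid` on the next line, so the mutual-exclusion check discussed in the thread has to live in the command callbacks and should report the CLI spellings (--dom-sid, --dom-name) rather than the internal names.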
@@ -1929,7 +1930,7 @@ output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Output('truncated', type 'bool', None)
 command: idrange_mod
-args: 1,13,3
+args: 1,14,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
 option: 
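Review bot: the idrange_mod hunk changes the args count from 1,13,3 to 1,14,3, but the option list is cut off after `option:` in this copy, so the added `ipanttrusteddomainname` entry for idrange_mod cannot be checked against the idrange_add one above; when re-sending, confirm it is declared identically (attribute=False, required=False) so that both commands get the same validation and the same mutual-exclusion behaviour.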

Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-14 Thread Alexander Bokovoy

On Thu, 14 Feb 2013, Tomas Babej wrote:

+ Str('ipanttrusteddomainname?',
+ cli_name='dom_name',
+ flags=('no_search', 'virtual_attribute'),
+ label=_('Name of the trusted domain'),
+ ),

New option is added but API.txt wasn't changed. As a result, 'make rpms'
does not work.

Could you please fix the patch and re-send it?


Sorry about that.

Updated patch attached.

I have one small question regarding use of dom_sid/dom_name.

If both dom_sid and dom_name were specified, failing to resolve dom_name
would force the command to raise an exception.

I'm not sure this is the right behavior. Probably we should detect that both
dom_sid and dom_name were specified and bail out earlier so that only
one of them is accepted. That would be clearer to users, wouldn't it?

Sure, I definitely agree on that point. I added the check to idrange-add and
idrange-mod. Also, the patch needed a rebase to apply on the current master.
I tried to play with various scenarios and one thing I noticed is
that we refer to dom_sid and dom_name in the error messages as they are
named internally. CLI replaces underscore by hyphen (_ -> -) and therefore
this error message becomes wrong -- you cannot specify --dom_sid, this
option is unknown to CLI.

In Web UI this would also mean an error message pointing to non-existing
option. Perhaps it would be reasonable to name options '--name' and
'--sid'? We don't have any clash there:
-
# ipa idrange-mod --help
Usage: ipa [global-options] idrange-mod NAME [options]

Positional arguments:
  NAME                      Range name

Options:
  -h, --help                show this help message and exit
  --base-id=INT             First Posix ID of the range
  --range-size=INT          Number of IDs in the range
  --rid-base=INT            First RID of the corresponding RID range
  --secondary-rid-base=INT
                            First RID of the secondary RID range
  --dom-sid=STR             Domain SID of the trusted domain
  --dom-name=STR            Name of the trusted domain
  --setattr=STR             Set an attribute to a name/value pair. Format is
                            attr=value. For multi-valued attributes, the command
                            replaces the values already present.
  --addattr=STR             Add an attribute/value pair. Format is attr=value. The
                            attribute must be part of the schema.
  --delattr=STR             Delete an attribute/value pair. The option will be
                            evaluated last, after all sets and adds.
  --rights                  Display the access rights of this entry (requires
                            --all). See ipa man page for details.
  --all                     Retrieve and print all attributes from the server.
                            Affects command output.
  --raw                     Print entries as stored on the server. Only affects
                            output format.
-

So, if --name and --sid were used, an error message would become
--
# ipa idrange-mod AD.LAN_id_range --dom-name foo.bar
ipa: ERROR: invalid 'ID Range setup': SID for the specified trusted
domain name could not be found. Please specify the SID directly using
--sid option.
--


Additionally, there is an error when SID for an object within the domain
is specified. Last RID of the SID represents an object within the domain
and we generally need to be careful allowing it in the place where
domain SID is specified:

# ipa idrange-mod AD.LAN_id_range --dom-sid S-1-5-21-3502988750-125904550-3683905862-1
---
Modified ID range AD.LAN_id_range
---
  Range name: AD.LAN_id_range
  First Posix ID of the range: 144280
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3502988750-125904550-3683905862-1
  Range type: Active Directory domain range

Now this range is completely unusable due to the fact that there is no
way to match the domain SID against the range.

I think we need to make the check against established trusts more
strict and only allow exact match.

--
/ Alexander Bokovoy

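The two checks Alexander asks for above (reject --dom-sid together with --dom-name up front, and accept only a domain SID that exactly matches an established trust, so that an object SID with a trailing RID such as S-1-5-21-3502988750-125904550-3683905862-1 is refused), plus the "is this string a SID or a domain name?" test Petr Vobornik raised for the Web UI, worked through as an added Python example. This is not FreeIPA code: parse_sid, is_domain_sid, resolve_range_sid and the TRUSTS table are hypothetical names chosen for the example, and the single trust entry is constructed.

```python
import re

# String form of a Windows SID: S-1-<authority>-<sub-authority>[-<sub-authority>...]
# (authority is a 48-bit value, each sub-authority a 32-bit value).
_SID_RE = re.compile(r"^S-1-(\d{1,15})((?:-\d{1,10})+)$")


def parse_sid(text):
    """Return (authority, [sub-authorities]) or raise ValueError on bad syntax."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError("not a valid SID string: %r" % (text,))
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if authority > 0xFFFFFFFFFFFF or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("SID component out of range: %r" % (text,))
    return authority, subs


def is_domain_sid(text):
    """True only for a domain SID of the exact form S-1-5-21-A-B-C.

    S-1-5-21-A-B-C-RID names an object (user, group, computer) inside the
    domain, not the domain itself.  Storing it on an ID range leaves the range
    unmatchable, which is the failure shown in the thread.  Any string that
    does not parse as a SID (e.g. a domain name) yields False, which is the
    test Petr proposed for telling the two inputs apart.
    """
    try:
        authority, subs = parse_sid(text)
    except ValueError:
        return False
    return authority == 5 and len(subs) == 4 and subs[0] == 21


# Constructed table of established trusts (hypothetical): domain name -> domain SID
TRUSTS = {
    "ad.lan": "S-1-5-21-3502988750-125904550-3683905862",
}


def resolve_range_sid(dom_sid=None, dom_name=None, trusts=TRUSTS):
    """Pick the domain SID for an ID range from --dom-sid or --dom-name.

    Rules, following the proposals in the thread:
      * both options given -> reject before any lookup, naming the CLI spellings
      * --dom-name given   -> resolve via the trust table; fail with an
                              actionable message if unknown
      * --dom-sid given    -> must be a domain SID (no trailing RID) that is an
                              exact match for an established trust
    """
    if dom_sid is not None and dom_name is not None:
        raise ValueError("--dom-sid and --dom-name cannot be used together")
    if dom_name is not None:
        sid = trusts.get(dom_name.lower())
        if sid is None:
            raise ValueError("SID for the specified trusted domain name could not "
                             "be found. Please specify the SID directly using "
                             "--dom-sid option.")
        return sid
    if dom_sid is None:
        raise ValueError("either --dom-sid or --dom-name is required")
    if not is_domain_sid(dom_sid):
        raise ValueError("%r is not a domain SID (object SIDs carry a trailing RID)"
                         % (dom_sid,))
    # Exact match only: a prefix match would let the object SID above through.
    if dom_sid not in trusts.values():
        raise ValueError("%r does not match any established trust" % (dom_sid,))
    return dom_sid


if __name__ == "__main__":
    print(resolve_range_sid(dom_name="AD.LAN"))
    for args in (dict(dom_sid="S-1-5-21-3502988750-125904550-3683905862-1"),
                 dict(dom_name="foo.bar"),
                 dict(dom_sid="S-1-5-21-1-2-3", dom_name="ad.lan")):
        try:
            resolve_range_sid(**args)
        except ValueError as e:
            print("rejected %s: %s" % (args, e))
```

The exact-match comparison against the trust table is what makes the check "strict" in the sense asked for above; a comparison that only tests whether the stored SID starts with a trust's SID would silently accept the object SID from the example and produce the same unusable range.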


Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-12 Thread Alexander Bokovoy

On Fri, 08 Feb 2013, Tomas Babej wrote:

On 02/08/2013 03:25 PM, Alexander Bokovoy wrote:

On Mon, 04 Feb 2013, Tomas Babej wrote:

Hi,

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133

Tomas



From 72f8802953edaaf5b9f7c34a38601fbccd681c8e Mon Sep 17 00:00:00 2001

From: Tomas Babej tba...@redhat.com
Date: Mon, 4 Feb 2013 08:33:53 -0500
Subject: [PATCH] Add option to specify SID using domain name to
idrange-add/mod

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133
---
ipalib/plugins/idrange.py | 78 +--
ipaserver/dcerpc.py       | 10 ++
2 files changed, 78 insertions(+), 10 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 84e1057ac6b59b8ad99882a54e3288897338c978..77a75e4cabc18ca873be7cadcf870427d5b36ea0 
100644

--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -197,6 +197,11 @@ class idrange(LDAPObject):
cli_name='dom_sid',
label=_('Domain SID of the trusted domain'),
),
+ Str('ipanttrusteddomainname?',
+ cli_name='dom_name',
+ flags=('no_search', 'virtual_attribute'),
+ label=_('Name of the trusted domain'),
+ ),

New option is added but API.txt wasn't changed. As a result, 'make rpms'
does not work.

Could you please fix the patch and re-send it?


Sorry about that.

Updated patch attached.

I have one small question regarding use of dom_sid/dom_name.

If both dom_sid and dom_name were specified, failing to resolve dom_name
would force the command to raise an exception.

I'm not sure this is the right behavior. Probably we should detect that both
dom_sid and dom_name were specified and bail out earlier so that only
one of them is accepted. That would be clearer to users, wouldn't it?


--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-08 Thread Alexander Bokovoy

On Mon, 04 Feb 2013, Tomas Babej wrote:

Hi,

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up the SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in the CLI. If the lookup fails, an error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133

Tomas



From 72f8802953edaaf5b9f7c34a38601fbccd681c8e Mon Sep 17 00:00:00 2001

From: Tomas Babej tba...@redhat.com
Date: Mon, 4 Feb 2013 08:33:53 -0500
Subject: [PATCH] Add option to specify SID using domain name to
idrange-add/mod

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up the SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in the CLI. If the lookup fails, an error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133
---
ipalib/plugins/idrange.py | 78 +--
ipaserver/dcerpc.py   | 10 ++
2 files changed, 78 insertions(+), 10 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 84e1057ac6b59b8ad99882a54e3288897338c978..77a75e4cabc18ca873be7cadcf870427d5b36ea0 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -197,6 +197,11 @@ class idrange(LDAPObject):
cli_name='dom_sid',
label=_('Domain SID of the trusted domain'),
),
+Str('ipanttrusteddomainname?',
+cli_name='dom_name',
+flags=('no_search', 'virtual_attribute'),
+label=_('Name of the trusted domain'),
+),

A new option is added but API.txt wasn't changed. As a result, 'make rpms'
does not work.

Could you please fix the patch and re-send it?

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

2013-02-04 Thread Tomas Babej

Hi,

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up the SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in the CLI. If the lookup fails, an error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133

Tomas
From 72f8802953edaaf5b9f7c34a38601fbccd681c8e Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 4 Feb 2013 08:33:53 -0500
Subject: [PATCH] Add option to specify SID using domain name to
 idrange-add/mod

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up the SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in the CLI. If the lookup fails, an error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133
---
 ipalib/plugins/idrange.py | 78 +--
 ipaserver/dcerpc.py   | 10 ++
 2 files changed, 78 insertions(+), 10 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 84e1057ac6b59b8ad99882a54e3288897338c978..77a75e4cabc18ca873be7cadcf870427d5b36ea0 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -197,6 +197,11 @@ class idrange(LDAPObject):
 cli_name='dom_sid',
 label=_('Domain SID of the trusted domain'),
 ),
+Str('ipanttrusteddomainname?',
+cli_name='dom_name',
+flags=('no_search', 'virtual_attribute'),
+label=_('Name of the trusted domain'),
+),
 Str('iparangetype?',
 label=_('Range type'),
 flags=['no_option'],
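Review bot: the new `ipanttrusteddomainname?` parameter carries no documentation of how it relates to `dom_sid`: nothing in the label says that the name is resolved to the domain SID through an LDAP lookup and then discarded (`'virtual_attribute'`), or that it is an alternative to `--dom-sid` rather than something to be given alongside it. A `doc=_('...')` on the Str spelling that out would make both the CLI help and the Web UI form self-explanatory. Also, adding a parameter to the `idrange` object changes the public API, so API.txt has to be regenerated in the same patch or `make rpms` fails, as already noted in this thread.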
@@ -265,17 +270,42 @@ class idrange(LDAPObject):
 error=_('range modification leaving objects with ID out '
 'of the defined range is not allowed'))
 
-def validate_trusted_domain_sid(self, sid):
+def get_domain_validator(self):
 if not _dcerpc_bindings_installed:
-raise errors.NotFound(reason=_('Cannot perform SID validation without Samba 4 support installed. '
- 'Make sure you have installed server-trust-ad sub-package of IPA on the server'))
+raise errors.NotFound(reason=_('Cannot perform SID validation '
+'without Samba 4 support installed. Make sure you have '
+'installed server-trust-ad sub-package of IPA on the server'))
+
 domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+
 if not domain_validator.is_configured():
-raise errors.NotFound(reason=_('Cross-realm trusts are not configured. '
-  'Make sure you have run ipa-adtrust-install on the IPA server first'))
+raise errors.NotFound(reason=_('Cross-realm trusts are not '
+'configured. Make sure you have run ipa-adtrust-install '
+'on the IPA server first'))
+
+return domain_validator
+
+def validate_trusted_domain_sid(self, sid):
+
+domain_validator = self.get_domain_validator()
+
 if not domain_validator.is_trusted_sid_valid(sid):
 raise errors.ValidationError(name='domain SID',
-  error=_('SID is not recognized as a valid SID for a trusted domain'))
+  error=_('SID is not recognized as a valid SID for a '
+  'trusted domain'))
+
+def get_trusted_domain_sid_from_name(self, name):
+ Returns unicode string representation for given trusted domain name
+or None if SID forthe given trusted domain name could not be found.
+
+domain_validator = self.get_domain_validator()
+
+sid = domain_validator.get_sid_from_domain_name(name)
+
+if sid is not None:
+sid = unicode(sid)
+
+return sid
 
 # checks that primary and secondary rid ranges do not overlap
 def are_rid_ranges_overlapping(self, rid_base, secondary_rid_base, size):
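Review bot: the docstring of `get_trusted_domain_sid_from_name` (`Returns unicode string representation for given trusted domain name ... forthe given`) has lost its opening quotes as shown here and does not say what the string is; reword it along the lines of `Returns the SID of the named trusted domain as a unicode string, or None if it could not be found.` and fix `forthe`. On the logic: the method relies on `DomainValidator.get_sid_from_domain_name()` returning None on a miss rather than raising, and that side of the patch (ipaserver/dcerpc.py, 10 lines per the diffstat) is not in this excerpt; since `name` is exactly what the user typed for `--dom-name`, make sure the dcerpc.py lookup escapes it before building the LDAP search filter and that an unknown name really yields None, otherwise the `if sid is not None` check in idrange_add never takes its else branch.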
@@ -336,19 +366,33 @@ class idrange_add(LDAPCreate):
 
 is_set = lambda x: (x in entry_attrs) and (x is not None)
 
+# This needs to stay in options since there is no
+# ipanttrusteddomainname attribute in LDAP
+if 'ipanttrusteddomainname' in options:
+sid = self.obj.get_trusted_domain_sid_from_name(
+options['ipanttrusteddomainname'])
+
+if sid is not None:
+entry_attrs['ipanttrusteddomainsid'] = sid
+else:
+raise errors.ValidationError(name='ID Range setup',
+error=_('SID for the specified trusted domain name could '
+'not be found. Please specify the SID directly '
+'using dom_sid option.'))
+
 if is_set('ipanttrusteddomainsid'):
 if
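Review bot: the new block writes the looked-up SID into `entry_attrs['ipanttrusteddomainsid']` unconditionally, so when a caller passes both options a successful name lookup silently overwrites the SID they typed and a failed one raises even though a usable SID was supplied. Reject the combination before doing any lookup, e.g. `if 'ipanttrusteddomainname' in options and is_set('ipanttrusteddomainsid'):` followed by a `ValidationError` saying the two options are mutually exclusive. Two smaller points: the error text tells the user to use the `dom_sid option`, but on the command line that option is spelled `--dom-sid` (underscores in `cli_name` become hyphens, as the commit message's own `--dom-name` shows), so the message should use the CLI spelling; and the pre-existing `is_set` lambda on the context line tests `x is not None` where `x` is the attribute name, so it never looks at the value, while `entry_attrs.get(x) is not None` is what the following `if is_set('ipanttrusteddomainsid')` needs.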