authorTomas Babej <tbabej@redhat.com>2015-07-15 14:22:48 +0200
committerPetr Vobornik <pvoborni@redhat.com>2015-07-17 17:04:17 +0200
commit45958d62197296eabe5513ea392e204e1d49d5c6 (patch)
treea280c3f6a7d4f04df4254f77fd65676bbc20ee12
parent82aaa1e6d07a13429381b94ffe4b5fc562427213 (diff)
trusts: Check for AD root domain among our trusted domains
Check for the presence of the forest root DNS domain of the AD realm among the IPA realm domains prior to establishing the trust. This prevents creation of a failing setup, as trusts would not work properly in this case. https://fedorahosted.org/freeipa/ticket/4799 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--ipalib/plugins/trust.py21
1 files changed, 20 insertions, 1 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index b2e18f5bc..faa8186ba 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -640,6 +640,8 @@ sides.
self.params['realm_passwd'].label, confirm=False)
def validate_options(self, *keys, **options):
+ trusted_realm_domain = keys[-1]
+
if not _bindings_installed:
raise errors.NotFound(
name=_('AD Trust setup'),
@@ -692,6 +694,23 @@ sides.
)
)
+ # Obtain a list of IPA realm domains
+ result = self.api.Command.realmdomains_show()['result']
+ realm_domains = result['associateddomain']
+
+ # Do not allow the AD's trusted realm domain in the list
+ # of our realm domains
+ if trusted_realm_domain.lower() in realm_domains:
+ raise errors.ValidationError(
+ name=_('AD Trust setup'),
+ error=_(
+ 'Trusted domain %(domain)s is included among '
+ 'IPA realm domains. It needs to be removed '
+ 'prior to establishing the trust. See the '
+ '"ipa realmdomains-mod --del-domain" command.'
+ ) % dict(domain=trusted_realm_domain)
+ )
+
self.realm_server = options.get('realm_server')
self.realm_admin = options.get('realm_admin')
self.realm_passwd = options.get('realm_passwd')
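Review bot: The membership test on the `if trusted_realm_domain.lower() in realm_domains:` line lower-cases only the left-hand side, so an IPA realm domain stored with any upper-case characters would not match and the guard would be silently bypassed, allowing the trust to be established into exactly the failing configuration the commit means to prevent. DNS names are case-insensitive, so both sides should be normalized, e.g. `if trusted_realm_domain.lower() in (d.lower() for d in realm_domains):`, consistent with the `.lower()` comparison the third hunk already applies to the same variable. The code also assumes `result['associateddomain']` is always present and is a list of strings; if the realmdomains entry can lack that attribute, the lookup would surface as a KeyError rather than a ValidationError, which is worth confirming against realmdomains_show. validate_options continues outside this hunk.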
@@ -702,7 +721,7 @@ sides.
if len(names) > 1:
# realm admin name is in UPN format, user@realm, check that
# realm is the same as the one that we are attempting to trust
- if keys[-1].lower() != names[-1].lower():
+ if trusted_realm_domain.lower() != names[-1].lower():
raise errors.ValidationError(
name=_('AD Trust setup'),
error=_(