authorMartin Kosek <mkosek@redhat.com>2013-01-24 11:51:58 +0100
committerRob Crittenden <rcritten@redhat.com>2013-02-20 13:23:58 -0500
commita41e10f0ebdd0be543d36b3bbe795d92974b0a2e (patch)
treed146c13289ca365c9ae6b69bd4e0ea0509cab309
parent981c9f10ee43a6ce94a99ac3d743933470f69c63 (diff)
Avoid internal error when user is not Trust admin
When a user tries to perform any action requiring communication with a trusted domain, the IPA server tries to retrieve a trust secret on the user's behalf to be able to establish the connection. This happens for example during the group-add-member command when an external user is being resolved in AD. When the user is not a member of the Trust admins group, the retrieval crashes and reports an internal error. Catch this exception and instead report a properly formatted ACIError. Also make sure that this exception is properly processed in the group-add-member post callback. https://fedorahosted.org/freeipa/ticket/3390
-rw-r--r--ipalib/plugins/group.py2
-rw-r--r--ipaserver/dcerpc.py27
2 files changed, 24 insertions, 5 deletions
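--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -387,7 +387,7 @@ class group_add_member(LDAPAddMember):
 try:
 actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
 except errors.PublicError, e:
-failed_sids.append((sid, unicode(e)))
+failed_sids.append((sid, e.strerror))
 else:
 sids.append(actual_sid)
 restore = []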
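Review bot: The new `e.strerror` line still sits under a catch-all `except errors.PublicError`, so the ACIError that DomainValidator now raises for a caller outside the Trust admins group is demoted to a per-SID failure string next to genuinely unresolvable SIDs, and the command appears to go on with the remaining members rather than failing on the authorization error. If a permission denial is meant to fail the whole command, add `except errors.ACIError: raise` ahead of the generic handler; if the per-member reporting is intended, a short comment saying so would stop the next reader from treating it as an oversight. As written, the trust lookup is also repeated, and the same ACIError raised, once per external SID in the loop. The post callback of group_add_member starts and ends outside this hunk.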
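--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -156,10 +156,29 @@ class DomainValidator(object):
 self.ATTR_TRUST_AUTHOUT])
 result = dict()
-for entry in entries:
-result[entry[1][self.ATTR_TRUST_PARTNER][0]] = (entry[1][self.ATTR_FLATNAME][0].lower(),
-security.dom_sid(entry[1][self.ATTR_TRUSTED_SID][0]),
-entry[1][self.ATTR_TRUST_AUTHOUT][0])
+for dn, entry in entries:
+try:
+trust_partner = entry[self.ATTR_TRUST_PARTNER][0]
+flatname_normalized = entry[self.ATTR_FLATNAME][0].lower()
+trusted_sid = entry[self.ATTR_TRUSTED_SID][0]
+except KeyError, e:
+# Some piece of trusted domain info in LDAP is missing
+# Skip the domain, but leave log entry for investigation
+api.log.warn("Trusted domain '%s' entry misses an attribute: %s",
+dn, e)
+continue
+trust_authout = entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]
+
+# We were able to read all Trusted domain attributes but the secret
+# User is not member of trust admins group
+if trust_authout is None:
+raise errors.ACIError(
+info=_('communication with trusted domains is allowed '
+'for Trusts administrator group members only'))
+
+result[trust_partner] = (flatname_normalized,
+security.dom_sid(trusted_sid),
+trust_authout)
 return result
 except errors.NotFound, e:
 return []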
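Review bot: `entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]` guards only against the attribute being absent; if the LDAP layer ever hands back the attribute with an empty value list, the `[0]` raises IndexError, which the preceding `except KeyError` does not cover and which would likely surface as the same internal error this commit sets out to remove. Whether an empty list can occur depends on the LDAP wrapper, which is outside this hunk, so it is cheaper to make the read tolerant either way: `trust_authout = (entry.get(self.ATTR_TRUST_AUTHOUT) or [None])[0]`. The ACIError is also raised at the first domain whose secret is unreadable, so a caller is denied even when the domain it actually needs is readable; a comment such as `# The secret is readable by Trust admins only, so one unreadable domain means the caller lacks the group membership for all of them` would record that this is deliberate, presumably because the ACL is group-wide rather than per-domain. The enclosing method starts before this hunk, and its `except errors.NotFound` branch at the end returns `[]` where the success path returns a dict, which callers iterating the result may not expect.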