summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/group.py
diff options
context:
space:
mode:
authorAlexander Bokovoy <abokovoy@redhat.com>2012-10-18 21:46:35 +0300
committerAlexander Bokovoy <abokovoy@redhat.com>2012-10-31 22:28:53 +0200
commit09a4764112b9aa3e2e26e00f20fa23f42356b9b4 (patch)
tree3a2733f4383c1504468a4e31eb9fb36f49c79172 /ipalib/plugins/group.py
parent381f7f583ca02835731aeb2ca8be31ee279504ef (diff)
downloadfreeipa-09a4764112b9aa3e2e26e00f20fa23f42356b9b4.tar.gz
freeipa-09a4764112b9aa3e2e26e00f20fa23f42356b9b4.tar.xz
freeipa-09a4764112b9aa3e2e26e00f20fa23f42356b9b4.zip
Resolve external members from trusted domain via Global Catalog30gatepo
A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller and preferred GC hosts 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID
Diffstat (limited to 'ipalib/plugins/group.py')
-rw-r--r--ipalib/plugins/group.py32
1 files changed, 19 insertions, 13 deletions
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index a174ba62c..f86b134e6 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -83,28 +83,30 @@ External members should be added to groups that specifically created as
external and non-POSIX. Such group later should be included into one of POSIX
groups.
-An external group member is currently a Security Identifier as defined by
-the trusted domain.
+An external group member is currently a Security Identifier (SID) as defined by
+the trusted domain. When adding external group members, it is possible to
+specify them in either SID, or DOM\\name, or name@domain format. IPA will attempt
+to resolve passed name to SID with the use of Global Catalog of the trusted domain.
Example:
-1. Make note of the trusted domain security identifier
-
- domainsid = `ipa trust-show <ad.domain> | grep Identifier | cut -d: -f2`
-
-2. Create group for the trusted domain admins' mapping and their local POSIX group:
+1. Create group for the trusted domain admins' mapping and their local POSIX group:
ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
ipa group-add --desc='<ad.domain> admins' ad_admins
-3. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
- group (security identifier of <ad.domain SID>-513 is Domain Admins group):
+2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
+ group:
- ipa group-add-member ad_admins_external --external ${domainsid}-513
+ ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
-4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their SIDs:
+
+ ipa group-show ad_admins_external
""")
PROTECTED_GROUPS = (u'admins', u'trust admins', u'default smb group')
@@ -165,7 +167,7 @@ api.register(group)
ipaexternalmember_param = Str('ipaexternalmember*',
cli_name='external',
label=_('External member'),
- doc=_('comma-separated SIDs of members of a trusted domain'),
+ doc=_('comma-separated list of members of a trusted domain in DOM\\name or name@domain form'),
csv=True,
flags=['no_create', 'no_update', 'no_search'],
)
@@ -382,7 +384,11 @@ class group_add_member(LDAPAddMember):
if domain_validator.is_trusted_sid_valid(sid):
sids.append(sid)
else:
- failed_sids.append((sid, 'Not a trusted domain SID'))
+ actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
+ if isinstance(actual_sid, unicode):
+ sids.append(actual_sid)
+ else:
+ failed_sids.append((sid, 'Not a trusted domain SID'))
if len(sids) == 0:
raise errors.ValidationError(name=_('external member'),
error=_('values are not recognized as valid SIDs from trusted domain'))