author | Tomas Babej <tbabej@redhat.com> | 2013-10-10 15:11:16 +0200 |
committer | Martin Kosek <mkosek@redhat.com> | 2013-10-14 10:09:56 +0200 |
commit | 285ed59889590ddd0d6ca2e2a030b28527941cbf (patch) | |
tree | fd85cd103b3f4e50cba91b824d0b2446371ca02a /ipalib/plugins/trust.py | |
parent | dfa135e6069f9cb7f158d4540b530b137887932f (diff) | |
trusts: Do not create ranges for subdomains in case of POSIX trust
For the AD trusts where the ID range for the root level domain is of
ipa-ad-trust-posix type, do not create separate ranges for the
subdomains, since POSIX attributes provide global mapping.
Diffstat (limited to 'ipalib/plugins/trust.py')
-rw-r--r-- | ipalib/plugins/trust.py | 50 |
1 files changed, 39 insertions, 11 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index f412c6185..f4e5d021d 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -337,31 +337,56 @@ sides.
 result = self.execute_ad(full_join, *keys, **options)
 if not old_range:
- self.add_range(range_name, dom_sid, *keys, **options)
+ # Store the created range type, since for POSIX trusts no
+ # ranges for the subdomains should be added, POSIX attributes
+ # provide a global mapping across all subdomains
+ (created_range_type, _, _) = self.add_range(range_name, dom_sid,
+ *keys, **options)
 trust_filter = "cn=%s" % result['value']
 ldap = self.obj.backend
 (trusts, truncated) = ldap.find_entries(
- base_dn = DN(api.env.container_trusts, api.env.basedn),
- filter = trust_filter)
-
+ base_dn=DN(api.env.container_trusts, api.env.basedn),
+ filter=trust_filter)
 result['result'] = entry_to_dict(trusts[0][1], **options)
- if options.get('trust_type') == u'ad':
- domains = fetch_domains_from_trust(self, self.trustinstance, result['result'], **options)
+
+ # For AD trusts with algorithmic mapping, we need to add a separate
+ # range for each subdomain.
+ if (options.get('trust_type') == u'ad' and
+ created_range_type != u'ipa-ad-trust-posix'):
+
+ domains = fetch_domains_from_trust(self, self.trustinstance,
+ result['result'], **options)
 if domains and len(domains) > 0:
 for dom in domains:
 range_name = dom['cn'][0].upper() + '_id_range'
- range_type=options.get('range_type', u'ipa-ad-trust')
 dom_sid = dom['ipanttrusteddomainsid'][0]
+
+ # Enforce the same range type as the range for the root
+ # level domain.
+
+ # This will skip the detection of the POSIX attributes if
+ # they are not available, since it has been already
+ # detected when creating the range for the root level domain
+ passed_options = options
+ passed_options.update(range_type=created_range_type)
+
+ # Try to add the range for each subdomain
 try:
- self.add_range(range_name, dom_sid, range_type=range_type)
+ self.add_range(range_name, dom_sid, *keys,
+ **passed_options)
 except errors.DuplicateEntry:
 pass
- result['result']['trusttype'] = [trust_type_string(result['result']['ipanttrusttype'][0])]
- result['result']['trustdirection'] = [trust_direction_string(result['result']['ipanttrustdirection'][0])]
- result['result']['truststatus'] = [trust_status_string(result['verified'])]
+ # Format the output into human-readable values
+ result['result']['trusttype'] = [trust_type_string(
+ result['result']['ipanttrusttype'][0])]
+ result['result']['trustdirection'] = [trust_direction_string(
+ result['result']['ipanttrustdirection'][0])]
+ result['result']['truststatus'] = [trust_status_string(
+ result['verified'])]
+ del result['verified']
 return result
@@ -620,6 +645,9 @@ sides.
 iparangetype=range_type,
 ipanttrusteddomainsid=dom_sid)
+ # Return the values that were generated inside this function
+ return range_type, range_size, base_id
+
 def execute_ad(self, full_join, *keys, **options):
 # Join domain using full credentials and with random trustdom
 # secret (will be generated by the join method)
|
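Review bot: `created_range_type` is only bound inside the `if not old_range:` branch, yet the new `if (options.get('trust_type') == u'ad' and created_range_type != u'ipa-ad-trust-posix'):` test reads it unconditionally, so a trust-add that finds an already existing root range raises UnboundLocalError before any subdomain handling runs. Add an `else:` branch that takes the type of the existing range — its `iparangetype` value, as the range is created with that attribute in the second hunk — so the POSIX check applies in both cases; `old_range` is built outside the hunk, so confirm its shape before indexing it. Separately, `passed_options = options` aliases the caller's kwargs instead of copying them, so the following `passed_options.update(range_type=created_range_type)` silently rewrites `options['range_type']` for the rest of the call; use `passed_options = dict(options, range_type=created_range_type)`, which is loop-invariant and can be hoisted above `for dom in domains:`. The enclosing method starts before the hunk.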