authorAna Krivokapic <akrivoka@redhat.com>2013-06-10 18:57:08 -0400
committerPetr Viktorin <pviktori@redhat.com>2013-06-24 14:30:06 +0200
commit91a5d3349be3a8c6044684405a4e66f4ed1dd543 (patch)
treec8d6ee3bbe7eaa81e25ab2b576f6db20345c3090 /ipalib
parent2775dec3bec3499c69de60d5bb581ffad7615cef (diff)
Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-install
Add a new API command 'adtrust_is_enabled', which can be used to determine whether ipa-adtrust-install has been run on the system. This new command is not visible in the IPA CLI. Use this command in idrange_add to conditionally require the rid-base and secondary-rid-base options. Add tests to cover the new functionality. https://fedorahosted.org/freeipa/ticket/3634
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/idrange.py35
-rw-r--r--ipalib/plugins/trust.py32
2 files changed, 62 insertions, 5 deletions
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 54b835e24..f258cbb15 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -356,7 +356,7 @@ class idrange_add(LDAPCreate):
may be given for a new ID range for the local domain while
- --rid-bas
+ --rid-base
--dom-sid
must be given to add a new range for a trusted AD domain.
@@ -381,6 +381,9 @@ class idrange_add(LDAPCreate):
Also ensure that secondary-rid-base is prompted for when rid-base is
specified and vice versa, in case that dom-sid was not specified.
+
+ Also ensure that rid-base and secondary-rid-base is prompted for
+ if ipa-adtrust-install has been run on the system.
"""
# dom-sid can be specified using dom-sid or dom-name options
@@ -410,6 +413,22 @@ class idrange_add(LDAPCreate):
value = self.prompt_param(self.params['ipabaserid'])
kw.update(dict(ipabaserid=value))
+ # Prompt for rid-base and secondary-rid-base if ipa-adtrust-install
+ # has been run on the system
+ adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result']
+
+ if adtrust_is_enabled:
+ rid_base = kw.get('ipabaserid', None)
+ secondary_rid_base = kw.get('ipasecondarybaserid', None)
+
+ if rid_base is None:
+ value = self.prompt_param(self.params['ipabaserid'])
+ kw.update(dict(ipabaserid=value))
+
+ if secondary_rid_base is None:
+ value = self.prompt_param(self.params['ipasecondarybaserid'])
+ kw.update(dict(ipasecondarybaserid=value))
+
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
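Review bot: The `api.Command['adtrust_is_enabled']()` call added ahead of the new prompts is unguarded, so any error from that lookup aborts interactive prompting before the user can enter a value. If this callback can run against a server that does not register `adtrust_is_enabled` (not visible here), the call would presumably fail with an unknown-command error. Because the check added to `pre_callback` enforces the requirement regardless, the prompt could treat a failed lookup as "do not prompt" by catching `errors.PublicError` around the call and setting `adtrust_is_enabled = False`. The callback starts above this hunk and indentation is lost on this page, so it cannot be confirmed that the block sits in the branch where dom-sid is absent; the docstring lists only `--rid-base` and `--dom-sid` for trusted-domain ranges, so prompting for secondary-rid-base there would be unwanted.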
@@ -495,6 +514,20 @@ class idrange_add(LDAPCreate):
error=_("Primary RID range and secondary RID range"
" cannot overlap"))
+ # rid-base and secondary-rid-base must be set if
+ # ipa-adtrust-install has been run on the system
+ adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result']
+
+ if adtrust_is_enabled and not (
+ is_set('ipabaserid') and is_set('ipasecondarybaserid')):
+ raise errors.ValidationError(
+ name='ID Range setup',
+ error=_(
+ 'You must specify both rid-base and '
+ 'secondary-rid-base options, because '
+ 'ipa-adtrust-install has already been run.'
+ )
+ )
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
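Review bot: The requirement added at the end of `pre_callback` is enforced per master rather than per deployment, because `adtrust_is_enabled` (in the trust.py part of this commit) looks up `cn=ADTRUST` under `api.env.host` only. A range added through a master where ipa-adtrust-install has not been run would skip the check, although the range is presumably replicated to masters where it has. If that is intended, say so next to the check, e.g. `# NOTE: reflects only the master serving this request, not the whole topology`. The lookup is also an extra LDAP read on every add; testing `is_set('ipabaserid') and is_set('ipasecondarybaserid')` first and calling the command only when one is missing would avoid it. `pre_callback` begins above this hunk, so the branch this check lives in is not visible.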
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 5c9360b57..d2b58399f 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -20,12 +20,9 @@
from ipalib.plugins.baseldap import *
from ipalib.plugins.dns import dns_container_exists
-from ipalib import api, Str, StrEnum, Password, DefaultFrom, _, ngettext, Object
-from ipalib.parameters import Enum
+from ipalib import api, Str, StrEnum, Password, _, ngettext
from ipalib import Command
from ipalib import errors
-from ipapython import ipautil
-from ipalib import util
try:
import pysss_murmur #pylint: disable=F0401
_murmur_installed = True
@@ -843,3 +840,30 @@ class trust_resolve(Command):
return dict(result=result)
api.register(trust_resolve)
+
+
+class adtrust_is_enabled(Command):
+ NO_CLI = True
+
+ __doc__ = _('Determine whether ipa-adtrust-install has been run on this '
+ 'system')
+
+ def execute(self, *keys, **options):
+ ldap = self.api.Backend.ldap2
+ adtrust_dn = DN(
+ ('cn', 'ADTRUST'),
+ ('cn', api.env.host),
+ ('cn', 'masters'),
+ ('cn', 'ipa'),
+ ('cn', 'etc'),
+ api.env.basedn
+ )
+
+ try:
+ ldap.get_entry(adtrust_dn)
+ except errors.NotFound:
+ return dict(result=False)
+
+ return dict(result=True)
+
+api.register(adtrust_is_enabled)
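Review bot: `execute` treats every `errors.NotFound` from `ldap.get_entry(adtrust_dn)` as "ipa-adtrust-install has not been run", so the check fails open. The lookup goes through `self.api.Backend.ldap2`, presumably with the caller's own credentials, so a caller who cannot read the `cn=ADTRUST` entry would likely also get `result=False`, and the new validation in `idrange_add` would be skipped for that caller. Document this on the class, e.g. `# result=False also covers "entry not readable by the caller"; idrange_add validation depends on this value`, and confirm that the entry is readable by everyone allowed to add ID ranges. It would also help to note that `NO_CLI = True` only hides the command from the CLI; it is still registered through `api.register`.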