Diffstat (limited to 'ipalib/plugins/trust.py')
-rw-r--r-- | ipalib/plugins/trust.py | 40 |
1 files changed, 38 insertions, 2 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index d2b58399f..965ff76bb 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -259,6 +259,12 @@ this will cause change to trust relationship credentials on both sides. ''') + range_types = { + u'ipa-ad-trust': unicode(_('Active Directory domain range')), + u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with ' + 'POSIX attributes')), + } + takes_options = LDAPCreate.takes_options + ( _trust_type_option, Str('realm_admin?', @@ -289,6 +295,13 @@ sides. default=DEFAULT_RANGE_SIZE, autofill=True ), + StrEnum('range_type?', + label=_('Range type'), + cli_name='range_type', + doc=(_('Type of trusted domain ID range, one of {vals}' + .format(vals=', '.join(range_types.keys())))), + values=tuple(range_types.keys()), + ), ) msg_summary = _('Added Active Directory trust for realm "%(value)s"') @@ -388,13 +401,27 @@ sides. def validate_range(self, *keys, **options): # If a range for this trusted domain already exists, # '--base-id' or '--range-size' options should not be specified - range_name = keys[-1].upper()+'_id_range' + range_name = keys[-1].upper() + '_id_range' + range_type = options.get('range_type') try: - old_range = api.Command['idrange_show'](range_name) + old_range = api.Command['idrange_show'](range_name, raw=True) except errors.NotFound: old_range = None + if options.get('type') == u'ad': + if range_type and range_type not in (u'ipa-ad-trust', + u'ipa-ad-trust-posix'): + raise errors.ValidationError( + name=_('id range type'), + error=_( + 'Only the ipa-ad-trust and ipa-ad-trust-posix are ' + 'allowed values for --range-type when adding an AD ' + 'trust.' + ) + +) + base_id = options.get('base_id') range_size = options.get('range_size') != DEFAULT_RANGE_SIZE 
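Review bot: The `unicode(_(...))` calls in the new `range_types` dict run when the class body is evaluated, so the descriptions are presumably translated once at import time rather than per request locale. If `_` returns a lazy object here, storing it unconverted would keep translation deferred. Only the keys are read in the hunks on this page, so a comment such as `# keys are the accepted --range-type values; descriptions are display text` would make the dict's role clear.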
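Review bot: In the `doc=` of the new `range_type?` option, `.format(vals=...)` is applied to the string literal inside the `_()` call, so the message id handed to the translation lookup already contains the substituted values and is unlikely to match a catalog entry. Formatting the result of `_()` instead would keep the id stable, though how a lazy `_` object takes `.format` should be checked against the other options in this file. `range_types.keys()` is also evaluated separately for `doc` and `values`, and on a plain dict the order shown in the help text is not guaranteed; one sorted tuple used for both would fix that.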
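Review bot: The membership test added to `validate_range` hard-codes `(u'ipa-ad-trust', u'ipa-ad-trust-posix')`, although the same two values are already the keys of `range_types` and the `values=` of the option, so the lists can drift apart when a range type is added. If this method belongs to the class that defines `range_types`, `if range_type and range_type not in self.range_types:` would keep a single source of truth. The check only runs when `options.get('type') == u'ad'`, and a comment saying why other trust types skip it would help, since the range type presumably governs how IDs of trusted-domain users are mapped. The body of `validate_range` continues past this hunk.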
@@ -420,6 +447,7 @@ sides. if old_range: old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0] + old_range_type = old_range['result']['iparangetype'][0] if old_dom_sid != dom_sid: raise errors.ValidationError( @@ -431,6 +459,13 @@ sides. ) ) + if range_type and range_type != old_range_type: + raise errors.ValidationError(name=_('range type change'), + error=_('ID range for the trusted domain already exists, ' + 'but it has a different type. Please remove the ' + 'old range manually, or do not enforce type ' + 'via --range-type option.')) + return old_range, range_name, dom_sid def add_range(self, range_name, dom_sid, **options): @@ -448,6 +483,7 @@ sides. ipabaseid=base_id, ipaidrangesize=options['range_size'], ipabaserid=0, + iparangetype=options.get('range_type'), ipanttrusteddomainsid=dom_sid) def execute_ad(self, full_join, *keys, **options): |
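Review bot: `old_range['result']['iparangetype'][0]` assumes every existing range entry carries `iparangetype`; if an entry lacks it, the caller gets a `KeyError` instead of a `ValidationError`. Reading it with `.get('iparangetype', [None])[0]` would let the mismatch check in the next hunk (`range_type != old_range_type`) report the problem the same way as the SID mismatch. That comparison is an exact string match against the raw stored value, so a one-line comment tying it to the `raw=True` added to `idrange_show` earlier in this diff would explain why the raw form is needed.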
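Review bot: `iparangetype=options.get('range_type')` in `add_range` passes `None` whenever `--range-type` is omitted, so the type of the new range is then decided entirely by the callee, whose handling of an explicit `None` is not visible in this hunk. A comment such as `# None lets the range command choose the type` would record that this is intentional. Alternatively the keyword could be passed only when the option is set. The start of the call is outside the hunk.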