From 66356f0daf2a55c7e64dc648e0f8c765e9a56151 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Thu, 21 Feb 2013 10:56:03 -0500 Subject: Improve error messages for external group members When adding a duplicate member to a group, an error message is issued, informing the user that the entry is already a member of the group. Similarly, when trying to delete an entry which is not a member, an error message is issued, informing the user that the entry is not a member of the group. These error messages were missing in case of external members. This patch also adds support for using the AD\name or name@ad.domain.com format in ipa group-remove-member command. This format was supported in group-add-member, but not in group-remove-member. Unit test file covering these cases was also added. https://fedorahosted.org/freeipa/ticket/3254 --- ipalib/plugins/group.py | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) (limited to 'ipalib/plugins/group.py') diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index bde002a8d..21ee00490 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -398,7 +398,7 @@ class group_add_member(LDAPAddMember): result = add_external_post_callback('member', 'group', 'ipaexternalmember', ldap, completed, failed, dn, entry_attrs, keys, options, external_callback_normalize=False) - failed['member']['group'] = restore + failed_sids + failed['member']['group'] += restore + failed_sids return result api.register(group_add_member) 
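Review bot: The switch to `+=` on `failed['member']['group']` only works if `add_external_post_callback` leaves that key holding a list of just the external-member failures, and nothing at the changed line says so. A short comment above it would record the intent, for example `# keep failures reported by the external callback, then re-add the earlier LDAP failures and the SIDs that could not be resolved`. The code that builds `restore` and `failed_sids` is outside this hunk, so their contents are inferred from the names. The same line is changed at the end of the `group_remove_member` hunk, and the comment applies there too.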
@@ -425,15 +425,34 @@ class group_remove_member(LDAPRemoveMember): assert isinstance(dn, DN) result = (completed, dn) if 'ipaexternalmember' in options: - sids = options['ipaexternalmember'] - restore = list() + if not _dcerpc_bindings_installed: + raise errors.NotFound(reason=_('Cannot perform external member validation without ' + 'Samba 4 support installed. Make sure you have installed ' + 'server-trust-ad sub-package of IPA on the server')) + domain_validator = ipaserver.dcerpc.DomainValidator(self.api) + if not domain_validator.is_configured(): + raise errors.NotFound(reason=_('Cannot perform join operation without own domain configured. ' + 'Make sure you have run ipa-adtrust-install on the IPA server first')) + sids = [] + failed_sids = [] + for sid in options['ipaexternalmember']: + if domain_validator.is_trusted_sid_valid(sid): + sids.append(sid) + else: + try: + actual_sid = domain_validator.get_trusted_domain_object_sid(sid) + except errors.PublicError, e: + failed_sids.append((sid, unicode(e))) + else: + sids.append(actual_sid) + restore = [] if 'member' in failed and 'group' in failed['member']: restore = failed['member']['group'] failed['member']['group'] = list((id,id) for id in sids) result = remove_external_post_callback('member', 'group', 'ipaexternalmember', ldap, completed, failed, dn, entry_attrs, keys, options) - failed['member']['group'] = restore + failed['member']['group'] += restore + failed_sids return result api.register(group_remove_member) -- cgit
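Review bot: Removing an external member now fails outright when the Samba bindings are missing or `is_configured()` is false, and any value that neither passes `is_trusted_sid_valid()` nor resolves is put in `failed_sids` instead of being removed. Removal is how group access for an AD principal is revoked, so it should not depend on the trust still being resolvable. Whether a stored SID from a trust that has since been removed passes `is_trusted_sid_valid()` is not visible in this hunk, so that case deserves a test. Consider passing values that are already SID strings straight to `remove_external_post_callback` and requiring the validator only for `AD\name` or `name@ad.domain.com` input. The second `NotFound` reason also says 'join operation', which looks copied from another command; 'Cannot perform external member validation without own domain configured' would fit this one (the enclosing method starts above the hunk).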