author: Tomas Babej <tbabej@redhat.com> 2013-11-21 14:44:42 +0100
committer: Martin Kosek <mkosek@redhat.com> 2013-11-22 08:47:49 +0100
commit: 63d4f306867095654d1b46c8731a95140a5126ce
tree: 8d0d873ad674d119372604f4ce108a55bc155878
parent: 56e3e12f129fa43c4ef66dce4bee55dcd7cd38b6
trusts: Do not pass base-id to the subdomain ranges

For trusted domains base id is calculated using a murmur3 hash of the domain Security Identifier (SID). During trust-add we create ranges for forest root domain and other forest domains. Since --base-id explicitly overrides generated base id for forest root domain, its value should not be passed to other forest domains' ranges -- their base ids must be calculated based on their SIDs.

In case base id change for non-root forest domains is required, it can be done manually through idrange-mod command after the trust is established.

https://fedorahosted.org/freeipa/ticket/4041
-rw-r--r-- ipalib/plugins/trust.py 5
1 files changed, 5 insertions, 0 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 32a93834..5ba09050 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -375,6 +375,11 @@ sides.
passed_options = options
passed_options.update(range_type=created_range_type)
+ # Do not pass the base id to the subdomains since it would
+ # clash with the root level domain
+ if 'base_id' in passed_options:
+ del passed_options['base_id']
+
# Try to add the range for each subdomain
try:
self.add_range(range_name, dom_sid, *keys,
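Review bot: `passed_options = options` in the context line just above the added block binds a second name to the same dict, so `del passed_options['base_id']` also removes `base_id` from `options` itself (and the existing `passed_options.update(range_type=...)` already writes into it). If anything after this point still reads `options`, it will no longer see the value that was passed with --base-id. Taking a copy first, e.g. `passed_options = dict(options)`, keeps the caller's options intact, and the membership test plus `del` can then collapse to `passed_options.pop('base_id', None)`. The new comment could also state the reason given in the commit message, that each subdomain's base id has to be derived from its own SID.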