author | Tomas Babej <tbabej@redhat.com> | 2013-09-18 12:55:19 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-10-03 12:01:56 +0200 |
commit | 8ebb76177dbe675b281a4c06fabd4d27b2dffd7c (patch) | |
tree | 08b25a54d69726df1bc3f4cf5ae5c38b098c8cc8 /ipalib/plugins | |
parent | 6a124160a56bba66ffd7290ed0f111e72f36b521 (diff) | |
Do not add trust to AD in case of IPA realm-domain mismatch
Make sure that trust-add command fails when admin attempts
to add an Active Directory trust when the realm name and
the domain name of the IPA server do not match.
https://fedorahosted.org/freeipa/ticket/3923
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/trust.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 3c117b49..3d050299 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -360,6 +360,19 @@ sides.
 error=_('only "ad" is supported')
 )
 
+ # If domain name and realm does not match, IPA server is not be able
+ # to estabilish trust with Active Directory.
+
+ realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
+
+ if options['trust_type'] == u'ad' and realm_not_matching_domain:
+ raise errors.ValidationError(
+ name=_('Realm-domain mismatch'),
+ error=_('To estabilish trust with Active Directory, the '
+ 'domain name and the realm name of the IPA server '
+ 'must match')
+ )
+
 self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
 if not self.trustinstance.configured:
 raise errors.NotFound( |
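Review bot: The mismatch test normalizes only one operand, `api.env.domain.upper() != api.env.realm`, so a realm stored in anything other than upper case (or a domain written with a trailing dot) is reported as a mismatch even when the two names agree; the check fails closed, but the admin gets a misleading error. Comparing both sides in one case, e.g. `api.env.domain.lower() != api.env.realm.lower()`, avoids that. The new code also reads the global `api.env` while the next context line passes `self.api`; using `self.api.env` would keep the check tied to the same API instance as the rest of the method. The user-visible message and the comment both spell "estabilish" and the comment reads "is not be able"; these should be "establish" and "is not able". The enclosing method starts and ends outside the hunk, so whether `trust_type` can be anything other than `ad` at this point cannot be confirmed from here.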