authorAlexander Bokovoy <abokovoy@redhat.com>2012-09-19 19:09:22 +0300
committerMartin Kosek <mkosek@redhat.com>2012-09-20 14:55:46 +0200
commit7d2dbe56cb987bb8d9b197260edfe28de99c371b (patch)
treecd46784dde0e114f5a571a2d6d01d22b7d0f975b /ipalib
parent7c8130c4337ea9c174a4d036a499dcb87d2a7e29 (diff)
validate SID for trusted domain when adding/modifying ID range
https://fedorahosted.org/freeipa/ticket/3087
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/idrange.py31
1 files changed, 28 insertions, 3 deletions
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index ee50613b..8f2d4efd 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
from ipalib import util
from ipapython.dn import DN
+if api.env.in_server and api.env.context in ['lite', 'server']:
+ try:
+ import ipaserver.dcerpc
+ _dcerpc_bindings_installed = True
+ except ImportError:
+ _dcerpc_bindings_installed = False
__doc__ = _("""
ID ranges
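Review bot: `_dcerpc_bindings_installed` is bound only inside the `if api.env.in_server and api.env.context in ['lite', 'server']` branch, so in any other context the module-level name does not exist and `validate_trusted_domain_sid` (next hunk) fails with NameError on its first line instead of the NotFound it intends to raise. Initialise it unconditionally before the guard, `_dcerpc_bindings_installed = False`, and let the `try` block flip it to True. The guard also reads `api` at import time; the line that brings `api` into scope is outside this hunk, so confirm it precedes this block.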
@@ -249,6 +255,18 @@ class idrange(LDAPObject):
error=_('range modification leaving objects with ID out '
'of the defined range is not allowed'))
+ def validate_trusted_domain_sid(self, sid):
+ if not _dcerpc_bindings_installed:
+ raise errors.NotFound(reason=_('Cannot perform SID validation without Samba 4 support installed. '
+ 'Make sure you have installed server-trust-ad sub-package of IPA on the server'))
+ domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+ if not domain_validator.is_configured():
+ raise errors.NotFound(reason=_('Cross-realm trusts are not configured. '
+ 'Make sure you have run ipa-adtrust-install on the IPA server first'))
+ if not domain_validator.is_trusted_sid_valid(sid):
+ raise errors.ValidationError(name='domain SID',
+ error=_('SID is not recognized as a valid SID for a trusted domain'))
+
class idrange_add(LDAPCreate):
__doc__ = _("""
Add new ID range.
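Review bot: `validate_trusted_domain_sid` has no docstring, and its three failure modes cannot be told apart from the signature. A docstring along the lines of `"""Raise unless *sid* is the SID of a trusted AD domain; needs the ipaserver.dcerpc bindings and a configured trust (NotFound if either is missing), ValidationError for an unrecognised SID."""` would cover it. Reporting a missing sub-package or an unconfigured trust as NotFound presents a server-configuration problem to the client as a lookup failure; if the errors module offers a more specific class for that situation it would read better, but the errors module is not visible from here.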
@@ -278,19 +296,22 @@ class idrange_add(LDAPCreate):
if 'ipanttrusteddomainsid' in options:
if 'ipasecondarybaserid' in options:
- raise errors.ValidationError(name=_('ID Range setup'),
+ raise errors.ValidationError(name='ID Range setup',
error=_('Options dom_sid and secondary_rid_base cannot ' \
'be used together'))
if 'ipabaserid' not in options:
- raise errors.ValidationError(name=_('ID Range setup'),
+ raise errors.ValidationError(name='ID Range setup',
error=_('Options dom_sid and rid_base must ' \
'be used together'))
+ # Validate SID as the one of trusted domains
+ self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid'])
+ # Finally, add trusted AD domain range object class
entry_attrs['objectclass'].append('ipatrustedaddomainrange')
else:
if (('ipasecondarybaserid' in options) != ('ipabaserid' in options)):
- raise errors.ValidationError(name=_('ID Range setup'),
+ raise errors.ValidationError(name='ID Range setup',
error=_('Options secondary_rid_base and rid_base must ' \
'be used together'))
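Review bot: The new comment `# Validate SID as the one of trusted domains` above the `validate_trusted_domain_sid` call is hard to parse; `# Reject a dom_sid that is not the SID of a known trusted domain (raises before the entry is created)` states what the call enforces. The same comment is repeated in idrange_mod's pre_callback in the next hunk. Placing the call after the cheap option-consistency checks is the right order; pre_callback's signature lies outside this hunk.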
@@ -366,6 +387,10 @@ class idrange_mod(LDAPUpdate):
except errors.NotFound:
self.obj.handle_not_found(*keys)
+ if 'ipanttrusteddomainsid' in options:
+ # Validate SID as the one of trusted domains
+ self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid'])
+
old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
new_base_id = entry_attrs.get('ipabaseid')
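Review bot: In idrange_mod the SID is validated whenever `ipanttrusteddomainsid` appears in `options`, but unlike idrange_add nothing in this hunk requires `ipabaserid` alongside it or checks that the entry already carries the `ipatrustedaddomainrange` object class, so a local range could gain a dom_sid through mod that add would have refused; if those checks live in the part of pre_callback outside the hunk, disregard. If the framework passes None for an option the caller clears, the validator is also invoked with None; `if options.get('ipanttrusteddomainsid'):` would skip validation in that case, though whether clearing should instead be rejected depends on the intended semantics.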