-rw-r--r-- | install/share/bootstrap-template.ldif | 4 | ||||
-rw-r--r-- | install/updates/62-ranges.update | 20 | ||||
-rw-r--r-- | ipaserver/install/plugins/adtrust.py | 74 |
3 files changed, 95 insertions, 3 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index ece48f80..23510c95 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -415,11 +415,11 @@ objectClass: top
 objectClass: nsContainer
 cn: ranges
 
-dn: cn=$REALM_id_range,cn=ranges,cn=etc,$SUFFIX
+dn: cn=${REALM}_id_range,cn=ranges,cn=etc,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: ipaIDrange
 objectClass: ipaDomainIDRange
-cn: $REALM_id_range
+cn: ${REALM}_id_range
 ipaBaseID: $IDSTART
 ipaIDRangeSize: $IDRANGE_SIZE
diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update
index 42c1e2a9..9ba47421 100644
--- a/install/updates/62-ranges.update
+++ b/install/updates/62-ranges.update
@@ -3,11 +3,29 @@ add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First va
 add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+add:objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $$ gidNumber $$ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
 add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
 add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
 add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
 
 dn: cn=ranges,cn=etc,$SUFFIX
-default: obectClass: top
+default: objectClass: top
 default: objectClass: nsContainer
 default: cn: ranges
+
+dn: cn=IPA Range-Check,cn=plugins,cn=config
+default: changetype: add
+default: objectclass: top
+default: objectclass: nsSlapdPlugin
+default: objectclass: extensibleObject
+default: cn: IPA Range-Check
+default: nsslapd-pluginpath: libipa_range_check
+default: nsslapd-plugininitfunc: ipa_range_check_init
+default: nsslapd-plugintype: preoperation
+default: nsslapd-pluginenabled: on
+default: nsslapd-pluginid: ipa_range_check_version
+default: nsslapd-pluginversion: 1.0
+default: nsslapd-pluginvendor: Red Hat, Inc.
+default: nsslapd-plugindescription: IPA Range-Check plugin
+default: nsslapd-plugin-depends-on-type: database
+default: nsslapd-basedn: $SUFFIX
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
new file mode 100644
index 00000000..abd676a2
--- /dev/null
+++ b/ipaserver/install/plugins/adtrust.py
@@ -0,0 +1,74 @@
+# Authors:
+# Martin Kosek <mkosek@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipalib import api, errors
+from ipalib.dn import DN
+from ipapython.ipa_log_manager import *
+
+class update_default_range(PostUpdate):
+ """
+ Create default ID range for upgraded servers.
+ """
+ order=MIDDLE
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ dn = str(DN(api.env.container_ranges, api.env.basedn))
+ search_filter = "objectclass=ipaDomainIDRange"
+ try:
+ (entries, truncated) = ldap.find_entries(search_filter, [], dn)
+ except errors.NotFound:
+ pass
+ else:
+ root_logger.debug("default_range: ipaDomainIDRange entry found, skip plugin")
+ return (False, False, [])
+
+ dn = str(DN(('cn', 'admins'), api.env.container_group, api.env.basedn))
+ try:
+ (dn, admins_entry) = ldap.get_entry(dn, ['gidnumber'])
+ except errors.NotFound:
+ root_logger.error("No local ID range and no admins group found. "
+ "Cannot create default ID range")
+ return (False, False, [])
+
+ base_id = admins_entry['gidnumber'][0]
+ id_range_size = 200000
+
+ range_entry = ['objectclass:top',
+ 'objectclass:ipaIDrange',
+ 'objectclass:ipaDomainIDRange',
+ 'cn:%s_id_range' % api.env.realm,
+ 'ipabaseid:%s' % base_id,
+ 'ipaidrangesize:%s' % id_range_size,
+ ]
+
+ updates = {}
+ dn = str(DN(('cn', '%s_id_range' % api.env.realm),
+ api.env.container_ranges, api.env.basedn))
+
+ # make sure everything is str or otherwise python-ldap would complain
+ range_entry = map(str, range_entry)
+ updates[dn] = {'dn' : dn, 'default' : range_entry}
+
+ return (False, True, [updates])
+
+api.register(update_default_range) |
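Review bot: In `update_default_range.execute`, `id_range_size = 200000` is hard-coded and `base_id` is taken from the admins group's `gidnumber`, so on a server installed with a non-default ID start or range size the range written here may not match the IDs already handed out. The same commit registers the IPA Range-Check preoperation plugin with `nsslapd-pluginenabled: on`, so a default range that misses existing users and groups looks worth avoiding. Consider deriving the size from the server's existing ID allocation settings, or at least recording the choice with `root_logger.info("default_range: creating range base=%s size=%s", base_id, id_range_size)`. Separately, `admins_entry['gidnumber'][0]` will raise if the admins entry carries no `gidnumber`. Assuming the entry behaves like a dict, a guard such as `if not admins_entry.get('gidnumber'): return (False, False, [])` preceded by an error log would let the upgrade skip the range cleanly instead of aborting.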