author | Alexander Bokovoy <abokovoy@redhat.com> | 2016-06-06 11:41:46 +0300 |
committer | Martin Basti <mbasti@redhat.com> | 2016-06-11 17:25:50 +0200 |
commit | bb75f5a5836ea011b8920f8bb8d58c1f4cd9b4c8 (patch) | |
tree | 108fedb3d09df8b2030e66702d3d3c2b4aaf701f /install/oddjob | |
parent | b506fd178edbf1553ca581c44ac6697f88ead125 (diff) | |
adtrust: support UPNs for trusted domain users
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are a property
of the forest and as such are associated with the forest root
domain.
FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.
In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
https://fedorahosted.org/freeipa/ticket/5354
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'install/oddjob')
-rwxr-xr-x | install/oddjob/com.redhat.idm.trust-fetch-domains | 31 |
1 files changed, 3 insertions, 28 deletions
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index ea00f30d9..57b15f7ee 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -3,7 +3,7 @@ from ipaserver import dcerpc
 from ipaserver.install.installutils import is_ipa_configured, ScriptError
 from ipapython import config, ipautil
-from ipalib import api, errors
+from ipalib import api
 from ipapython.dn import DN
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
@@ -170,33 +170,8 @@ except gssapi.exceptions.GSSError:
 ipa_domain = api.env.domain
 os.environ['KRB5CCNAME'] = oneway_ccache_name
 domains = dcerpc.fetch_domains(api, ipa_domain, trusted_domain, creds=True)
-
-if domains:
-    # trust range must exist by the time fetch_domains_from_trust is called
-    range_name = unicode(trusted_domain.upper() + '_id_range')
-    old_range = api.Command.idrange_show(range_name, raw=True)['result']
-    idrange_type = old_range['iparangetype'][0]
-
-    result = []
-    for dom in domains:
-        dom['trust_type'] = u'ad'
-        try:
-            name = dom['cn']
-            del dom['cn']
-
-            res = api.Command.trustdomain_add(trusted_domain, name, **dom)
-            result.append(res['result'])
-
-            if idrange_type != u'ipa-ad-trust-posix':
-                range_name = name.upper() + '_id_range'
-                dom['range_type'] = u'ipa-ad-trust'
-                # Do not pass ipaserver.dcerpc.TrustInstance to trust.add_range
-                # to force it using existing credentials cache
-                trust.add_range(api, None, range_name, dom['ipanttrusteddomainsid'],
-                                trusted_domain, name, **dom)
-        except errors.DuplicateEntry:
-            # Ignore updating duplicate entries
-            pass
+trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)['result']
+trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)
 
 if old_ccache:
     os.environ['KRB5CCNAME'] = old_ccache
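Review bot: The new `trust.add_new_domains_from_trust(...)` call in the second hunk runs unconditionally, whereas the removed block was guarded by `if domains:`, so an empty or None result from `dcerpc.fetch_domains` now reaches the helper; the helper lives outside this file, so I cannot confirm it tolerates that, and keeping the guard is the safer shape: `if domains:` / `    trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)['result']` / `    trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)`. The `errors.DuplicateEntry` handling that let this helper be re-run against a trust whose domains already exist also leaves the script together with the `errors` import (first hunk); presumably the helper now absorbs duplicates itself, and a one-line comment stating that expectation, e.g. `# add_new_domains_from_trust is expected to tolerate domains that already exist`, would document the contract this script now relies on. The enclosing `except gssapi.exceptions.GSSError:` handler and the credential-cache setup this code depends on start outside the hunk.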