authorAlexander Bokovoy <abokovoy@redhat.com>2014-02-27 14:08:49 +0100
committerMartin Kosek <mkosek@redhat.com>2014-02-27 14:08:49 +0100
commit41ca5afba79110a8dfb9dd713df2d909b5210294 (patch)
tree7720c23af9b74daf89957ed827095cadc808de4d /ipalib
parent96f87e548af5107e33f33cdb3af9fd542d0aa413 (diff)
trust: make sure we always discover topology of the forest trust

Even though we are creating idranges for subdomains only in case there is algorithmic ID mapping in use, we still need to fetch the list of subdomains for all other cases.

https://fedorahosted.org/freeipa/ticket/4205
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/trust.py37
1 files changed, 6 insertions, 31 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 832230a11..fe395688b 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -458,38 +458,13 @@ sides.
result['result'] = entry_to_dict(trusts[0], **options)
- # For AD trusts with algorithmic mapping, we need to add a separate
- # range for each subdomain.
- if (options.get('trust_type') == u'ad' and
- created_range_type != u'ipa-ad-trust-posix'):
-
+ # Fetch topology of the trust forest -- we need always to do it
+ # for AD trusts, regardless of the type of idranges associated with it
+ # Note that fetch_domains_from_trust will add needed ranges for
+ # the algorithmic ID mapping case.
+ if options.get('trust_type') == u'ad':
domains = fetch_domains_from_trust(self, self.trustinstance,
result['result'], **options)
- if domains and len(domains) > 0:
- for dom in domains:
- range_name = dom['cn'][0].upper() + '_id_range'
- dom_sid = dom['ipanttrusteddomainsid'][0]
-
- # Enforce the same range type as the range for the root
- # level domain.
-
- # This will skip the detection of the POSIX attributes if
- # they are not available, since it has been already
- # detected when creating the range for the root level domain
- passed_options = options
- passed_options.update(range_type=created_range_type)
-
- # Do not pass the base id to the subdomains since it would
- # clash with the root level domain
- if 'base_id' in passed_options:
- del passed_options['base_id']
-
- # Try to add the range for each subdomain
- try:
- add_range(self, range_name, dom_sid, *keys,
- **passed_options)
- except errors.DuplicateEntry:
- pass
# Format the output into human-readable values
result['result']['trusttype'] = [trust_type_string(
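Review bot: After this change `domains` is still assigned from `fetch_domains_from_trust(...)`, but nothing in the hunk reads it now that the loop consuming it is gone. If nothing later in the method uses it, drop the binding or extend the new comment, e.g. `# Called for its side effects (subdomain discovery and range creation); the return value is not used here.` The removed loop also ignored `errors.DuplicateEntry` from `add_range`. That tolerance now has to live inside `fetch_domains_from_trust`, whose body is not fully visible here, so confirm that re-running the command against an existing trust still succeeds. The enclosing method starts and ends outside the hunk.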
@@ -1268,7 +1243,7 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
# trust range must exist by the time fetch_domains_from_trust is called
range_name = trust_name.upper() + '_id_range'
old_range = api.Command.idrange_show(range_name, raw=True)['result']
- idrange_type = old_range['iparangetype']
+ idrange_type = old_range['iparangetype'][0]
for dom in domains:
dom['trust_type'] = u'ad'
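Review bot: The `[0]` on `old_range['iparangetype']` deserves a one-line comment, because nothing here says why the value is a list. Presumably `raw=True` makes `idrange_show` return attribute values as lists, so the unindexed value would never compare equal to a range-type string. A comment such as `# raw=True returns attribute values as lists; the range type is single-valued` above the assignment would keep a later reader from dropping the index. The lookup also assumes the attribute is present and non-empty, so a range entry without `iparangetype` would surface as a bare `KeyError` or `IndexError`; if that can happen, an explicit error naming the range would be easier to diagnose. The body of `fetch_domains_from_trust` continues outside the hunk.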