diff options
Diffstat (limited to 'ipalib/util.py')
-rw-r--r-- | ipalib/util.py | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/ipalib/util.py b/ipalib/util.py index 67865eb04..d101514ca 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -912,3 +912,74 @@ def set_krbcanonicalname(entry_attrs): if ('krbprincipalname' in entry_attrs and 'krbcanonicalname' not in entry_attrs): entry_attrs['krbcanonicalname'] = entry_attrs['krbprincipalname'] + + +def ensure_last_krbprincipalname(ldap, entry_attrs, *keys): + """ + ensure that the LDAP entry has at least one value of krbprincipalname + and that this value is equal to krbcanonicalname + + :param ldap: LDAP connection object + :param entry_attrs: LDAP entry made prior to update + :param options: command options + """ + entry = ldap.get_entry( + entry_attrs.dn, ['krbcanonicalname', 'krbprincipalname']) + + krbcanonicalname = entry.single_value.get('krbcanonicalname', None) + + if krbcanonicalname in keys[-1]: + raise errors.ValidationError( + name='krbprincipalname', + error=_('at least one value equal to the canonical ' + 'principal name must be present') + ) + + +def ensure_krbcanonicalname_set(ldap, entry_attrs): + old_entry = ldap.get_entry( + entry_attrs.dn, + ['krbcanonicalname', 'krbprincipalname', 'objectclass']) + + if old_entry.single_value.get('krbcanonicalname', None) is not None: + return + + set_krbcanonicalname(old_entry) + + old_entry.pop('krbprincipalname', None) + old_entry.pop('objectclass', None) + + entry_attrs.update(old_entry) + + +def check_principal_realm_in_trust_namespace(api_instance, *keys): + """ + Check that principal name's suffix does not overlap with UPNs and realm + names of trusted forests. + + :param api_instance: API instance + :param suffixes: principal suffixes + + :raises: ValidationError if the suffix coincides with realm name, UPN + suffix or netbios name of trusted domains + """ + trust_objects = api_instance.Command.trust_find(u'', sizelimit=0)['result'] + + trust_suffix_namespace = set() + + for obj in trust_objects: + trust_suffix_namespace.update( + set(upn.lower() for upn in obj['ipantadditionalsuffixes'])) + + trust_suffix_namespace.update( + set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower()))) + + for principal in keys[-1]: + realm = principal.realm + upn = principal.upn_suffix if principal.is_enterprise else None + + if realm in trust_suffix_namespace or upn in trust_suffix_namespace: + raise errors.ValidationError( + name='krbprincipalname', + error=_('realm or UPN suffix overlaps with trusted domain ' + 'namespace')) |