summaryrefslogtreecommitdiffstats
path: root/ipalib
diff options
context:
space:
mode:
authorAlexander Bokovoy <abokovoy@redhat.com>2012-09-19 19:09:22 +0300
committerMartin Kosek <mkosek@redhat.com>2012-09-20 14:55:34 +0200
commit87a37c8e2f9ee4900f533f0c455c7bbf28f5987a (patch)
treeab9a8165f5875e52e1b49c3807f46404fec91643 /ipalib
parent4bb453510197bb2c51d7f9b334052d68151bca83 (diff)
downloadfreeipa-87a37c8e2f9ee4900f533f0c455c7bbf28f5987a.tar.gz
freeipa-87a37c8e2f9ee4900f533f0c455c7bbf28f5987a.tar.xz
freeipa-87a37c8e2f9ee4900f533f0c455c7bbf28f5987a.zip
validate SID for trusted domain when adding/modifying ID range
https://fedorahosted.org/freeipa/ticket/3087
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/idrange.py31
1 files changed, 28 insertions, 3 deletions
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index ee50613bb..8f2d4efdc 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
from ipalib import util
from ipapython.dn import DN
+if api.env.in_server and api.env.context in ['lite', 'server']:
+ try:
+ import ipaserver.dcerpc
+ _dcerpc_bindings_installed = True
+ except ImportError:
+ _dcerpc_bindings_installed = False
__doc__ = _("""
ID ranges
@@ -249,6 +255,18 @@ class idrange(LDAPObject):
error=_('range modification leaving objects with ID out '
'of the defined range is not allowed'))
+ def validate_trusted_domain_sid(self, sid):
+ if not _dcerpc_bindings_installed:
+ raise errors.NotFound(reason=_('Cannot perform SID validation without Samba 4 support installed. '
+ 'Make sure you have installed server-trust-ad sub-package of IPA on the server'))
+ domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+ if not domain_validator.is_configured():
+ raise errors.NotFound(reason=_('Cross-realm trusts are not configured. '
+ 'Make sure you have run ipa-adtrust-install on the IPA server first'))
+ if not domain_validator.is_trusted_sid_valid(sid):
+ raise errors.ValidationError(name='domain SID',
+ error=_('SID is not recognized as a valid SID for a trusted domain'))
+
class idrange_add(LDAPCreate):
__doc__ = _("""
Add new ID range.
@@ -278,19 +296,22 @@ class idrange_add(LDAPCreate):
if 'ipanttrusteddomainsid' in options:
if 'ipasecondarybaserid' in options:
- raise errors.ValidationError(name=_('ID Range setup'),
+ raise errors.ValidationError(name='ID Range setup',
error=_('Options dom_sid and secondary_rid_base cannot ' \
'be used together'))
if 'ipabaserid' not in options:
- raise errors.ValidationError(name=_('ID Range setup'),
+ raise errors.ValidationError(name='ID Range setup',
error=_('Options dom_sid and rid_base must ' \
'be used together'))
+ # Validate SID as the one of trusted domains
+ self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid'])
+ # Finally, add trusted AD domain range object class
entry_attrs['objectclass'].append('ipatrustedaddomainrange')
else:
if (('ipasecondarybaserid' in options) != ('ipabaserid' in options)):
- raise errors.ValidationError(name=_('ID Range setup'),
+ raise errors.ValidationError(name='ID Range setup',
error=_('Options secondary_rid_base and rid_base must ' \
'be used together'))
@@ -366,6 +387,10 @@ class idrange_mod(LDAPUpdate):
except errors.NotFound:
self.obj.handle_not_found(*keys)
+ if 'ipanttrusteddomainsid' in options:
+ # Validate SID as the one of trusted domains
+ self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid'])
+
old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
new_base_id = entry_attrs.get('ipabaseid')