From 75f080132421d7f3cfe6f82ab0d446f563a5d7bf Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Thu, 11 Apr 2013 16:59:41 +0200 Subject: Add nfs:NONE to default PAC types only when needed We need to add nfs:NONE as a default PAC type only if there's no other default PAC type for nfs. Adds a update plugin which determines whether default PAC type for nfs is set and adds nfs:NONE PAC type accordingly. https://fedorahosted.org/freeipa/ticket/3555 --- install/updates/60-trusts.update | 5 --- ipaserver/install/plugins/Makefile.am | 1 + ipaserver/install/plugins/update_pacs.py | 57 ++++++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 5 deletions(-) create mode 100644 ipaserver/install/plugins/update_pacs.py diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update index f63651f7a..1b2511540 100644 --- a/install/updates/60-trusts.update +++ b/install/updates/60-trusts.update @@ -73,11 +73,6 @@ replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword | dn: cn=ipaConfig,cn=etc,$SUFFIX addifnew: ipaKrbAuthzData: MS-PAC -# Add authorization data type NONE for NFS because the hardcoded default was -# removed. -dn: cn=ipaConfig,cn=etc,$SUFFIX -add: ipaKrbAuthzData: nfs:NONE - # Fix typo in some installs in the spelling of ORDERING. They were added # with a typo which was silently dropped by 389-ds-base, so add in the # proper ordering syntax now. diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am index a0c62ca70..624e82687 100644 --- a/ipaserver/install/plugins/Makefile.am +++ b/ipaserver/install/plugins/Makefile.am @@ -10,6 +10,7 @@ app_PYTHON = \ updateclient.py \ update_services.py \ update_anonymous_aci.py \ + update_pacs.py \ $(NULL) EXTRA_DIST = \ diff --git a/ipaserver/install/plugins/update_pacs.py b/ipaserver/install/plugins/update_pacs.py new file mode 100644 index 000000000..653456bb8 --- /dev/null +++ b/ipaserver/install/plugins/update_pacs.py 
@@ -0,0 +1,57 @@
+# Authors:
+# Tomas Babej
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+
+
+class update_pacs(PostUpdate):
+ """
+ Includes default nfs:None only if no nfs: PAC present in ipakrbauthzdata.
+ """
+
+ order = MIDDLE
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ try:
+ dn = DN('cn=ipaConfig', 'cn=etc', api.env.basedn)
+ entry = ldap.get_entry(dn, ['ipakrbauthzdata'])
+ pacs = entry.get('ipakrbauthzdata', [])
+ except errors.NotFound:
+ self.log.warning('Error retrieving: %s' % str(dn))
+ return (False, False, [])
+
+ nfs_pac_set = any(pac.startswith('nfs:') for pac in pacs)
+
+ if not nfs_pac_set:
+ self.log.debug('Adding nfs:NONE to default PAC types')
+
+ updated_pacs = pacs + [u'nfs:NONE']
+ entry['ipakrbauthzdata'] = updated_pacs
+ ldap.update_entry(entry)
+ else:
+ self.log.debug('PAC for nfs is already set, not adding nfs:NONE.')
+
+ return (False, False, [])
+
+api.register(update_pacs)
-- cgit
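Review bot: `ldap.update_entry(entry)` in `execute` sits outside the `try`, so only `errors.NotFound` from the read is handled and any failure of the write to `cn=ipaConfig` propagates out of the plugin; how the updater reacts to that is not visible in this hunk. If the upgrade is meant to continue, wrap the call with `except errors.ExecutionError as e:` and `self.log.warning('Failed to add nfs:NONE to default PAC types: %s' % e)`; if it is meant to abort, a short comment saying so would help the next reader. Because this plugin changes the default PAC types for the whole deployment, the 'Adding nfs:NONE to default PAC types' message would serve an upgrade audit better at `self.log.info` than at debug. The class docstring also says `nfs:None` while the value actually written is `nfs:NONE`.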