authorTomas Babej <tbabej@redhat.com>2013-05-13 13:19:12 +0200
committerMartin Kosek <mkosek@redhat.com>2013-05-30 12:35:29 +0200
commit3613e9239caab8c94a0ecc21211b4c3ebb2ece75 (patch)
tree0f92788b8ac214e8ece5a1c7284e655a881d45f4
parent2dd96732e157200742f45b42b9d932aa499a656a (diff)
Support multiple local domain ranges with RID base set
In ipa-adtrust-install, the "adding RID bases" step would fail if more than one local range was defined. This can be a common case if, e.g., there are users that migrated from a previous IdM solution. With this patch, we fail only if there are multiple local ranges that do not have RID bases set. Keep in mind that overlap checking is ensured by the ipa-range-check DS plugin. https://fedorahosted.org/freeipa/ticket/3498
-rw-r--r--ipaserver/install/adtrustinstance.py50
1 files changed, 34 insertions, 16 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index a47c80b39..d2929801b 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -258,36 +258,54 @@ class ADTRUSTInstance(service.Service):
"""
try:
- res = self.admin_conn.get_entries(
+ # Get the ranges
+ ranges = self.admin_conn.get_entries(
DN(api.env.container_ranges, self.suffix),
ldap.SCOPE_ONELEVEL, "(objectclass=ipaDomainIDRange)")
- if len(res) != 1:
- root_logger.critical("Found more than one ID range for the " \
- "local domain.")
- raise RuntimeError("Too many ID ranges\n")
- if res[0].single_value('ipaBaseRID', None) or \
- res[0].single_value('ipaSecondaryBaseRID', None):
+ # Filter out ranges where RID base is already set
+ no_rid_base_set = lambda r: not any((
+ r.single_value('ipaBaseRID', None),
+ r.single_value('ipaSecondaryBaseRID', None)))
+
+ ranges_with_no_rid_base = filter(no_rid_base_set, ranges)
+
+ # Return if no range is without RID base
+ if len(ranges_with_no_rid_base) == 0:
self.print_msg("RID bases already set, nothing to do")
return
- size = res[0].single_value('ipaIDRangeSize', None)
+ # Abort if RID base needs to be added to more than one range
+ if len(ranges_with_no_rid_base) != 1:
+ root_logger.critical("Found more than one local domain ID "
+ "range with no RID base set.")
+ raise RuntimeError("Too many ID ranges\n")
+
+ # Abort if RID bases are too close
+ local_range = ranges_with_no_rid_base[0]
+ size = local_range.single_value('ipaIDRangeSize', None)
+
if abs(self.rid_base - self.secondary_rid_base) > size:
- self.print_msg("Primary and secondary RID base are too close. " \
+ self.print_msg("Primary and secondary RID base are too close. "
"They have to differ at least by %d." % size)
raise RuntimeError("RID bases too close.\n")
+ # Modify the range
+ # If the RID bases would cause overlap with some other range,
+ # this will be detected by ipa-range-check DS plugin
try:
- self.admin_conn.modify_s(res[0].dn,
- [(ldap.MOD_ADD, "ipaBaseRID", \
- str(self.rid_base)), \
- (ldap.MOD_ADD, "ipaSecondaryBaseRID", \
+ self.admin_conn.modify_s(local_range.dn,
+ [(ldap.MOD_ADD, "ipaBaseRID",
+ str(self.rid_base)),
+ (ldap.MOD_ADD, "ipaSecondaryBaseRID",
str(self.secondary_rid_base))])
- except:
- self.print_msg("Failed to add RID bases to the local range object")
+ except ldap.CONSTRAINT_VIOLATION, e:
+ self.print_msg("Failed to add RID bases to the local range "
+ "object:\n %s" % e[0]['info'])
+ raise RuntimeError("Constraint violation.\n")
except errors.NotFound as e:
- root_logger.critical("ID range of the local domain not found, " \
+ root_logger.critical("ID range of the local domain not found, "
"define it and run again.")
raise e
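Review bot: The closeness test left as context in this hunk, `if abs(self.rid_base - self.secondary_rid_base) > size:`, reads as inverted against its own message: it aborts when the bases are more than `size` apart and lets bases closer than `size` through, so the primary and secondary RID intervals of the range can overlap. Whether the ipa-range-check DS plugin mentioned in the new comment also catches overlap inside a single range is not visible here, so the local check should not depend on it. The comparison should be `<`, and since `size` comes from `single_value('ipaIDRangeSize', None)` it needs a None guard once flipped: `if size is None or abs(self.rid_base - self.secondary_rid_base) < size:`. In the new handler, `e[0]['info']` assumes the server sent an info string; `e[0].get('info', e[0].get('desc'))` would avoid a KeyError masking the constraint violation. The method begins above the hunk, so this is based on the visible lines only.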