IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Use new objectclasses and attributes for trust

Browse Source
This commit is contained in:
Sumit Bose
2011-11-07 12:48:10 +01:00
committed by Simo Sorce
parent 2d355da9e2
commit 0945e46845
1 changed files with 32 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
ipaserver/install/adtrustinstance.py
View File

@@ -22,7 +22,7 @@ import errno
import ldap import ldap
import service import service
import tempfile import tempfile
import installutils import uuid
from ipaserver import ipaldap from ipaserver import ipaldap
from ipaserver.install.dsinstance import realm_to_serverid from ipaserver.install.dsinstance import realm_to_serverid
from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \ from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
@@ -75,6 +75,14 @@ def make_netbios_name(s):
return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15] return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15]
class ADTRUSTInstance(service.Service): class ADTRUSTInstance(service.Service):
ATTR_SID = "ipaNTSecurityIdentifier"
ATTR_FLAT_NAME = "ipaNTFlatName"
ATTR_GUID = "ipaNTDomainGUID"
OBJC_USER = "ipaNTUserAttrs"
OBJC_GROUP = "ipaNTGroupAttrs"
OBJC_DOMAIN = "ipaNTDomainAttrs"
def __init__(self, fstore=None, dm_password=None): def __init__(self, fstore=None, dm_password=None):
service.Service.__init__(self, "smb", dm_password=dm_password) service.Service.__init__(self, "smb", dm_password=dm_password)
@@ -107,13 +115,22 @@ class ADTRUSTInstance(service.Service):
# Also the premission to create trusted domain objects below the # Also the premission to create trusted domain objects below the
# domain object is granted. # domain object is granted.
mod = [(ldap.MOD_ADD, 'aci', mod = [(ldap.MOD_ADD, 'aci',
str('(targetattr = "sambaNTPassword")' \ str('(targetattr = "ipaNTHash")' \
'(version 3.0; acl "Samba user can read NT passwords";' \ '(version 3.0; acl "Samba user can read NT passwords";' \
'allow (read) userdn="ldap:///%s";)' % self.smb_dn)), 'allow (read) userdn="ldap:///%s";)' % self.smb_dn)),
(ldap.MOD_ADD, 'aci', (ldap.MOD_ADD, 'aci',
str('(target = "ldap:///cn=ad,cn=trusts,%s")' \ str('(target = "ldap:///cn=ad,cn=trusts,%s")' \
'(targetattr = "sambaTrustType || sambaTrustAttributes || sambaTrustDirection || sambaTrustPartner || sambaFlatName || sambaTrustAuthOutgoing || sambaTrustAuthIncoming || sambaSecurityIdentifier || sambaTrustForestTrustInfo || sambaTrustPosixOffset || sambaSupportedEncryptionTypes")' \ '(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ' \
'(version 3.0;acl "Allow samba user to create and delete trust accounts";' \ 'ipaNTTrustDirection || ' \
'ipaNTTrustPartner || ipaNTFlatName || ' \
'ipaNTTrustAuthOutgoing || ' \
'ipaNTTrustAuthIncoming || ' \
'ipaNTSecurityIdentifier || ' \
'ipaNTTrustForestTrustInfo || ' \
'ipaNTTrustPosixOffset || ' \
'ipaNTSupportedEncryptionTypes")' \
'(version 3.0;acl "Allow samba user to create and delete ' \
'trust accounts";' \
'allow (write,add,delete) userdn = "ldap:///%s";)' % \ 'allow (write,add,delete) userdn = "ldap:///%s";)' % \
(self.suffix, self.smb_dn)))] (self.suffix, self.smb_dn)))]
@@ -137,7 +154,7 @@ class ADTRUSTInstance(service.Service):
print "Samba domain object not found" print "Samba domain object not found"
return return
dom_sid = dom_entry.getValue("sambaSID") dom_sid = dom_entry.getValue(self.ATTR_SID)
if not dom_sid: if not dom_sid:
print "Samba domain object does not have a SID" print "Samba domain object does not have a SID"
return return
@@ -155,22 +172,22 @@ class ADTRUSTInstance(service.Service):
print "IPA admin group object not found" print "IPA admin group object not found"
return return
if admin_entry.getValue("sambaSID") or \ if admin_entry.getValue(self.ATTR_SID) or \
admin_group_entry.getValue("sambaSID"): admin_group_entry.getValue(self.ATTR_SID):
print "Admin SID already set, nothing to do" print "Admin SID already set, nothing to do"
return return
try: try:
self.admin_conn.modify_s(admin_dn, \ self.admin_conn.modify_s(admin_dn, \
[(ldap.MOD_ADD, "objectclass", "sambaSamAccount"), \ [(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
(ldap.MOD_ADD, "sambaSID", dom_sid + "-500")]) (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
except: except:
print "Failed to modify IPA admin object" print "Failed to modify IPA admin object"
try: try:
self.admin_conn.modify_s(admin_group_dn, \ self.admin_conn.modify_s(admin_group_dn, \
[(ldap.MOD_ADD, "objectclass", "sambaSidEntry"), \ [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
(ldap.MOD_ADD, "sambaSID", dom_sid + "-512")]) (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
except: except:
print "Failed to modify IPA admin group object" print "Failed to modify IPA admin group object"
@@ -199,10 +216,11 @@ class ADTRUSTInstance(service.Service):
self.admin_conn.addEntry(entry) self.admin_conn.addEntry(entry)
entry = ipaldap.Entry(self.smb_dom_dn) entry = ipaldap.Entry(self.smb_dom_dn)
entry.setValues("objectclass", ["sambaDomain", "nsContainer"]) entry.setValues("objectclass", [self.OBJC_DOMAIN, "nsContainer"])
entry.setValues("cn", self.domain_name) entry.setValues("cn", self.domain_name)
entry.setValues("sambaDomainName", self.netbios_name) entry.setValues(self.ATTR_FLAT_NAME, self.netbios_name)
entry.setValues("sambaSID", self.__gen_sid_string()) entry.setValues(self.ATTR_SID, self.__gen_sid_string())
entry.setValues(self.ATTR_GUID, str(uuid.uuid4()))
#TODO: which MAY attributes do we want to set ? #TODO: which MAY attributes do we want to set ?
self.admin_conn.add_s(entry) self.admin_conn.add_s(entry)