Improve error messages for external group members

When adding a duplicate member to a group, an error message is issued, informing the user that the entry is already a member of the group. Similarly, when trying to delete an entry which is not a member, an error message is issued, informing the user that the entry is not a member of the group. These error messages were missing in case of external members. This patch also adds support for using the AD\name or name@ad.domain.com format in ipa group-remove-member command. This format was supported in group-add-member, but not in group-remove-member. Unit test file covering these cases was also added. https://fedorahosted.org/freeipa/ticket/3254
2025-02-25 18:55:28 -06:00 · 2013-02-21 10:56:03 -05:00
parent c4ab8dae35
commit 66356f0daf
4 changed files with 190 additions and 4 deletions
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -398,7 +398,7 @@ class group_add_member(LDAPAddMember):
            result = add_external_post_callback('member', 'group', 'ipaexternalmember',
                                                ldap, completed, failed, dn, entry_attrs,
                                                keys, options, external_callback_normalize=False)
-            failed['member']['group'] = restore + failed_sids
+            failed['member']['group'] += restore + failed_sids
        return result

 api.register(group_add_member)
@@ -425,15 +425,34 @@ class group_remove_member(LDAPRemoveMember):
        assert isinstance(dn, DN)
        result = (completed, dn)
        if 'ipaexternalmember' in options:
-            sids = options['ipaexternalmember']
-            restore = list()
+            if not _dcerpc_bindings_installed:
+                raise errors.NotFound(reason=_('Cannot perform external member validation without '
+                                               'Samba 4 support installed. Make sure you have installed '
+                                               'server-trust-ad sub-package of IPA on the server'))
+            domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+            if not domain_validator.is_configured():
+                raise errors.NotFound(reason=_('Cannot perform join operation without own domain configured. '
+                                               'Make sure you have run ipa-adtrust-install on the IPA server first'))
+            sids = []
+            failed_sids = []
+            for sid in options['ipaexternalmember']:
+                if domain_validator.is_trusted_sid_valid(sid):
+                    sids.append(sid)
+                else:
+                    try:
+                        actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
+                    except errors.PublicError, e:
+                        failed_sids.append((sid, unicode(e)))
+                    else:
+                        sids.append(actual_sid)
+            restore = []
            if 'member' in failed and 'group' in failed['member']:
                restore = failed['member']['group']
            failed['member']['group'] = list((id,id) for id in sids)
            result = remove_external_post_callback('member', 'group', 'ipaexternalmember',
                                                ldap, completed, failed, dn, entry_attrs,
                                                keys, options)
-            failed['member']['group'] = restore
+            failed['member']['group'] += restore + failed_sids
        return result

 api.register(group_remove_member)