mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
adtrust upgrade: fix wrong primary principal name, part 2
Second part of the trust principals upgrade For existing LOCAL-FLAT$@REMOTE object, convert it to krbtgt/LOCAL-FLAT@REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do so we need to modify an entry content a bit so it is better to remove the old entry and create a new one instead of renaming. Resolves: https://pagure.io/freeipa/issue/7992 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
parent
881ec5a317
commit
7af4c7d472
@ -512,16 +512,19 @@ class update_tdo_to_new_layout(Updater):
|
||||
|
||||
if isinstance(principals, (list, tuple)):
|
||||
trust_principal = principals[0]
|
||||
aliases = principals[1:]
|
||||
alias = principals[1]
|
||||
else:
|
||||
trust_principal = principals
|
||||
aliases = []
|
||||
alias = None
|
||||
|
||||
entry = None
|
||||
en = None
|
||||
try:
|
||||
entry = ldap.get_entry(
|
||||
DN(('krbprincipalname', trust_principal), trustdn))
|
||||
dn = entry.dn
|
||||
action = ldap.update_entry
|
||||
ticket_flags = int(entry.single_value.get('krbticketflags', 0))
|
||||
logger.debug("Updating Kerberos principal entry for %s",
|
||||
trust_principal)
|
||||
except errors.NotFound:
|
||||
@ -530,6 +533,19 @@ class update_tdo_to_new_layout(Updater):
|
||||
if flags & self.KRB_PRINC_MUST_EXIST:
|
||||
raise
|
||||
|
||||
ticket_flags = 0
|
||||
if alias:
|
||||
try:
|
||||
en = ldap.get_entry(
|
||||
DN(('krbprincipalname', alias), trustdn))
|
||||
ldap.delete_entry(en.dn)
|
||||
ticket_flags = int(en.single_value.get(
|
||||
'krbticketflags', 0))
|
||||
except errors.NotFound:
|
||||
logger.debug("Entry for alias TDO does not exist for "
|
||||
"trusted domain object %s, skip it",
|
||||
alias)
|
||||
|
||||
dn = DN(('krbprincipalname', trust_principal), trustdn)
|
||||
entry = ldap.make_entry(dn)
|
||||
logger.debug("Adding Kerberos principal entry for %s",
|
||||
@ -544,15 +560,23 @@ class update_tdo_to_new_layout(Updater):
|
||||
'krbprincipalname': [trust_principal],
|
||||
}
|
||||
|
||||
entry_data['krbprincipalname'].extend(aliases)
|
||||
|
||||
if flags & self.KRB_PRINC_CREATE_DISABLED:
|
||||
flg = int(entry.single_value.get('krbticketflags', 0))
|
||||
entry_data['krbticketflags'] = flg | self.KRB_DISALLOW_ALL_TIX
|
||||
entry_data['krbticketflags'] = (ticket_flags |
|
||||
self.KRB_DISALLOW_ALL_TIX)
|
||||
|
||||
if flags & self.KRB_PRINC_CREATE_AGENT_PERMISSION:
|
||||
entry_data['objectclass'].extend(['ipaAllowedOperations'])
|
||||
|
||||
if alias:
|
||||
entry_data['krbprincipalname'].extend([alias])
|
||||
if en:
|
||||
entry_data['krbprincipalkey'] = en.single_value.get(
|
||||
'krbprincipalkey')
|
||||
entry_data['krbextradata'] = en.single_value.get(
|
||||
'krbextradata')
|
||||
entry_data['ipaAllowedToPerform;read_keys'] = en.get(
|
||||
'ipaAllowedToPerform;read_keys', [])
|
||||
|
||||
entry.update(entry_data)
|
||||
try:
|
||||
action(entry)
|
||||
|
Loading…
Reference in New Issue
Block a user