adtrust upgrade: fix wrong primary principal name, part 2

Second part of the trust principals upgrade

For existing LOCAL-FLAT$@REMOTE object, convert it to
krbtgt/LOCAL-FLAT@REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
so we need to modify the entry content a bit, so it is better to remove
the old entry and create a new one instead of renaming it.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Alexander Bokovoy 2019-06-27 11:56:08 +03:00
parent 881ec5a317
commit 7af4c7d472


@ -512,16 +512,19 @@ class update_tdo_to_new_layout(Updater):
if isinstance(principals, (list, tuple)): if isinstance(principals, (list, tuple)):
trust_principal = principals[0] trust_principal = principals[0]
aliases = principals[1:] alias = principals[1]
else: else:
trust_principal = principals trust_principal = principals
aliases = [] alias = None
entry = None
en = None
try: try:
entry = ldap.get_entry( entry = ldap.get_entry(
DN(('krbprincipalname', trust_principal), trustdn)) DN(('krbprincipalname', trust_principal), trustdn))
dn = entry.dn dn = entry.dn
action = ldap.update_entry action = ldap.update_entry
ticket_flags = int(entry.single_value.get('krbticketflags', 0))
logger.debug("Updating Kerberos principal entry for %s", logger.debug("Updating Kerberos principal entry for %s",
trust_principal) trust_principal)
except errors.NotFound: except errors.NotFound:
@ -530,6 +533,19 @@ class update_tdo_to_new_layout(Updater):
if flags & self.KRB_PRINC_MUST_EXIST: if flags & self.KRB_PRINC_MUST_EXIST:
raise raise
ticket_flags = 0
if alias:
try:
en = ldap.get_entry(
DN(('krbprincipalname', alias), trustdn))
ldap.delete_entry(en.dn)
ticket_flags = int(en.single_value.get(
'krbticketflags', 0))
except errors.NotFound:
logger.debug("Entry for alias TDO does not exist for "
"trusted domain object %s, skip it",
alias)
dn = DN(('krbprincipalname', trust_principal), trustdn) dn = DN(('krbprincipalname', trust_principal), trustdn)
entry = ldap.make_entry(dn) entry = ldap.make_entry(dn)
logger.debug("Adding Kerberos principal entry for %s", logger.debug("Adding Kerberos principal entry for %s",
@ -544,15 +560,23 @@ class update_tdo_to_new_layout(Updater):
'krbprincipalname': [trust_principal], 'krbprincipalname': [trust_principal],
} }
entry_data['krbprincipalname'].extend(aliases)
if flags & self.KRB_PRINC_CREATE_DISABLED: if flags & self.KRB_PRINC_CREATE_DISABLED:
flg = int(entry.single_value.get('krbticketflags', 0)) entry_data['krbticketflags'] = (ticket_flags |
entry_data['krbticketflags'] = flg | self.KRB_DISALLOW_ALL_TIX self.KRB_DISALLOW_ALL_TIX)
if flags & self.KRB_PRINC_CREATE_AGENT_PERMISSION: if flags & self.KRB_PRINC_CREATE_AGENT_PERMISSION:
entry_data['objectclass'].extend(['ipaAllowedOperations']) entry_data['objectclass'].extend(['ipaAllowedOperations'])
if alias:
entry_data['krbprincipalname'].extend([alias])
if en:
entry_data['krbprincipalkey'] = en.single_value.get(
'krbprincipalkey')
entry_data['krbextradata'] = en.single_value.get(
'krbextradata')
entry_data['ipaAllowedToPerform;read_keys'] = en.get(
'ipaAllowedToPerform;read_keys', [])
entry.update(entry_data) entry.update(entry_data)
try: try:
action(entry) action(entry)