add default access control when migrating trust objects

It looks like for some cases we do not have proper set up keytab retrieval configuration in the old trusted domain object. This mostly affects two-way trust cases. In such cases, create default configuration as ipasam would have created when trust was established. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-09-10 13:39:39 +03:00 · 2019-09-10 13:39:39 +03:00 · 9aeb6bae23
commit 9aeb6bae23
parent 991d508a5c
1 changed files with 12 additions and 2 deletions
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@ -29,6 +29,9 @@ logger = logging.getLogger(__name__)
 register = Registry()

 DEFAULT_ID_RANGE_SIZE = 200000
+trust_read_keys_template = \
+    ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}",
+     "cn=trust admins,cn=groups,cn=accounts,{basedn}"]


@register()
@ -576,8 +579,15 @@ class update_tdo_to_new_layout(Updater):
                    'krbprincipalkey')
                entry_data['krbextradata'] = en.single_value.get(
                    'krbextradata')
-                entry_data['ipaAllowedToPerform;read_keys'] = en.get(
-                    'ipaAllowedToPerform;read_keys', [])
+                read_keys = en.get('ipaAllowedToPerform;read_keys', [])
+                if not read_keys:
+                    # Old style, no ipaAllowedToPerform;read_keys in the entry,
+                    # use defaults that ipasam should have set when creating a
+                    # trust
+                    read_keys = list(map(
+                        lambda x: x.format(basedn=self.api.env.basedn),
+                        trust_read_keys_template))
+                entry_data['ipaAllowedToPerform;read_keys'] = read_keys

        entry.update(entry_data)
        try: