domainlevel-get: fix various issues when running as non-admin
Use a proper filter that is matched by the ACI for 'permission:System: Read Domain Level' to allow any authenticated user to see the domain level. If the server doesn't have domain level set, callers in replica installer expect errors.NotFound but never get it. Return the right exception here and change the other caller to follow the same convention. Inability to retrieve the ipaDomainLevel attribute due to a filter mismatch causes ipa-replica-install to fail if run as a replica host principal. Use DOMAIN_LEVEL_0 constant instead of 0 as used by the rest of the code. Fixes: https://pagure.io/freeipa/issue/7876 Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
parent
6e8d38caa8
commit
b9dc975777
@ -10,6 +10,7 @@ from ipalib import errors
|
|||||||
from ipalib import output
|
from ipalib import output
|
||||||
from ipalib.parameters import Int
|
from ipalib.parameters import Int
|
||||||
from ipalib.plugable import Registry
|
from ipalib.plugable import Registry
|
||||||
|
from ipalib.constants import DOMAIN_LEVEL_0, MIN_DOMAIN_LEVEL
|
||||||
|
|
||||||
from ipapython.dn import DN
|
from ipapython.dn import DN
|
||||||
|
|
||||||
@ -45,7 +46,7 @@ def get_domainlevel_range(master_entry):
|
|||||||
int(master_entry['ipaMaxDomainLevel'][0])
|
int(master_entry['ipaMaxDomainLevel'][0])
|
||||||
)
|
)
|
||||||
except KeyError:
|
except KeyError:
|
||||||
return DomainLevelRange(0, 0)
|
return DomainLevelRange(DOMAIN_LEVEL_0, DOMAIN_LEVEL_0)
|
||||||
|
|
||||||
|
|
||||||
def check_conflict_entries(ldap, api, desired_value):
|
def check_conflict_entries(ldap, api, desired_value):
|
||||||
@ -102,12 +103,20 @@ class domainlevel_get(Command):
|
|||||||
|
|
||||||
def execute(self, *args, **options):
|
def execute(self, *args, **options):
|
||||||
ldap = self.api.Backend.ldap2
|
ldap = self.api.Backend.ldap2
|
||||||
entry = ldap.get_entry(
|
entry = ldap.get_entries(
|
||||||
get_domainlevel_dn(self.api),
|
get_domainlevel_dn(self.api),
|
||||||
['ipaDomainLevel']
|
scope=ldap.SCOPE_BASE,
|
||||||
)
|
filter='(objectclass=ipadomainlevelconfig)',
|
||||||
|
attrs_list=['ipaDomainLevel']
|
||||||
|
)[0]
|
||||||
|
|
||||||
return {'result': int(entry.single_value['ipaDomainLevel'])}
|
try:
|
||||||
|
value = int(entry.single_value['ipaDomainLevel'])
|
||||||
|
return {'result': value}
|
||||||
|
except KeyError:
|
||||||
|
raise errors.NotFound(
|
||||||
|
reason=_(
|
||||||
|
'Server does not support domain level functionality'))
|
||||||
|
|
||||||
|
|
||||||
@register()
|
@register()
|
||||||
@ -120,7 +129,7 @@ class domainlevel_set(Command):
|
|||||||
Int('ipadomainlevel',
|
Int('ipadomainlevel',
|
||||||
cli_name='level',
|
cli_name='level',
|
||||||
label=_('Domain Level'),
|
label=_('Domain Level'),
|
||||||
minvalue=0,
|
minvalue=MIN_DOMAIN_LEVEL,
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
|
|
||||||
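Review bot: `ldap.get_entries(...)[0]` in domainlevel_get.execute indexes the search result unguarded, so if the base search can come back empty (for instance when the caller's ACI does not match the entry) the command fails with an IndexError instead of the errors.NotFound that ipa-replica-install and validate_domain_level now rely on; the `except KeyError` only covers a missing ipaDomainLevel attribute on an entry that was found. I would bind the result first and check it: `entries = ldap.get_entries(...)`, `if not entries: raise errors.NotFound(reason=_('Server does not support domain level functionality'))`, `entry = entries[0]` (if get_entries already raises NotFound on an empty result, a one-line comment saying so is enough). The reason the explicit objectclass filter is required is not visible in the code, so a later cleanup could revert to get_entry() and reintroduce the bug; I would add above the call `# Use the same objectclass filter the 'System: Read Domain Level' ACI targets, so non-admin callers (e.g. a replica host principal) can read the entry.` The enclosing class domainlevel_get starts outside the hunk.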
|
@ -12,7 +12,7 @@ from .baseldap import (
|
|||||||
LDAPRetrieve)
|
LDAPRetrieve)
|
||||||
from ipalib import _, ngettext
|
from ipalib import _, ngettext
|
||||||
from ipalib import output
|
from ipalib import output
|
||||||
from ipalib.constants import DOMAIN_LEVEL_1
|
from ipalib.constants import MIN_DOMAIN_LEVEL, DOMAIN_LEVEL_1
|
||||||
from ipaserver.topology import (
|
from ipaserver.topology import (
|
||||||
create_topology_graph, get_topology_connection_errors,
|
create_topology_graph, get_topology_connection_errors,
|
||||||
map_masters_to_suffixes)
|
map_masters_to_suffixes)
|
||||||
@ -82,7 +82,11 @@ register = Registry()
|
|||||||
|
|
||||||
|
|
||||||
def validate_domain_level(api):
|
def validate_domain_level(api):
|
||||||
|
try:
|
||||||
current = int(api.Command.domainlevel_get()['result'])
|
current = int(api.Command.domainlevel_get()['result'])
|
||||||
|
except errors.NotFound:
|
||||||
|
current = MIN_DOMAIN_LEVEL
|
||||||
|
|
||||||
if current < DOMAIN_LEVEL_1:
|
if current < DOMAIN_LEVEL_1:
|
||||||
raise errors.InvalidDomainLevelError(
|
raise errors.InvalidDomainLevelError(
|
||||||
reason=_('Topology management requires minimum domain level {0} '
|
reason=_('Topology management requires minimum domain level {0} '
|
||||||
|