Trust: add auto private groups option

Add a new option --auto-private-groups to the commands
ipa idrange-add / ipa idrange-mod.
The option can take true/false/hybrid values.

Fixes: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Florence Blanc-Renaud
2021-04-14 17:34:37 +02:00
parent 3844f5b3c8
commit ba7ab24b29
4 changed files with 35 additions and 8 deletions


@@ -181,7 +181,7 @@ aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumbe
dn: cn=views,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || memberof || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=ranges,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || entryusn || ipaautoprivategroups || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=views,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipadomainresolutionorder || modifytimestamp || objectclass")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Read ID Views";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example


@@ -3049,10 +3049,11 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: idrange_add/1
args: 1,12,3
args: 1,13,3
arg: Str('cn', cli_name='name')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: StrEnum('ipaautoprivategroups?', cli_name='auto_private_groups', values=[u'true', u'false', u'hybrid'])
option: Int('ipabaseid', cli_name='base_id')
option: Int('ipabaserid?', cli_name='rid_base')
option: Int('ipaidrangesize', cli_name='range_size')
@@ -3075,10 +3076,11 @@ output: Output('result', type=[<type 'dict'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: ListOfPrimaryKeys('value')
command: idrange_find/1
args: 1,13,4
args: 1,14,4
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('cn?', autofill=False, cli_name='name')
option: StrEnum('ipaautoprivategroups?', autofill=False, cli_name='auto_private_groups', values=[u'true', u'false', u'hybrid'])
option: Int('ipabaseid?', autofill=False, cli_name='base_id')
option: Int('ipabaserid?', autofill=False, cli_name='rid_base')
option: Int('ipaidrangesize?', autofill=False, cli_name='range_size')
@@ -3095,11 +3097,12 @@ output: ListOfEntries('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: Output('truncated', type=[<type 'bool'>])
command: idrange_mod/1
args: 1,13,3
args: 1,14,3
arg: Str('cn', cli_name='name')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('delattr*', cli_name='delattr')
option: StrEnum('ipaautoprivategroups?', autofill=False, cli_name='auto_private_groups', values=[u'true', u'false', u'hybrid'])
option: Int('ipabaseid?', autofill=False, cli_name='base_id')
option: Int('ipabaserid?', autofill=False, cli_name='rid_base')
option: Int('ipaidrangesize?', autofill=False, cli_name='range_size')


@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
define(IPA_API_VERSION_MINOR, 240)
# Last change: add pwquality options to pwpolicy
define(IPA_API_VERSION_MINOR, 241)
# Last change: add auto-private-groups option to idrange
########################################################


@@ -80,6 +80,9 @@ and an ID range of a trusted domain must set
- rid-base: the first RID of the corresponding RID range
- sid: domain SID of the trusted domain
and an ID range of a trusted domain may set
- auto-private-groups: [true|false|hybrid] automatic creation of private groups
EXAMPLE: Add a new ID range for a trusted domain
@@ -181,7 +184,7 @@ class idrange(LDAPObject):
possible_objectclasses = ['ipadomainidrange', 'ipatrustedaddomainrange']
default_attributes = ['cn', 'ipabaseid', 'ipaidrangesize', 'ipabaserid',
'ipasecondarybaserid', 'ipanttrusteddomainsid',
'iparangetype']
'iparangetype', 'ipaautoprivategroups']
managed_permissions = {
'System: Read ID Ranges': {
'replaces_global_anonymous_aci': True,
@@ -191,6 +194,7 @@ class idrange(LDAPObject):
'cn', 'objectclass',
'ipabaseid', 'ipaidrangesize', 'iparangetype',
'ipabaserid', 'ipasecondarybaserid', 'ipanttrusteddomainsid',
'ipaautoprivategroups',
},
},
}
@@ -246,7 +250,13 @@ class idrange(LDAPObject):
doc=_('ID range type, one of allowed values'),
values=sorted(range_types),
flags=['no_update'],
)
),
StrEnum('ipaautoprivategroups?',
label=_('Auto private groups'),
cli_name='auto_private_groups',
doc=_('Auto creation of private groups, one of allowed values'),
values=(u'true', u'false', u'hybrid'),
),
)
def handle_iparangetype(self, entry_attrs, options,
@@ -394,6 +404,10 @@ class idrange_add(LDAPCreate):
may be given for a new ID range for the local domain while
--auto-private-groups
may be given for a new ID range for a trusted AD domain and
--rid-base
--dom-sid
@@ -482,6 +496,16 @@ class idrange_add(LDAPCreate):
'or ipa-ad-trust-posix when SID of the trusted '
'domain is not specified.'))
# auto private group is possible only for ad trusts
if is_set('ipaautoprivategroups') and \
entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
u'ipa-ad-trust-posix'):
raise errors.ValidationError(
name='ID Range setup',
error=_('IPA Range type must be one of ipa-ad-trust '
'or ipa-ad-trust-posix when '
'auto-private-groups is specified'))
# secondary base rid must be set if and only if base rid is set
if is_set('ipasecondarybaserid') != is_set('ipabaserid'):
raise errors.ValidationError(name='ID Range setup',
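Review bot: The range-type guard added at `if is_set('ipaautoprivategroups') and \` runs only in idrange_add's pre_callback, yet the API.txt hunk in this same commit also adds `ipaautoprivategroups` to idrange_mod, and no hunk adds an equivalent check there; unless idrange_mod shares this callback (its body is not visible here), a local-domain range can be modified to carry auto-private-groups, which the add path explicitly rejects. The same validation, ideally factored into a helper both callbacks call, belongs in idrange_mod's pre_callback, reading the stored iparangetype from the entry when the option is not part of the modification. The help text added at `--auto-private-groups` for idrange_add could also state that the value is accepted only for ipa-ad-trust and ipa-ad-trust-posix ranges, matching the ValidationError message, so users are not surprised by the rejection. The enclosing pre_callback starts before this hunk and continues after it.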