IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-24 15:16:40 -06:00
Code Issues Packages Projects Releases Wiki Activity

Extend idrange commands to support new range origin types

Browse Source 
Following values of ipaRangeType attribute are supported
and translated accordingly in the idrange commands:

 'ipa-local': 'local domain range'
 'ipa-ad-winsync': 'Active Directory winsync range'
 'ipa-ad-trust': 'Active Directory domain range'
 'ipa-ad-trust-posix': 'Active Directory trust range with
                        POSIX attributes'
 'ipa-ipa-trust': 'IPA trust range'

Part of https://fedorahosted.org/freeipa/ticket/3647
This commit is contained in:
Tomas Babej 2013-05-30 14:12:52 +02:00 committed by Alexander Bokovoy
parent 11c0f0517f
commit d2b943f08b
2 changed files with 57 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
API.txt
View File

@ -1969,7 +1969,7 @@ option: Int('ipabaserid', attribute=True, cli_name='rid_base', multivalue=False,
option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True) option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True)
option: Str('ipanttrusteddomainname', attribute=False, cli_name='dom_name', multivalue=False, required=False) option: Str('ipanttrusteddomainname', attribute=False, cli_name='dom_name', multivalue=False, required=False)
option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False) option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False)
option: Str('iparangetype', attribute=True, cli_name='iparangetype', multivalue=False, required=False) option: StrEnum('iparangetype', attribute=True, cli_name='type', multivalue=False, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust'))
option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False) option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui')
@ -1994,7 +1994,7 @@ option: Int('ipabaseid', attribute=True, autofill=False, cli_name='base_id', mul
option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', multivalue=False, query=True, required=False) option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', multivalue=False, query=True, required=False)
option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, query=True, required=False) option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, query=True, required=False)
option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='dom_sid', multivalue=False, query=True, required=False) option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='dom_sid', multivalue=False, query=True, required=False)
option: Str('iparangetype', attribute=True, autofill=False, cli_name='iparangetype', multivalue=False, query=True, required=False) option: StrEnum('iparangetype', attribute=True, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust'))
option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, query=True, required=False) option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, query=True, required=False)
option: Flag('pkey_only?', autofill=True, default=False) option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
@ -2006,7 +2006,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None) output: Output('truncated', <type 'bool'>, None)
command: idrange_mod command: idrange_mod
args: 1,14,3 args: 1,13,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@ -2016,7 +2016,6 @@ option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', m
option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, required=False) option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, required=False)
option: DeprecatedParam('ipanttrusteddomainname?') option: DeprecatedParam('ipanttrusteddomainname?')
option: DeprecatedParam('ipanttrusteddomainsid?') option: DeprecatedParam('ipanttrusteddomainsid?')
option: Str('iparangetype', attribute=True, autofill=False, cli_name='iparangetype', multivalue=False, required=False)
option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, required=False) option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Flag('rights', autofill=True, default=False) option: Flag('rights', autofill=True, default=False)

68
ipalib/plugins/idrange.py
View File

@ -19,7 +19,7 @@
from ipalib.plugins.baseldap import (LDAPObject, LDAPCreate, LDAPDelete, from ipalib.plugins.baseldap import (LDAPObject, LDAPCreate, LDAPDelete,
LDAPRetrieve, LDAPSearch, LDAPUpdate) LDAPRetrieve, LDAPSearch, LDAPUpdate)
from ipalib import api, Int, Str, DeprecatedParam, _, ngettext from ipalib import api, Int, Str, DeprecatedParam, StrEnum, _, ngettext
from ipalib import errors from ipalib import errors
from ipapython.dn import DN from ipapython.dn import DN
@ -168,6 +168,15 @@ class idrange(LDAPObject):
label = _('ID Ranges') label = _('ID Ranges')
label_singular = _('ID Range') label_singular = _('ID Range')
range_types = {
u'ipa-local': unicode(_('local domain range')),
u'ipa-ad-winsync': unicode(_('Active Directory winsync range')),
u'ipa-ad-trust': unicode(_('Active Directory domain range')),
u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with '
'POSIX attributes')),
u'ipa-ipa-trust': unicode(_('IPA trust range')),
}
takes_params = ( takes_params = (
Str('cn', Str('cn',
cli_name='name', cli_name='name',
@ -200,18 +209,23 @@ class idrange(LDAPObject):
flags=('no_search', 'virtual_attribute', 'no_update'), flags=('no_search', 'virtual_attribute', 'no_update'),
label=_('Name of the trusted domain'), label=_('Name of the trusted domain'),
), ),
Str('iparangetype?', StrEnum('iparangetype?',
label=_('Range type'), label=_('Range type'),
flags=['no_option'], cli_name='type',
doc=(_('ID range type, one of {vals}'
.format(vals=', '.join(range_types.keys())))),
values=tuple(range_types.keys()),
flags=['no_update'],
) )
) )
def handle_iparangetype(self, entry_attrs, options, keep_objectclass=False): def handle_iparangetype(self, entry_attrs, options, keep_objectclass=False):
if not options.get('pkey_only', False): if not any((options.get('pkey_only', False),
if 'ipatrustedaddomainrange' in entry_attrs.get('objectclass', []): options.get('raw', False))):
entry_attrs['iparangetype'] = [unicode(_('Active Directory domain range'))] range_type = entry_attrs['iparangetype'][0]
else: entry_attrs['iparangetype'] = self.range_types.get(range_type, None)
entry_attrs['iparangetype'] = [unicode(_(u'local domain range'))]
# Remove the objectclass
if not keep_objectclass: if not keep_objectclass:
if not options.get('all', False) or options.get('pkey_only', False): if not options.get('all', False) or options.get('pkey_only', False):
entry_attrs.pop('objectclass', None) entry_attrs.pop('objectclass', None)
@ -418,7 +432,21 @@ class idrange_add(LDAPCreate):
'not be found. Please specify the SID directly ' 'not be found. Please specify the SID directly '
'using dom-sid option.')) 'using dom-sid option.'))
# ipaNTTrustedDomainSID attribute set, this is AD Trusted domain range
if is_set('ipanttrusteddomainsid'): if is_set('ipanttrusteddomainsid'):
entry_attrs['objectclass'].append('ipatrustedaddomainrange')
# Default to ipa-ad-trust if no type set
if 'iparangetype' not in entry_attrs:
entry_attrs['iparangetype'] = u'ipa-ad-trust'
if entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
u'ipa-ad-trust-posix'):
raise errors.ValidationError('ID Range setup',
error=_('IPA Range type must be one of ipa-ad-trust '
'or ipa-ad-trust-posix when SID of the trusted '
'domain is specified.'))
if is_set('ipasecondarybaserid'): if is_set('ipasecondarybaserid'):
raise errors.ValidationError(name='ID Range setup', raise errors.ValidationError(name='ID Range setup',
error=_('Options dom-sid/dom-name and secondary-rid-base ' error=_('Options dom-sid/dom-name and secondary-rid-base '
@ -431,11 +459,24 @@ class idrange_add(LDAPCreate):
# Validate SID as the one of trusted domains # Validate SID as the one of trusted domains
self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid']) self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid'])
# Finally, add trusted AD domain range object class
entry_attrs['objectclass'].append('ipatrustedaddomainrange')
# ipaNTTrustedDomainSID attribute not set, this is local domain range
else: else:
# secondary base rid must be set if and only if base rid is set entry_attrs['objectclass'].append('ipadomainidrange')
# Default to ipa-local if no type set
if 'iparangetype' not in entry_attrs:
entry_attrs['iparangetype'] = 'ipa-local'
# TODO: can also be ipa-ad-winsync here?
if entry_attrs['iparangetype'] in (u'ipa-ad-trust',
u'ipa-ad-trust-posix'):
raise errors.ValidationError('ID Range setup',
error=_('IPA Range type must not be one of ipa-ad-trust '
'or ipa-ad-trust-posix when SID of the trusted '
'domain is not specified.'))
# secondary base rid must be set if and only if base rid is set
if is_set('ipasecondarybaserid') != is_set('ipabaserid'): if is_set('ipasecondarybaserid') != is_set('ipabaserid'):
raise errors.ValidationError(name='ID Range setup', raise errors.ValidationError(name='ID Range setup',
error=_('Options secondary-rid-base and rid-base must ' error=_('Options secondary-rid-base and rid-base must '
@ -451,13 +492,12 @@ class idrange_add(LDAPCreate):
error=_("Primary RID range and secondary RID range" error=_("Primary RID range and secondary RID range"
" cannot overlap")) " cannot overlap"))
entry_attrs['objectclass'].append('ipadomainidrange')
return dn return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options): def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN) assert isinstance(dn, DN)
self.obj.handle_iparangetype(entry_attrs, options, keep_objectclass=True) self.obj.handle_iparangetype(entry_attrs, options,
keep_objectclass=True)
return dn return dn
class idrange_del(LDAPDelete): class idrange_del(LDAPDelete):