From e4437a3e7ffcb547a00a70614804dc35fefd630e Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 25 Jun 2013 14:25:44 +0200 Subject: [PATCH] Add --range-type option that forces range type of the trusted domain Adds --range-type option to ipa trust-add command. It takes two allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'. When --range-type option is not specified, the range type should be determined by ID range discovery. https://fedorahosted.org/freeipa/ticket/3650 --- API.txt | 3 ++- VERSION | 2 +- ipalib/plugins/idrange.py | 4 ++-- ipalib/plugins/trust.py | 40 +++++++++++++++++++++++++++++++++++++-- 4 files changed, 43 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 067955ef7..44b3dd444 100644 --- a/API.txt +++ b/API.txt @@ -3278,12 +3278,13 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: Output('value', , None) command: trust_add -args: 1,12,3 +args: 1,13,3 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Int('base_id?', cli_name='base_id') option: Int('range_size?', autofill=True, cli_name='range_size', default=200000) +option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust')) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('realm_admin?', cli_name='admin') option: Password('realm_passwd?', cli_name='password', confirm=False) diff --git a/VERSION b/VERSION index c713b18b7..8606d724e 100644 --- a/VERSION +++ b/VERSION @@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=60 +IPA_API_VERSION_MINOR=61 diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index f258cbb15..7f8c1ab7b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -458,12 +458,12 @@ class idrange_add(LDAPCreate): entry_attrs['objectclass'].append('ipatrustedaddomainrange') # Default to ipa-ad-trust if no type set - if 'iparangetype' not in entry_attrs: + if not is_set('iparangetype'): entry_attrs['iparangetype'] = u'ipa-ad-trust' if entry_attrs['iparangetype'] not in (u'ipa-ad-trust', u'ipa-ad-trust-posix'): - raise errors.ValidationError('ID Range setup', + raise errors.ValidationError(name='ID Range setup', error=_('IPA Range type must be one of ipa-ad-trust ' 'or ipa-ad-trust-posix when SID of the trusted ' 'domain is specified.')) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index d2b58399f..965ff76bb 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -259,6 +259,12 @@ this will cause change to trust relationship credentials on both sides. ''') + range_types = { + u'ipa-ad-trust': unicode(_('Active Directory domain range')), + u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with ' + 'POSIX attributes')), + } + takes_options = LDAPCreate.takes_options + ( _trust_type_option, Str('realm_admin?', @@ -289,6 +295,13 @@ sides. default=DEFAULT_RANGE_SIZE, autofill=True ), + StrEnum('range_type?', + label=_('Range type'), + cli_name='range_type', + doc=(_('Type of trusted domain ID range, one of {vals}' + .format(vals=', '.join(range_types.keys())))), + values=tuple(range_types.keys()), + ), ) msg_summary = _('Added Active Directory trust for realm "%(value)s"') @@ -388,13 +401,27 @@ sides. def validate_range(self, *keys, **options): # If a range for this trusted domain already exists, # '--base-id' or '--range-size' options should not be specified - range_name = keys[-1].upper()+'_id_range' + range_name = keys[-1].upper() + '_id_range' + range_type = options.get('range_type') try: - old_range = api.Command['idrange_show'](range_name) + old_range = api.Command['idrange_show'](range_name, raw=True) except errors.NotFound: old_range = None + if options.get('type') == u'ad': + if range_type and range_type not in (u'ipa-ad-trust', + u'ipa-ad-trust-posix'): + raise errors.ValidationError( + name=_('id range type'), + error=_( + 'Only the ipa-ad-trust and ipa-ad-trust-posix are ' + 'allowed values for --range-type when adding an AD ' + 'trust.' + ) + +) + base_id = options.get('base_id') range_size = options.get('range_size') != DEFAULT_RANGE_SIZE @@ -420,6 +447,7 @@ sides. if old_range: old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0] + old_range_type = old_range['result']['iparangetype'][0] if old_dom_sid != dom_sid: raise errors.ValidationError( @@ -431,6 +459,13 @@ sides. ) ) + if range_type and range_type != old_range_type: + raise errors.ValidationError(name=_('range type change'), + error=_('ID range for the trusted domain already exists, ' + 'but it has a different type. Please remove the ' + 'old range manually, or do not enforce type ' + 'via --range-type option.')) + return old_range, range_name, dom_sid def add_range(self, range_name, dom_sid, **options): @@ -448,6 +483,7 @@ sides. ipabaseid=base_id, ipaidrangesize=options['range_size'], ipabaserid=0, + iparangetype=options.get('range_type'), ipanttrusteddomainsid=dom_sid) def execute_ad(self, full_join, *keys, **options):