Add --range-type option that forces range type of the trusted domain
Adds --range-type option to ipa trust-add command. It takes two allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'. When --range-type option is not specified, the range type should be determined by ID range discovery. https://fedorahosted.org/freeipa/ticket/3650
parent
fb166e8f5c
commit
e4437a3e7f
3
API.txt
3
API.txt
@ -3278,12 +3278,13 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
|
|||||||
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
|
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
|
||||||
output: Output('value', <type 'unicode'>, None)
|
output: Output('value', <type 'unicode'>, None)
|
||||||
command: trust_add
|
command: trust_add
|
||||||
args: 1,12,3
|
args: 1,13,3
|
||||||
arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True)
|
arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True)
|
||||||
option: Str('addattr*', cli_name='addattr', exclude='webui')
|
option: Str('addattr*', cli_name='addattr', exclude='webui')
|
||||||
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
|
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
|
||||||
option: Int('base_id?', cli_name='base_id')
|
option: Int('base_id?', cli_name='base_id')
|
||||||
option: Int('range_size?', autofill=True, cli_name='range_size', default=200000)
|
option: Int('range_size?', autofill=True, cli_name='range_size', default=200000)
|
||||||
|
option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust'))
|
||||||
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
|
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
|
||||||
option: Str('realm_admin?', cli_name='admin')
|
option: Str('realm_admin?', cli_name='admin')
|
||||||
option: Password('realm_passwd?', cli_name='password', confirm=False)
|
option: Password('realm_passwd?', cli_name='password', confirm=False)
|
||||||
|
2
VERSION
2
VERSION
@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000
|
|||||||
# #
|
# #
|
||||||
########################################################
|
########################################################
|
||||||
IPA_API_VERSION_MAJOR=2
|
IPA_API_VERSION_MAJOR=2
|
||||||
IPA_API_VERSION_MINOR=60
|
IPA_API_VERSION_MINOR=61
|
||||||
|
@ -458,12 +458,12 @@ class idrange_add(LDAPCreate):
|
|||||||
entry_attrs['objectclass'].append('ipatrustedaddomainrange')
|
entry_attrs['objectclass'].append('ipatrustedaddomainrange')
|
||||||
|
|
||||||
# Default to ipa-ad-trust if no type set
|
# Default to ipa-ad-trust if no type set
|
||||||
if 'iparangetype' not in entry_attrs:
|
if not is_set('iparangetype'):
|
||||||
entry_attrs['iparangetype'] = u'ipa-ad-trust'
|
entry_attrs['iparangetype'] = u'ipa-ad-trust'
|
||||||
|
|
||||||
if entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
|
if entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
|
||||||
u'ipa-ad-trust-posix'):
|
u'ipa-ad-trust-posix'):
|
||||||
raise errors.ValidationError('ID Range setup',
|
raise errors.ValidationError(name='ID Range setup',
|
||||||
error=_('IPA Range type must be one of ipa-ad-trust '
|
error=_('IPA Range type must be one of ipa-ad-trust '
|
||||||
'or ipa-ad-trust-posix when SID of the trusted '
|
'or ipa-ad-trust-posix when SID of the trusted '
|
||||||
'domain is specified.'))
|
'domain is specified.'))
|
||||||
|
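Review bot: The comment `# Default to ipa-ad-trust if no type set` no longer describes what the new condition tests. `is_set` is defined outside this hunk, and moving away from the plain key test suggests it also treats a present-but-empty value as unset, which is what trust-add now sends through `iparangetype=options.get('range_type')` when --range-type is omitted. I would spell that out, e.g. `# Default to ipa-ad-trust when iparangetype is absent or None (trust-add without --range-type)`. The commit message says the type should come from ID range discovery in that case, so the comment should also say that this default decides whether the trusted domain's range is treated as one with POSIX attributes. The enclosing callback of idrange_add starts and ends outside the hunk.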
@ -259,6 +259,12 @@ this will cause change to trust relationship credentials on both
|
|||||||
sides.
|
sides.
|
||||||
''')
|
''')
|
||||||
|
|
||||||
|
range_types = {
|
||||||
|
u'ipa-ad-trust': unicode(_('Active Directory domain range')),
|
||||||
|
u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with '
|
||||||
|
'POSIX attributes')),
|
||||||
|
}
|
||||||
|
|
||||||
takes_options = LDAPCreate.takes_options + (
|
takes_options = LDAPCreate.takes_options + (
|
||||||
_trust_type_option,
|
_trust_type_option,
|
||||||
Str('realm_admin?',
|
Str('realm_admin?',
|
||||||
@ -289,6 +295,13 @@ sides.
|
|||||||
default=DEFAULT_RANGE_SIZE,
|
default=DEFAULT_RANGE_SIZE,
|
||||||
autofill=True
|
autofill=True
|
||||||
),
|
),
|
||||||
|
StrEnum('range_type?',
|
||||||
|
label=_('Range type'),
|
||||||
|
cli_name='range_type',
|
||||||
|
doc=(_('Type of trusted domain ID range, one of {vals}'
|
||||||
|
.format(vals=', '.join(range_types.keys())))),
|
||||||
|
values=tuple(range_types.keys()),
|
||||||
|
),
|
||||||
)
|
)
|
||||||
|
|
||||||
msg_summary = _('Added Active Directory trust for realm "%(value)s"')
|
msg_summary = _('Added Active Directory trust for realm "%(value)s"')
|
||||||
@ -388,13 +401,27 @@ sides.
|
|||||||
def validate_range(self, *keys, **options):
|
def validate_range(self, *keys, **options):
|
||||||
# If a range for this trusted domain already exists,
|
# If a range for this trusted domain already exists,
|
||||||
# '--base-id' or '--range-size' options should not be specified
|
# '--base-id' or '--range-size' options should not be specified
|
||||||
range_name = keys[-1].upper()+'_id_range'
|
range_name = keys[-1].upper() + '_id_range'
|
||||||
|
range_type = options.get('range_type')
|
||||||
|
|
||||||
try:
|
try:
|
||||||
old_range = api.Command['idrange_show'](range_name)
|
old_range = api.Command['idrange_show'](range_name, raw=True)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
old_range = None
|
old_range = None
|
||||||
|
|
||||||
|
if options.get('type') == u'ad':
|
||||||
|
if range_type and range_type not in (u'ipa-ad-trust',
|
||||||
|
u'ipa-ad-trust-posix'):
|
||||||
|
raise errors.ValidationError(
|
||||||
|
name=_('id range type'),
|
||||||
|
error=_(
|
||||||
|
'Only the ipa-ad-trust and ipa-ad-trust-posix are '
|
||||||
|
'allowed values for --range-type when adding an AD '
|
||||||
|
'trust.'
|
||||||
|
)
|
||||||
|
|
||||||
|
)
|
||||||
|
|
||||||
base_id = options.get('base_id')
|
base_id = options.get('base_id')
|
||||||
range_size = options.get('range_size') != DEFAULT_RANGE_SIZE
|
range_size = options.get('range_size') != DEFAULT_RANGE_SIZE
|
||||||
|
|
||||||
@ -420,6 +447,7 @@ sides.
|
|||||||
|
|
||||||
if old_range:
|
if old_range:
|
||||||
old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0]
|
old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0]
|
||||||
|
old_range_type = old_range['result']['iparangetype'][0]
|
||||||
|
|
||||||
if old_dom_sid != dom_sid:
|
if old_dom_sid != dom_sid:
|
||||||
raise errors.ValidationError(
|
raise errors.ValidationError(
|
||||||
@ -431,6 +459,13 @@ sides.
|
|||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
if range_type and range_type != old_range_type:
|
||||||
|
raise errors.ValidationError(name=_('range type change'),
|
||||||
|
error=_('ID range for the trusted domain already exists, '
|
||||||
|
'but it has a different type. Please remove the '
|
||||||
|
'old range manually, or do not enforce type '
|
||||||
|
'via --range-type option.'))
|
||||||
|
|
||||||
return old_range, range_name, dom_sid
|
return old_range, range_name, dom_sid
|
||||||
|
|
||||||
def add_range(self, range_name, dom_sid, **options):
|
def add_range(self, range_name, dom_sid, **options):
|
||||||
@ -448,6 +483,7 @@ sides.
|
|||||||
ipabaseid=base_id,
|
ipabaseid=base_id,
|
||||||
ipaidrangesize=options['range_size'],
|
ipaidrangesize=options['range_size'],
|
||||||
ipabaserid=0,
|
ipabaserid=0,
|
||||||
|
iparangetype=options.get('range_type'),
|
||||||
ipanttrusteddomainsid=dom_sid)
|
ipanttrusteddomainsid=dom_sid)
|
||||||
|
|
||||||
def execute_ad(self, full_join, *keys, **options):
|
def execute_ad(self, full_join, *keys, **options):
|
||||||
|
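Review bot: In the new `StrEnum('range_type?', ...)` option the `.format(vals=...)` call sits inside `_()`, so the translation lookup gets the already expanded string while the string extractors see the literal containing `{vals}`; the help text will most likely never match a catalogue entry. A static msgid avoids that, e.g. `doc=_('Type of trusted domain ID range, one of ipa-ad-trust, ipa-ad-trust-posix'),`. `range_types.keys()` also leaves the order of `values` (and of the API.txt line) to dict iteration order; `values=tuple(sorted(range_types))` would make it stable. Separately, validate_range repeats the two type names as a literal tuple instead of testing against `self.range_types`, so the allow-list for a setting that controls ID mapping now lives in three places, including idrange_add.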