Hi, This patch adds validation of the SID of a trusted domain when adding or modifying an ID range for that domain. We only allow creating ranges for trusted domains when the trust is already established -- the default range is created automatically right after the trust is added.
https://fedorahosted.org/freeipa/ticket/3087 -- / Alexander Bokovoy
>From c8859d449b65be67841c96c81f7f64f8c27b06b1 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Wed, 19 Sep 2012 19:09:22 +0300 Subject: [PATCH] validate SID for trusted domain when adding/modifying ID range https://fedorahosted.org/freeipa/ticket/3087 --- ipalib/plugins/idrange.py | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: + try: + import ipaserver.dcerpc + _dcerpc_bindings_installed = True + except Exception, e: + _dcerpc_bindings_installed = False __doc__ = _(""" ID ranges @@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are used for users and groups. """) +def validate_trusted_domain_sid(self, sid): + if not _dcerpc_bindings_installed: + raise errors.NotFound(name=_('ID Range setup'), + reason=_('''Cannot perform SID validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) + domain_validator = ipaserver.dcerpc.DomainValidator(self.api) + if not domain_validator.is_configured(): + raise errors.NotFound(name=_('ID Range setup'), + reason=_('''Cross-realm trusts are not configured.. + Make sure you have run ipa-adtrust-install on the IPA server first''')) + if not domain_validator.is_trusted_sid_valid(sid): + raise errors.ValidationError(name=_('ID Range setup'), + error=_('SID is not recognized as a valid SID from a trusted domain')) + + class idrange(LDAPObject): """ Range object. 
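Review bot: The conditional import in the first hunk catches `Exception` and binds an unused `e`, so any failure inside `ipaserver.dcerpc` other than a missing module (a broken binding, an import-time error in the package) is silently folded into the later "Samba 4 support not installed" NotFound message; narrowing it to `except ImportError:` keeps those real errors visible while still handling the absent sub-package. Because the whole `if api.env.in_server ...` block is skipped outside the server context, `_dcerpc_bindings_installed` is never defined there, and `validate_trusted_domain_sid` would raise NameError instead of the intended NotFound if it were ever reached from such a context; defining `_dcerpc_bindings_installed = False` unconditionally before the `if` removes that edge. Whether `api` is already in scope in this module cannot be seen from the hunk.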
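Review bot: `validate_trusted_domain_sid` in the second hunk is a module-level function whose first parameter is named `self` but is only used for `self.api`, which makes call sites like `validate_trusted_domain_sid(self, ...)` read as a method call on the wrong object; naming the parameter for what it is, `def validate_trusted_domain_sid(cmd, sid):` with `ipaserver.dcerpc.DomainValidator(cmd.api)`, or attaching it to the `idrange` object so commands call `self.obj.validate_trusted_domain_sid(sid)`, would be clearer. The function has no docstring; I would add one stating that it raises NotFound when the dcerpc bindings or the trust configuration are absent and ValidationError when the SID is not recognised as belonging to an established trust, which the add and mod hunks appear to rely on to reject the SID before the entry is written. The 'Cross-realm trusts are not configured..' message has a doubled period. Whether `is_trusted_sid_valid` also checks the SID's syntax, or only its membership in the set of trusted domains, is not visible here.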
@@ -287,6 +308,9 @@ class idrange_add(LDAPCreate): error=_('Options dom_sid and rid_base must ' \ 'be used together')) + # Validate SID as the one of trusted domains + validate_trusted_domain_sid(self, options['ipanttrusteddomainsid']) + # Finally, add trusted AD domain range object class entry_attrs['objectclass'].append('ipatrustedaddomainrange') else: if (('ipasecondarybaserid' in options) != ('ipabaserid' in options)): @@ -366,6 +390,10 @@ class idrange_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) + if 'ipanttrusteddomainsid' in options: + # Validate SID as the one of trusted domains + validate_trusted_domain_sid(self, options['ipanttrusteddomainsid']) + old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) new_base_id = entry_attrs.get('ipabaseid') -- 1.7.12
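Review bot: The comment `# Validate SID as the one of trusted domains` above the new call in idrange_add does not say what is being enforced, and the same comment is repeated in the idrange_mod hunk below. I would replace both with `# Reject a dom_sid that does not belong to an already established trust` so the intent — ranges may only be created for, or repointed to, trusted domains — is visible at the call site. The call sits inside a branch whose condition is outside the hunk, and the enclosing callback starts and ends outside it as well.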
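Review bot: In the idrange_mod hunk the value handed to `validate_trusted_domain_sid` is taken straight from `options['ipanttrusteddomainsid']`, and the guard only tests for the key's presence; if the framework passes `None` for an option that was supplied but emptied, the validator receives `None` rather than a SID string, and what `is_trusted_sid_valid` does with that is not visible here. If clearing the attribute on an existing trusted-domain range is meant to be allowed, `if options.get('ipanttrusteddomainsid') is not None:` makes that explicit; if it is not, the `None` case should be rejected with a ValidationError before the DomainValidator is consulted. The enclosing callback continues outside the hunk on both sides.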