Hi,

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up the SID of the
trusted domain in LDAP, so the user is not required to enter it
on the CLI. If the lookup fails, an error message asking the user
to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133

Tomas
>From 72f8802953edaaf5b9f7c34a38601fbccd681c8e Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 4 Feb 2013 08:33:53 -0500
Subject: [PATCH] Add option to specify SID using domain name to
 idrange-add/mod

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up the SID of the
trusted domain in LDAP, so the user is not required to enter it
on the CLI. If the lookup fails, an error message asking the user
to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133
---
 ipalib/plugins/idrange.py | 78 +++++++++++++++++++++++++++++++++++++++++------
 ipaserver/dcerpc.py       | 10 ++++++
 2 files changed, 78 insertions(+), 10 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 84e1057ac6b59b8ad99882a54e3288897338c978..77a75e4cabc18ca873be7cadcf870427d5b36ea0 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -197,6 +197,11 @@ class idrange(LDAPObject):
             cli_name='dom_sid',
             label=_('Domain SID of the trusted domain'),
         ),
+        Str('ipanttrusteddomainname?',
+            cli_name='dom_name',
+            flags=('no_search', 'virtual_attribute'),
+            label=_('Name of the trusted domain'),
+        ),
         Str('iparangetype?',
             label=_('Range type'),
             flags=['no_option'],
@@ -265,17 +270,42 @@ class idrange(LDAPObject):
                     error=_('range modification leaving objects with ID out '
                             'of the defined range is not allowed'))
 
-    def validate_trusted_domain_sid(self, sid):
+    def get_domain_validator(self):
         if not _dcerpc_bindings_installed:
-            raise errors.NotFound(reason=_('Cannot perform SID validation without Samba 4 support installed. '
-                         'Make sure you have installed server-trust-ad sub-package of IPA on the server'))
+            raise errors.NotFound(reason=_('Cannot perform SID validation '
+                'without Samba 4 support installed. Make sure you have '
+                'installed server-trust-ad sub-package of IPA on the server'))
+
         domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+
         if not domain_validator.is_configured():
-            raise errors.NotFound(reason=_('Cross-realm trusts are not configured. '
-                          'Make sure you have run ipa-adtrust-install on the IPA server first'))
+            raise errors.NotFound(reason=_('Cross-realm trusts are not '
+                'configured. Make sure you have run ipa-adtrust-install '
+                'on the IPA server first'))
+
+        return domain_validator
+
+    def validate_trusted_domain_sid(self, sid):
+
+        domain_validator = self.get_domain_validator()
+
         if not domain_validator.is_trusted_sid_valid(sid):
             raise errors.ValidationError(name='domain SID',
-                  error=_('SID is not recognized as a valid SID for a trusted domain'))
+                  error=_('SID is not recognized as a valid SID for a '
+                          'trusted domain'))
+
+    def get_trusted_domain_sid_from_name(self, name):
+        """ Returns unicode string representation for given trusted domain name
+        or None if SID forthe given trusted domain name could not be found."""
+
+        domain_validator = self.get_domain_validator()
+
+        sid = domain_validator.get_sid_from_domain_name(name)
+
+        if sid is not None:
+            sid = unicode(sid)
+
+        return sid
 
     # checks that primary and secondary rid ranges do not overlap
     def are_rid_ranges_overlapping(self, rid_base, secondary_rid_base, size):
@@ -336,19 +366,33 @@ class idrange_add(LDAPCreate):
 
         is_set = lambda x: (x in entry_attrs) and (x is not None)
 
+        # This needs to stay in options since there is no
+        # ipanttrusteddomainname attribute in LDAP
+        if 'ipanttrusteddomainname' in options:
+            sid = self.obj.get_trusted_domain_sid_from_name(
+                options['ipanttrusteddomainname'])
+
+            if sid is not None:
+                entry_attrs['ipanttrusteddomainsid'] = sid
+            else:
+                raise errors.ValidationError(name='ID Range setup',
+                    error=_('SID for the specified trusted domain name could '
+                            'not be found. Please specify the SID directly '
+                            'using dom_sid option.'))
+
         if is_set('ipanttrusteddomainsid'):
             if is_set('ipasecondarybaserid'):
                 raise errors.ValidationError(name='ID Range setup',
-                    error=_('Options dom_sid and secondary_rid_base cannot '
+                    error=_('Options dom_sid/dom_name and secondary_rid_base cannot '
                             'be used together'))
 
             if not is_set('ipabaserid'):
                 raise errors.ValidationError(name='ID Range setup',
-                    error=_('Options dom_sid and rid_base must '
+                    error=_('Options dom_sid/dom_name and rid_base must '
                             'be used together'))
 
             # Validate SID as the one of trusted domains
-            self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid'])
+            self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid'])
             # Finally, add trusted AD domain range object class
             entry_attrs['objectclass'].append('ipatrustedaddomainrange')
 
@@ -436,6 +480,20 @@ class idrange_mod(LDAPUpdate):
 
         is_set = lambda x: (x in entry_attrs) and (x is not None)
 
+        # This needs to stay in options since there is no
+        # ipanttrusteddomainname attribute in LDAP
+        if 'ipanttrusteddomainname' in options:
+            sid = self.obj.get_trusted_domain_sid_from_name(
+                options['ipanttrusteddomainname'])
+
+            if sid is not None:
+                entry_attrs['ipanttrusteddomainsid'] = sid
+            else:
+                raise errors.ValidationError(name='ID Range setup',
+                    error=_('SID for the specified trusted domain name could '
+                            'not be found. Please specify the SID directly '
+                            'using dom_sid option.'))
+
         try:
             (old_dn, old_attrs) = ldap.get_entry(dn,
                                                 ['ipabaseid',
@@ -447,7 +505,7 @@ class idrange_mod(LDAPUpdate):
 
         if is_set('ipanttrusteddomainsid'):
             # Validate SID as the one of trusted domains
-            self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid'])
+            self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid'])
 
         # ensure that primary and secondary rid ranges do not overlap
         if all((base in entry_attrs) or (base in old_attrs)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 54a70defc9df52db58054d29c1c9f9189a88cabb..e66d80ad1010e9d928454cf09caff863856cadc6 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -185,6 +185,16 @@ class DomainValidator(object):
                 return True
         return False
 
+    def get_sid_from_domain_name(self, name):
+        """Returns binary representation of SID for the trusted domain name
+           or None if name is not in the list of trusted domains."""
+
+        domains = self.get_trusted_domains()
+        if name in domains:
+            return domains[name][1]
+        else:
+            return None
+
     def get_sid_trusted_domain_object(self, object_name):
         """Returns SID for the trusted domain object (user or group only)"""
         if not self.domain:
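Review bot: The lookup `if name in domains:` is an exact-match dictionary test on whatever key get_trusted_domains() uses, so a domain name typed in a different case than the stored one (domain names are case-insensitive) would presumably return None and the CLI would report that the SID could not be found; unless get_trusted_domains() already normalises its keys, compare case-insensitively, e.g. `domains = dict((k.lower(), v) for k, v in self.get_trusted_domains().iteritems())` followed by `return domains.get(name.lower(), (None, None))[1]`. The docstring also says "binary representation" of the SID while the idrange caller passes the result through `unicode()`; it should state exactly what `domains[name][1]` holds so that callers know whether a conversion is needed. get_trusted_domains() itself is outside this hunk, so the key format is inferred, not verified.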
-- 
1.8.1
