Hi,

In ipa-adtrust-install, "adding RID bases" step would fail
if there was more than one local range defined. This can be a
common case if e.g. there are users that migrated from previous
IdM solution.

With this patch, we fail only if there are multiple local ranges
that do not have RID bases set.

Keep in mind that overlap checking is ensured by ipa-range-check
DS plugin.

https://fedorahosted.org/freeipa/ticket/3498

Tomas
From fd62902846b9cb8d81d0eb0dd19f9f33fa60feca Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 13 May 2013 13:19:12 +0200
Subject: [PATCH] Support multiple local domain ranges with RID base set

In ipa-adtrust-install, the "adding RID bases" step would fail
if there was more than one local range defined. This can be a
common case if e.g. there are users that migrated from a previous
IdM solution.

With this patch, we fail only if there are multiple local ranges
that do not have RID bases set.

Keep in mind that overlap checking is ensured by ipa-range-check
DS plugin.

https://fedorahosted.org/freeipa/ticket/3498
---
 ipaserver/install/adtrustinstance.py | 50 ++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 16 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index a47c80b3983f3086199353694ddb629e2c1c4492..d2929801b431625764e5b949349ab63d2caaf696 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -258,36 +258,54 @@ class ADTRUSTInstance(service.Service):
         """
 
         try:
-            res = self.admin_conn.get_entries(
+            # Get the ranges
+            ranges = self.admin_conn.get_entries(
                 DN(api.env.container_ranges, self.suffix),
                 ldap.SCOPE_ONELEVEL, "(objectclass=ipaDomainIDRange)")
-            if len(res) != 1:
-                root_logger.critical("Found more than one ID range for the " \
-                                     "local domain.")
-                raise RuntimeError("Too many ID ranges\n")
 
-            if res[0].single_value('ipaBaseRID', None) or \
-               res[0].single_value('ipaSecondaryBaseRID', None):
+            # Filter out ranges where RID base is already set
+            no_rid_base_set = lambda r: not any((
+                                  r.single_value('ipaBaseRID', None),
+                                  r.single_value('ipaSecondaryBaseRID', None)))
+
+            ranges_with_no_rid_base = filter(no_rid_base_set, ranges)
+
+            # Return if no range is without RID base
+            if len(ranges_with_no_rid_base) == 0:
                 self.print_msg("RID bases already set, nothing to do")
                 return
 
-            size = res[0].single_value('ipaIDRangeSize', None)
+            # Abort if RID base needs to be added to more than one range
+            if len(ranges_with_no_rid_base) != 1:
+                root_logger.critical("Found more than one local domain ID "
+                                     "range with no RID base set.")
+                raise RuntimeError("Too many ID ranges\n")
+
+            # Abort if RID bases are too close
+            local_range = ranges_with_no_rid_base[0]
+            size = local_range.single_value('ipaIDRangeSize', None)
+
             if abs(self.rid_base - self.secondary_rid_base) > size:
-                self.print_msg("Primary and secondary RID base are too close. " \
+                self.print_msg("Primary and secondary RID base are too close. "
                       "They have to differ at least by %d." % size)
                 raise RuntimeError("RID bases too close.\n")
 
+            # Modify the range
+            # If the RID bases would cause overlap with some other range,
+            # this will be detected by ipa-range-check DS plugin
             try:
-                self.admin_conn.modify_s(res[0].dn,
-                                         [(ldap.MOD_ADD, "ipaBaseRID", \
-                                                 str(self.rid_base)), \
-                                         (ldap.MOD_ADD, "ipaSecondaryBaseRID", \
+                self.admin_conn.modify_s(local_range.dn,
+                                         [(ldap.MOD_ADD, "ipaBaseRID",
+                                                 str(self.rid_base)),
+                                         (ldap.MOD_ADD, "ipaSecondaryBaseRID",
                                                  str(self.secondary_rid_base))])
-            except:
-                self.print_msg("Failed to add RID bases to the local range object")
+            except ldap.CONSTRAINT_VIOLATION, e:
+                self.print_msg("Failed to add RID bases to the local range "
+                               "object:\n  %s" % e[0]['info'])
+                raise RuntimeError("Constraint violation.\n")
 
         except errors.NotFound as e:
-            root_logger.critical("ID range of the local domain not found, " \
+            root_logger.critical("ID range of the local domain not found, "
                                  "define it and run again.")
             raise e
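Review bot: `ranges_with_no_rid_base` is the return value of `filter()`, which is a list only on Python 2 — the two `len()` calls and the `[0]` index that follow would raise TypeError on Python 3 where `filter()` yields a lazy iterator; a list comprehension states the intent and is portable, `ranges_with_no_rid_base = [r for r in ranges if no_rid_base_set(r)]` (and `def no_rid_base_set(r):` instead of a named lambda reads better). `size` is still read with a `None` default and then used in `abs(self.rid_base - self.secondary_rid_base) > size` and `"%d" % size`, so a range entry without `ipaIDRangeSize` fails with a TypeError in the message formatting rather than a clear diagnostic; a guard such as `if size is None: raise RuntimeError("Local range has no ipaIDRangeSize set.\n")` before the comparison would fix that. The new `except ldap.CONSTRAINT_VIOLATION` handler indexes `e[0]['info']`, which presumably relies on the server always attaching an info string to the violation — if it does not, the handler itself raises KeyError and the "Failed to add RID bases" message is lost, so `e[0].get('info', e)` would be safer. The comment above the modify call would also help the reader if it noted that overlap detection holds only while the ipa-range-check plugin is enabled on the DS side, e.g. `# Overlap with other ranges is not checked here; the ipa-range-check DS plugin rejects it with CONSTRAINT_VIOLATION.` The enclosing method begins before the hunk.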
 
-- 
1.8.1.4
