Hi, Sending rebased versions on top of current master.
Tomas
From 589be38f4e34fc759fc9aff580f2d17e0eae52bb Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Thu, 30 May 2013 14:02:44 +0200 Subject: [PATCH 61/63] Add ipaRangeType attribute to LDAP Schema This adds a new LDAP attribute ipaRangeType with OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema. ObjectClass ipaIDrange has been altered to require ipaRangeType attribute. Part of https://fedorahosted.org/freeipa/ticket/3647 --- install/share/60basev3.ldif | 3 ++- install/updates/62-ranges.update | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 435948faefb66870aba20248ef88fae90505609c..b84789e25d75033f18fa5b70f69d852ddf35b7ca 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif @@ -37,6 +37,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'Fi attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3') attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3') attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3') +attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) @@ -49,7 +50,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT objectClasses: (2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) -objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize $ ipaRangeType ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3') diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update index 79d5326d6000d038923b2a92dcdec98370fa90f4..c2eb6dca7077aebf56b06b39710b3c46db799aed 100644 --- a/install/updates/62-ranges.update +++ b/install/updates/62-ranges.update @@ -3,10 +3,12 @@ add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First va add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' ) add:objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $$ gidNumber $$ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) +replace:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )::(2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize $$ ipaRangeType ) X-ORIGIN 'IPA v3' ) dn: cn=ranges,cn=etc,$SUFFIX default: objectClass: top -- 1.8.1.4
From 8e811bb854ad6e12308ac80a230425dc64843138 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Thu, 30 May 2013 14:07:09 +0200 Subject: [PATCH 62/63] Add update plugin to fill in ipaRangeType attribute Previously, we deduced the range type from the range objectclass and filled in virtual attribute in post_callback phase. Having a ipaRangeType attributeType in schema, we need to fill the attribute values to ranges created in previous IPA versions. The plugin follows the same approach, setting ipa-local or ipa-ad-trust value to the ipaRangeType attribute according to the objectclass of the range. Part of https://fedorahosted.org/freeipa/ticket/3647 --- ipaserver/install/plugins/adtrust.py | 1 + ipaserver/install/plugins/update_idranges.py | 114 +++++++++++++++++++++++++++ 2 files changed, 115 insertions(+) create mode 100644 ipaserver/install/plugins/update_idranges.py diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py index 555a28b8f5333cae08e5f53d23b01f1093046eff..28358588b5693a8bb451f52a52bb8ef73747353b 100644 --- a/ipaserver/install/plugins/adtrust.py +++ b/ipaserver/install/plugins/adtrust.py @@ -62,6 +62,7 @@ class update_default_range(PostUpdate): 'cn:%s' % id_range_name, 'ipabaseid:%s' % id_range_base_id, 'ipaidrangesize:%s' % id_range_size, + 'iparangetype:ipa-local', ] updates = {} diff --git a/ipaserver/install/plugins/update_idranges.py b/ipaserver/install/plugins/update_idranges.py new file mode 100644 index 0000000000000000000000000000000000000000..a4dc06daf382cf132e2d28d14ced9efd01982ec5 --- /dev/null +++ b/ipaserver/install/plugins/update_idranges.py @@ -0,0 +1,114 @@ +# Authors: +# Tomas Babej <tba...@redhat.com> +# +# Copyright (C) 2013 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from ipaserver.install.plugins import MIDDLE +from ipaserver.install.plugins.baseupdate import PostUpdate +from ipalib import api, errors +from ipapython.dn import DN +from ipapython.ipa_log_manager import * + + +class update_idrange_type(PostUpdate): + """ + Update all ID ranges that do not have ipaRangeType attribute filled. + This applies to all ID ranges prior to IPA 3.3. + """ + + order = MIDDLE + + def execute(self, **options): + ldap = self.obj.backend + + base_dn = DN(api.env.container_ranges, api.env.basedn) + search_filter = ("(&(objectClass=ipaIDrange)(!(ipaRangeType=*)))") + root_logger.debug("update_idrange_type: search for ID ranges with no " + "type set") + + while True: + # Run the search in loop to avoid issues when LDAP limits are hit + # during update + + try: + (entries, truncated) = ldap.find_entries(search_filter, + ['objectclass'], base_dn, time_limit=0, size_limit=0) + + except errors.NotFound: + root_logger.debug("update_idrange_type: no ID range without " + "type set found") + return (False, False, []) + + except errors.ExecutionError, e: + root_logger.error("update_idrange_type: cannot retrieve list " + "of ranges with no type set: %s", e) + return (False, False, []) + + if not entries: + # No entry was returned, rather break than continue cycling + root_logger.debug("update_idrange_type: no ID range was " + "returned") + return (False, False, []) + + root_logger.debug("update_idrange_type: found %d " + "idranges to update, truncated: %s", + len(entries), truncated) + + error = False + + # Set the range type + for dn, entry in entries: + update = {} + + objectclasses = entry.get('objectclass', []) + if 'ipaTrustedADDomainRange' in objectclasses: + # NOTICE: assumes every AD range does not use POSIX + # attributes + update['ipaRangeType'] = 'ipa-ad-trust' + elif 'ipaDomainIDRange' in objectclasses: + update['ipaRangeType'] = 'ipa-local' + else: + update['ipaRangeType'] = 'unknown' + root_logger.error("update_idrange_type: could not detect " + "range type for entry: %s" % str(dn)) + root_logger.error("update_idrange_type: ID range type set " + "to 'unknown' for entry: %s" % str(dn)) + + try: + ldap.update_entry(dn, update) + except (errors.EmptyModlist, errors.NotFound): + pass + except errors.ExecutionError, e: + root_logger.debug("update_idrange_type: cannot " + "update idrange type: %s", e) + error = True + + if error: + # Exit loop to avoid infinite cycles + root_logger.error("update_idrange_type: error(s) " + "detected during idrange type update") + return (False, False, []) + + elif not truncated: + # All affected entries updated, exit the loop + root_logger.debug("update_idrange_type: all affected idranges " + "were assigned types") + return (False, False, []) + + return (False, False, []) + +api.register(update_idrange_type) -- 1.8.1.4
From eb5c22d69a33c60e12cefdd9649b3115b6322178 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Thu, 30 May 2013 14:12:52 +0200 Subject: [PATCH 63/63] Extend idrange commands to support new range origin types Following values of ipaRangeType attribute are supported and translated accordingly in the idrange commands: 'ipa-local': 'local domain range' 'ipa-ad-winsync': 'Active Directory winsync range' 'ipa-ad-trust': 'Active Directory domain range' 'ipa-ad-trust-posix': 'Active Directory trust range with POSIX attributes' 'ipa-ipa-trust': 'IPA trust range' Part of https://fedorahosted.org/freeipa/ticket/3647 --- ipalib/plugins/idrange.py | 43 ++++++++++++++++++++++++++++++++----------- 1 file changed, 32 insertions(+), 11 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 22383ba9bab926318784b703bfb2c29d01cd5457..2ece848eb2fbf2e804717985a3bc70278bca9808 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -206,12 +206,22 @@ class idrange(LDAPObject): ) ) + range_types = { + 'ipa-local': unicode(_(u'local domain range')), + 'ipa-ad-winsync': unicode(_('Active Directory winsync range')), + 'ipa-ad-trust': unicode(_('Active Directory domain range')), + 'ipa-ad-trust-posix': unicode(_('Active Directory trust range with ' + 'POSIX attributes')), + 'ipa-ipa-trust': unicode(_('IPA trust range')), + } + def handle_iparangetype(self, entry_attrs, options, keep_objectclass=False): - if not options.get('pkey_only', False): - if 'ipatrustedaddomainrange' in entry_attrs.get('objectclass', []): - entry_attrs['iparangetype'] = [unicode(_('Active Directory domain range'))] - else: - entry_attrs['iparangetype'] = [unicode(_(u'local domain range'))] + if not any((options.get('pkey_only', False), + options.get('raw', False))): + range_type = entry_attrs['iparangetype'][0] + entry_attrs['iparangetype'] = self.range_types.get(range_type, None) + + # Remove the objectclass if not keep_objectclass: if not options.get('all', False) or options.get('pkey_only', False): entry_attrs.pop('objectclass', None) @@ -383,7 +393,11 @@ class idrange_add(LDAPCreate): 'not be found. Please specify the SID directly ' 'using dom-sid option.')) + # ipaNTTrustedDomainSID attribute set, this is AD Trusted domain range if is_set('ipanttrusteddomainsid'): + entry_attrs['objectclass'].append('ipatrustedaddomainrange') + entry_attrs['iparangetype'] = 'ipa-ad-trust' + if is_set('ipasecondarybaserid'): raise errors.ValidationError(name='ID Range setup', error=_('Options dom-sid/dom-name and secondary-rid-base ' @@ -396,11 +410,13 @@ class idrange_add(LDAPCreate): # Validate SID as the one of trusted domains self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid']) - # Finally, add trusted AD domain range object class - entry_attrs['objectclass'].append('ipatrustedaddomainrange') + # ipaNTTrustedDomainSID attribute not set, this is local domain range else: - # secondary base rid must be set if and only if base rid is set + entry_attrs['objectclass'].append('ipadomainidrange') + entry_attrs['iparangetype'] = 'ipa-local' + + # secondary base rid must be set if and only if base rid is set if is_set('ipasecondarybaserid') != is_set('ipabaserid'): raise errors.ValidationError(name='ID Range setup', error=_('Options secondary-rid-base and rid-base must ' @@ -416,15 +432,15 @@ class idrange_add(LDAPCreate): error=_("Primary RID range and secondary RID range" " cannot overlap")) - entry_attrs['objectclass'].append('ipadomainidrange') - return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) - self.obj.handle_iparangetype(entry_attrs, options, keep_objectclass=True) + self.obj.handle_iparangetype(entry_attrs, options, + keep_objectclass=True) return dn + class idrange_del(LDAPDelete): __doc__ = _('Delete an ID range.') @@ -459,6 +475,7 @@ class idrange_del(LDAPDelete): return dn + class idrange_find(LDAPSearch): __doc__ = _('Search for ranges.') @@ -478,6 +495,7 @@ class idrange_find(LDAPSearch): self.obj.handle_iparangetype(entry, options) return truncated + class idrange_show(LDAPRetrieve): __doc__ = _('Display information about a range.') @@ -491,6 +509,7 @@ class idrange_show(LDAPRetrieve): self.obj.handle_iparangetype(entry_attrs, options) return dn + class idrange_mod(LDAPUpdate): __doc__ = _('Modify ID range.') @@ -557,6 +576,7 @@ class idrange_mod(LDAPUpdate): # Add trusted AD domain range object class, if it wasn't there if not 'ipatrustedaddomainrange' in old_attrs['objectclass']: entry_attrs['objectclass'].append('ipatrustedaddomainrange') + entry_attrs['iparangetype'] = 'ipa-ad-trust' else: # secondary base rid must be set if and only if base rid is set @@ -612,6 +632,7 @@ class idrange_mod(LDAPUpdate): self.obj.handle_iparangetype(entry_attrs, options) return dn + api.register(idrange) api.register(idrange_add) api.register(idrange_mod) -- 1.8.1.4
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel