Hi,

Adds --use-posix option to ipa trust-add command. It takes two
allowed values:
'yes' : the 'ipa-ad-trust-posix' range type is enforced
'no' : the 'ipa-ad-trust' range type is enforced

When --use-posix option is not specified, the range type should be
determined by ID range discovery.

https://fedorahosted.org/freeipa/ticket/3650

Tomas
From 58e1c5892125bcef70b204562fd0824c181809e1 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 5 Jun 2013 11:51:27 +0200
Subject: [PATCH] Add --use-posix option that forces trusted range type

Adds --use-posix option to ipa trust-add command. It takes two
allowed values:
  'yes' : the 'ipa-ad-trust-posix' range type is enforced
  'no'  : the 'ipa-ad-trust' range type is enforced

When --use-posix option is not specified, the range type should be
determined by ID range discovery.

https://fedorahosted.org/freeipa/ticket/3650
---
 API.txt                 |  3 ++-
 ipalib/plugins/trust.py | 42 +++++++++++++++++++++++++++++++++---------
 2 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/API.txt b/API.txt
index 0a4b356e6f8a66d785e222f5941ff65a3cb484b7..9dff02906fddd9078519b11610c8930bdfe32070 100644
--- a/API.txt
+++ b/API.txt
@@ -3340,7 +3340,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('value', <type 'unicode'>, None)
 command: trust_add
-args: 1,12,3
+args: 1,13,3
 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -3353,6 +3353,7 @@ option: Str('realm_server?', cli_name='server')
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Password('trust_secret?', cli_name='trust_secret', confirm=False)
 option: StrEnum('trust_type', autofill=True, cli_name='type', default=u'ad', values=(u'ad',))
+option: StrEnum('use_posix?', cli_name='use_posix', values=(u'yes', u'no'))
 option: Str('version?', exclude='webui')
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 3cb0ed98005ae5bd11b39f8ae01c9470d1bfc9c4..db72f005595f4e1e992be588725cff72669403fa 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -290,6 +290,12 @@ sides.
             default=200000,
             autofill=True
         ),
+        StrEnum('use_posix?',
+                cli_name='use_posix',
+                label=_('Use POSIX attributes in ID range for the '
+                        'trusted domain'),
+                values=(u'yes', u'no'),
+        ),
     )
 
     msg_summary = _('Added Active Directory trust for realm "%(value)s"')
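Review bot: The new `use_posix?` StrEnum carries a `label` but no `doc=`, so `ipa trust-add --help` will not explain what `yes` and `no` enforce or that omitting the option leaves the range type to ID range discovery. The commit message already has that wording; a `doc=_(...)` on the parameter stating the two enforced range types and the discovery default would make it visible at the CLI. The enclosing `takes_options` tuple begins outside the hunk.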
@@ -330,23 +336,40 @@ sides.
         dom_sid = new_obj['result']['ipanttrusteddomainsid'][0];
 
         range_name = keys[-1].upper()+'_id_range'
+        range_type = None
+
+        # Force the given range type if --use-posix option was used
+        if 'use_posix' in options:
+            if options['use_posix'] == 'yes':
+                range_type = u'ipa-ad-trust-posix'
+            elif options['use_posix'] == 'no':
+                range_type = u'ipa-ad-trust'
 
         try:
-            old_range = api.Command['idrange_show'](range_name)
+            old_range = api.Command['idrange_show'](range_name, raw=True)
         except errors.NotFound, e:
             old_range = None
 
         if old_range:
-            old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0];
+            old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0]
+            old_range_type = old_range['result']['iparangetype'][0]
 
-            if old_dom_sid == dom_sid:
-                return
-
-            raise errors.ValidationError(name=_('range exists'),
-                    error=_('ID range with the same name but different ' \
-                            'domain SID already exists. The ID range for ' \
+            if old_dom_sid != dom_sid:
+                raise errors.ValidationError(name=_('range exists'),
+                    error=_('ID range with the same name but different '
+                            'domain SID already exists. The ID range for '
                             'the new trusted domain must be created manually.'))
 
+            if range_type is not None:
+                if range_type != old_range_type:
+                    raise errors.ValidationError(name=_('range type change'),
+                        error=_('ID range for the trusted domain already exists, '
+                                'but it has a different type. Please remove the '
+                                'old range manually, or do not enforce type '
+                                'via --use-posix option.'))
+
+            return
+
         if 'base_id' in options:
             base_id = options['base_id']
         else:
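Review bot: `old_range['result']['iparangetype'][0]` is indexed unconditionally, so a pre-existing range whose raw entry lacks `iparangetype` (if ranges created before that attribute existed can omit it — I cannot confirm that from here) would surface as a KeyError instead of a ValidationError; reading it as `old_range['result'].get('iparangetype', [None])[0]` keeps the comparison and turns the missing case into the 'range type change' error when a type is enforced. The nested test can be a single condition, `if range_type is not None and range_type != old_range_type:`. Since the previous code returned only when the SID matched, a comment above the new unconditional `return` would help, e.g. `# Existing range is compatible (same SID and, if enforced, same type): nothing to add`. The enclosing method starts and ends outside the hunk.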
@@ -357,7 +380,8 @@ sides.
                                    ipabaseid=base_id,
                                    ipaidrangesize=options['range_size'],
                                    ipabaserid=0,
-                                   ipanttrusteddomainsid=dom_sid)
+                                   ipanttrusteddomainsid=dom_sid,
+                                   iparangetype=range_type)
 
     def execute_ad(self, *keys, **options):
         # Join domain using full credentials and with random trustdom
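Review bot: `iparangetype=range_type` forwards an explicit `None` to idrange_add whenever `--use-posix` is absent. The commit message says ID range discovery should choose the type in that case, but nothing in this patch shows idrange_add treating `None` as "not given", so either confirm it does or collect the keyword arguments in a dict and add `iparangetype` only when `range_type is not None`. The idrange_add call starts outside the hunk.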
-- 
1.8.1.4
