ticket: https://fedorahosted.org/freeipa/ticket/4221

== [PATCH] 773 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type ==

We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.

Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.

No schema change is done.

== [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges ==

== [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges ==

New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix

https://fedorahosted.org/freeipa/ticket/4221

== [PATCH] 776 idrange: include raw range type in output ==

iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers

Solved by new iparangetyperaw output attribute which contains iparangetype's raw value

Note: I don't like this approach. It would be better to return just the raw value and do the transformation in clients. But we do have a precedent: http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html

== [PATCH] 777 webui: prohibit setting rid base with ipa-trust-ad-posix type ==

Base RID is no longer editable for ipa-trust-ad-posix range type

Adder dialog:
- Range type selector was moved up because it affects a field above it

Details page:
- Only fields relevant to range's type are visible

https://fedorahosted.org/freeipa/ticket/4221
--
Petr Vobornik
From 1bda87528855aaf4ad9b18a31479c8b2a353bd92 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Wed, 3 Sep 2014 17:23:33 +0200
Subject: [PATCH] webui: prohibit setting rid base with ipa-trust-ad-posix type

Base RID is no longer editable for ipa-trust-ad-posix range type

Adder dialog:
- Range type selector was moved up because it affects a field above it

Details page:
- Only fields relevant to range's type are visible

https://fedorahosted.org/freeipa/ticket/4221
---
 install/ui/src/freeipa/idrange.js | 77 ++++++++++++++++++++++++++++++---------
 1 file changed, 60 insertions(+), 17 deletions(-)

diff --git a/install/ui/src/freeipa/idrange.js b/install/ui/src/freeipa/idrange.js
index 12c0b288b766c059db6b844f445fb88b5821a1db..4e5dbfa00dcf80495d8a96f7fc961b9c6676691f 100644
--- a/install/ui/src/freeipa/idrange.js
+++ b/install/ui/src/freeipa/idrange.js
@@ -54,6 +54,11 @@ return {
                         'cn',
                         'iparangetype',
                         {
+                            name: 'iparangetyperaw',
+                            read_only: true,
+                            visible: false
+                        },
+                        {
                             name: 'ipabaseid',
                             label: '@i18n:objects.idrange.ipabaseid',
                             title: '@mo-param:idrange:ipabaseid:label'
@@ -80,6 +85,9 @@ return {
                         }
                     ]
                 }
+            ],
+            policies: [
+                exp.idrange_policy
             ]
         }
     ],
@@ -89,21 +97,6 @@ return {
                 name: 'cn'
             },
             {
-                name: 'ipabaseid',
-                label: '@i18n:objects.idrange.ipabaseid',
-                title: '@mo-param:idrange:ipabaseid:label'
-            },
-            {
-                name: 'ipaidrangesize',
-                label: '@i18n:objects.idrange.ipaidrangesize',
-                title: '@mo-param:idrange:ipaidrangesize:label'
-            },
-            {
-                name: 'ipabaserid',
-                label: '@i18n:objects.idrange.ipabaserid',
-                title: '@mo-param:idrange:ipabaserid:label'
-            },
-            {
                 name: 'iparangetype',
                 $type: 'radio',
                 label: '@i18n:objects.idrange.type',
@@ -125,6 +118,21 @@ return {
                 ]
             },
             {
+                name: 'ipabaseid',
+                label: '@i18n:objects.idrange.ipabaseid',
+                title: '@mo-param:idrange:ipabaseid:label'
+            },
+            {
+                name: 'ipaidrangesize',
+                label: '@i18n:objects.idrange.ipaidrangesize',
+                title: '@mo-param:idrange:ipaidrangesize:label'
+            },
+            {
+                name: 'ipabaserid',
+                label: '@i18n:objects.idrange.ipabaserid',
+                title: '@mo-param:idrange:ipabaserid:label'
+            },
+            {
                 name: 'ipasecondarybaserid',
                 label: '@i18n:objects.idrange.ipasecondarybaserid',
                 title: '@mo-param:idrange:ipasecondarybaserid:label'
@@ -147,7 +155,9 @@ IPA.idrange_adder_policy = function(spec) {
     The logic for enabling/requiring ipabaserid, ipasecondarybaserid and
     ipanttrusteddomainsid is as follows:
         1) for AD ranges (range type is ipa-ad-trust or ipa-ad-trust-posix):
-           * ipabaserid and ipanttrusteddomainsid are requred
+           * ipanttrusteddomainsid is required
+           * ipabaserid is required for ipa-ad-trust but disabled for
+             ipa-ad-trust-posix
            * ipasecondarybaserid is disabled
         2) for local ranges
            *  ipanttrusteddomainsid is disabled
@@ -206,7 +216,11 @@ IPA.idrange_adder_policy = function(spec) {
         var is_ad_range = (type_v === 'ipa-ad-trust' || type_v === 'ipa-ad-trust-posix');
 
         if (is_ad_range) {
-            require(baserid_f);
+            if (type_v === 'ipa-ad-trust') {
+                require(baserid_f);
+            } else {
+                disable(baserid_f);
+            }
             require(trusteddomainsid_f);
             disable(secondarybaserid_f);
         } else {
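Review bot: in the `ipa-ad-trust-posix` branch the hunk calls `disable(baserid_f)` but nothing visible clears a value the user may already have typed into the RID base field before switching the type radio; if `disable()` leaves the value in place and the field is still serialized, the adder sends a non-zero `ipabaserid` and the server now rejects it with 'Option rid-base must not be used when IPA range type is ipa-ad-trust-posix'. Consider resetting the field value in the `else` branch, or confirm that disabled fields are excluded from the add command and say so in a comment.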
@@ -230,6 +244,35 @@ IPA.idrange_adder_policy = function(spec) {
     return that;
 };
 
+exp.idrange_policy = function(spec) {
+
+    spec = spec || {};
+    var that = IPA.facet_policy(spec);
+
+    that.post_load = function() {
+        var type_f = that.container.fields.get_field('iparangetyperaw');
+        var widgets = that.container.widgets;
+        var type_v = type_f.get_value()[0];
+
+        var baserid = true;
+        var secrid = true;
+        var sid = true;
+
+        if (type_v === 'ipa-local') {
+            sid = false;
+        } else if (type_v === 'ipa-ad-trust-posix') {
+            baserid = secrid = false;
+        } else if (type_v === 'ipa-ad-trust') {
+            secrid = false;
+        }
+
+        widgets.get_widget('details.ipabaserid').set_visible(baserid);
+        widgets.get_widget('details.ipasecondarybaserid').set_visible(secrid);
+        widgets.get_widget('details.ipanttrusteddomainsid').set_visible(sid);
+    };
+    return that;
+};
+
 exp.entity_spec = make_spec();
 exp.register = function() {
     var e = reg.entity;
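Review bot: `post_load` reads `type_f.get_value()[0]` without checking that the `iparangetyperaw` field was populated; against a server that predates the 'idrange: include raw range type in output' patch in this series the attribute is absent, `type_v` is `undefined`, and all three widgets stay visible, which is a tolerable fallback but should be deliberate. A guard such as `if (!type_v) return;` with a comment would make the dependency on the new server attribute explicit, and a comment next to the hidden `iparangetyperaw` field in the details spec could state that it exists only to drive this policy.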
-- 
1.9.3

From 6dfa1baaa7603a0819302baa1bb2e99766adf312 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Wed, 15 Oct 2014 13:42:30 +0200
Subject: [PATCH] idrange: include raw range type in output

iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers

Solved by new iparangetyperaw output attribute which contains iparangetype's raw value
---
 ipalib/plugins/idrange.py                 | 1 +
 ipatests/test_xmlrpc/test_range_plugin.py | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 3078c882d538508aafa03012b7691b0ab6d76b34..ff5abfc094d96a27049c0bb3e65dd5c1797b0f28 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -241,6 +241,7 @@ class idrange(LDAPObject):
         if not any((options.get('pkey_only', False),
                     options.get('raw', False))):
             range_type = entry_attrs['iparangetype'][0]
+            entry_attrs['iparangetyperaw'] = [range_type]
             entry_attrs['iparangetype'] = [self.range_types.get(range_type, None)]
 
         # Remove the objectclass
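Review bot: `iparangetyperaw` is written into `entry_attrs` here, but the diff shows no matching `Param` in the `idrange` object's `takes_params`, so the attribute is undocumented in the API and may only show up in CLI output with `--all`. If the Web UI is the intended consumer, declare it as a `Str` param with the `no_option` flag so it is visible in the API definition but not settable. Note also that the value is skipped when `raw` or `pkey_only` is set, which the tests in this patch do not exercise.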
diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
index 03959dea5b02549c9e67685c9be5523a44088fe6..7230395d0518c2c8c411aaf56f18452fd7562f9d 100644
--- a/ipatests/test_xmlrpc/test_range_plugin.py
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
@@ -463,6 +463,7 @@ class test_range(Declarative):
                     ipabaserid=[unicode(testrange1_base_rid)],
                     ipasecondarybaserid=[unicode(testrange1_secondary_base_rid)],
                     ipaidrangesize=[unicode(testrange1_size)],
+                    iparangetyperaw=[u'ipa-local'],
                     iparangetype=[u'local domain range'],
                 ),
                 value=testrange1,
@@ -482,6 +483,7 @@ class test_range(Declarative):
                     ipabaserid=[unicode(testrange1_base_rid)],
                     ipasecondarybaserid=[unicode(testrange1_secondary_base_rid)],
                     ipaidrangesize=[unicode(testrange1_size)],
+                    iparangetyperaw=[u'ipa-local'],
                     iparangetype=[u'local domain range'],
                 ),
                 value=testrange1,
@@ -569,6 +571,7 @@ class test_range(Declarative):
                     ipabaserid=[unicode(testrange1_base_rid)],
                     ipasecondarybaserid=[unicode(testrange1_secondary_base_rid)],
                     ipaidrangesize=[u'90000'],
+                    iparangetyperaw=[u'ipa-local'],
                     iparangetype=[u'local domain range'],
                 ),
                 value=testrange1,
@@ -637,6 +640,7 @@ class test_range(Declarative):
                     ipabaserid=[unicode(testrange2_base_rid)],
                     ipasecondarybaserid=[unicode(testrange2_secondary_base_rid)],
                     ipaidrangesize=[unicode(testrange2_size)],
+                    iparangetyperaw=[u'ipa-local'],
                     iparangetype=[u'local domain range'],
                 ),
                 value=testrange2,
@@ -765,6 +769,7 @@ class test_range(Declarative):
                     ipabaserid=[u'0'],
                     ipaidrangesize=[unicode(domain7range1_size)],
                     ipanttrusteddomainsid=[unicode(domain7_sid)],
+                    iparangetyperaw=[u'ipa-ad-trust-posix'],
                     iparangetype=[u'Active Directory trust range with POSIX attributes'],
                 ),
                 value=unicode(domain7range1),
@@ -823,6 +828,7 @@ class test_range(Declarative):
                     ipabaserid=[u'0'],
                     ipaidrangesize=[unicode(domain3range2_size)],
                     ipanttrusteddomainsid=[unicode(domain3_sid)],
+                    iparangetyperaw=[u'ipa-ad-trust-posix'],
                     iparangetype=[u'Active Directory trust range with POSIX '
                                    'attributes'],
                 ),
@@ -888,6 +894,7 @@ class test_range(Declarative):
                     ipabaserid=[unicode(domain5range1_base_rid)],
                     ipaidrangesize=[unicode(domain2range1_size)],
                     ipanttrusteddomainsid=[unicode(domain2_sid)],
+                    iparangetyperaw=[u'ipa-ad-trust'],
                     iparangetype=[u'Active Directory domain range'],
                 ),
                 value=domain2range1,
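Review bot: every updated expectation covers the default, non-raw output path; there is no case asserting that `iparangetyperaw` is absent when `raw=True` or `pkey_only=True`, which is the branch the server hunk skips. Add one `idrange_show` case with `dict(raw=True)` whose expected result omits `iparangetyperaw`, so the two output modes cannot drift apart unnoticed.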
-- 
1.9.3

From ec47ae6569e6e285db0d08f6f960305296a351a7 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Mon, 13 Oct 2014 14:59:24 +0200
Subject: [PATCH] ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges

New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix

https://fedorahosted.org/freeipa/ticket/4221
---
 ipaserver/install/plugins/update_idranges.py | 83 +++++++++++++++++++++++++++-
 1 file changed, 82 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/update_idranges.py b/ipaserver/install/plugins/update_idranges.py
index 9e97c9f74570484a8bae82e99a7561350163a1b1..f4487689625bd9da10e373866eba0f3492299c9e 100644
--- a/ipaserver/install/plugins/update_idranges.py
+++ b/ipaserver/install/plugins/update_idranges.py
@@ -17,7 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins import MIDDLE, LAST
 from ipaserver.install.plugins.baseupdate import PostUpdate
 from ipalib import api, errors
 from ipapython.dn import DN
@@ -111,4 +111,85 @@ class update_idrange_type(PostUpdate):
 
         return (False, False, [])
 
+
+class update_idrange_baserid(PostUpdate):
+    """
+    Update ipa-ad-trust-posix ranges' base RID to 0. This applies to AD trust
+    posix ranges prior to IPA 4.1.
+    """
+
+    order = LAST
+
+    def execute(self, **options):
+        ldap = self.obj.backend
+
+        base_dn = DN(api.env.container_ranges, api.env.basedn)
+        search_filter = ("(&(objectClass=ipaTrustedADDomainRange)"
+                         "(ipaRangeType=ipa-ad-trust-posix)"
+                         "(!(ipaBaseRID=0)))")
+        root_logger.debug(
+            "update_idrange_baserid: search for ipa-ad-trust-posix ID ranges "
+            "with ipaBaseRID != 0"
+        )
+
+        while True:
+            # Run the search in loop to avoid issues when LDAP limits are hit
+            # during update
+
+            try:
+                (entries, truncated) = ldap.find_entries(
+                    search_filter,
+                    ['ipabaserid'], base_dn, time_limit=0, size_limit=0)
+
+            except errors.NotFound:
+                root_logger.debug("update_idrange_baserid: Trusted AD domain "
+                                  "range with posix attributes found")
+                return (False, False, [])
+
+            except errors.ExecutionError, e:
+                root_logger.error("update_idrange_baserid: cannot retrieve "
+                                  "list of affected ranges: %s", e)
+                return (False, False, [])
+
+            if not entries:
+                # No entry was returned, rather break than continue cycling
+                root_logger.debug("update_idrange_baserid: no ID range was "
+                                  "returned")
+                return (False, False, [])
+
+            root_logger.debug("update_idrange_baserid: found %d "
+                              "idranges possible to update, truncated: %s",
+                              len(entries), truncated)
+
+            error = False
+
+            # Set the range type
+            for entry in entries:
+                entry['ipabaserid'] = 0
+                try:
+                    root_logger.info("Updating existing idrange: %s" % (entry.dn))
+                    ldap.update_entry(entry)
+                    root_logger.info("Done")
+                except (errors.EmptyModlist, errors.NotFound):
+                    pass
+                except errors.ExecutionError, e:
+                    root_logger.debug("update_idrange_type: cannot "
+                                      "update idrange: %s", e)
+                    error = True
+
+            if error:
+                # Exit loop to avoid infinite cycles
+                root_logger.error("update_idrange_baserid: error(s) "
+                                  "detected during idrange baserid update")
+                return (False, False, [])
+
+            elif not truncated:
+                # All affected entries updated, exit the loop
+                root_logger.debug("update_idrange_baserid: all affected "
+                                  "idranges updated")
+                return (False, False, [])
+
+        return (False, False, [])
+
 api.register(update_idrange_type)
+api.register(update_idrange_baserid)
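Review bot: two log messages in the new class are wrong: the `errors.NotFound` handler logs 'Trusted AD domain range with posix attributes found' when the meaning is that none was found, and the `ExecutionError` handler inside the update loop is tagged `update_idrange_type:` although it lives in `update_idrange_baserid`. The comment `# Set the range type` above the loop is likewise stale (the loop sets the base RID), `root_logger.info("Updating existing idrange: %s" % (entry.dn))` should use logger argument formatting like the surrounding calls, and the final `return (False, False, [])` after `while True` is unreachable. The filter `(!(ipaBaseRID=0))` correctly restricts each pass to ranges that still need fixing, so the truncated-search loop cannot spin on entries already updated.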
-- 
1.9.3

From fbbc49d237b5b017b1a04d246c287d2e9bb790a3 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 14 Oct 2014 18:31:19 +0200
Subject: [PATCH] unittests: baserid for ipa-ad-trust-posix idranges

https://fedorahosted.org/freeipa/ticket/4221
---
 ipatests/test_xmlrpc/test_range_plugin.py | 162 ++++++++++++++++++++++++------
 1 file changed, 134 insertions(+), 28 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
index 349fb73649650f97c3a9464f7e49bbd44863e869..03959dea5b02549c9e67685c9be5523a44088fe6 100644
--- a/ipatests/test_xmlrpc/test_range_plugin.py
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
@@ -188,6 +188,23 @@ domain2range1_add = get_trusted_dom_range_dict(
     sid=domain2_sid
 )
 
+domain2range2 = u'domain2range2'
+domain2range2_base_id = id_shift + 10200
+domain2range2_size = 50
+domain2range2_base_rid = rid_shift + 10200
+domain2range2_type = u'ipa-ad-trust'
+
+domain2range2_dn = get_range_dn(name=domain2range2)
+
+domain2range2_add = get_trusted_dom_range_dict(
+    name=domain2range2,
+    base_id=domain2range2_base_id,
+    size=domain2range2_size,
+    rangetype=domain2range2_type,
+    base_rid=domain2range2_base_rid,
+    sid=domain2_sid
+)
+
 
 # Domain3 - Posix active AD domain, two posix ranges
 domain3 = u'domain3'
@@ -197,9 +214,9 @@ domain3_sid = u'S-1-5-21-1980929950-1830687243-1002863068'
 domain3_add = get_trusted_dom_dict(domain3, domain3_sid)
 
 domain3range1 = u'domain3range1'
-domain3range1_base_id = id_shift + 10200
+domain3range1_base_id = id_shift + 10300
 domain3range1_size = 50
-domain3range1_base_rid = rid_shift + 10200
+domain3range1_base_rid = 0
 domain3range1_type = u'ipa-ad-trust-posix'
 
 domain3range1_dn = get_range_dn(name=domain3range1)
@@ -214,9 +231,9 @@ domain3range1_add = get_trusted_dom_range_dict(
 )
 
 domain3range2 = u'domain3range2'
-domain3range2_base_id = id_shift + 10300
+domain3range2_base_id = id_shift + 10400
 domain3range2_size = 50
-domain3range2_base_rid = rid_shift + 10300
+domain3range2_base_rid = 0
 domain3range2_type = u'ipa-ad-trust-posix'
 
 domain3range2_dn = get_range_dn(name=domain3range2)
@@ -238,9 +255,9 @@ domain4_sid = u'S-1-5-21-2630044516-2228086573-3500008130'
 domain4_add = get_trusted_dom_dict(domain4, domain4_sid)
 
 domain4range1 = u'domain4range1'
-domain4range1_base_id = id_shift + 10400
+domain4range1_base_id = id_shift + 10500
 domain4range1_size = 50
-domain4range1_base_rid = rid_shift + 10400
+domain4range1_base_rid = 0
 domain4range1_type = u'ipa-ad-trust-posix'
 
 domain4range1_dn = get_range_dn(name=domain4range1)
@@ -262,9 +279,9 @@ domain5_sid = u'S-1-5-21-2936727573-1940715531-2353349748'
 domain5_add = get_trusted_dom_dict(domain5, domain5_sid)
 
 domain5range1 = u'domain5range1'
-domain5range1_base_id = id_shift + 10500
+domain5range1_base_id = id_shift + 10600
 domain5range1_size = 50
-domain5range1_base_rid = rid_shift + 10500
+domain5range1_base_rid = rid_shift + 10600
 domain5range1_type = u'ipa-ad-trust'
 
 domain5range1_dn = get_range_dn(name=domain5range1)
@@ -279,9 +296,9 @@ domain5range1_add = get_trusted_dom_range_dict(
 )
 
 domain5range2 = u'domain5range2'
-domain5range2_base_id = id_shift + 10600
+domain5range2_base_id = id_shift + 10700
 domain5range2_size = 50
-domain5range2_base_rid = rid_shift + 10600
+domain5range2_base_rid = rid_shift + 10700
 domain5range2_type = u'ipa-ad-trust'
 
 domain5range2_dn = get_range_dn(name=domain5range2)
@@ -303,9 +320,9 @@ domain6_sid = u'S-1-5-21-2824814446-180299986-1494994477'
 domain6_add = get_trusted_dom_dict(domain6, domain6_sid)
 
 domain6range1 = u'domain6range1'
-domain6range1_base_id = id_shift + 10700
+domain6range1_base_id = id_shift + 10800
 domain6range1_size = 50
-domain6range1_base_rid = rid_shift + 10700
+domain6range1_base_rid = rid_shift + 10800
 domain6range1_type = u'ipa-ad-trust'
 
 domain6range1_dn = get_range_dn(name=domain6range1)
@@ -319,6 +336,18 @@ domain6range1_add = get_trusted_dom_range_dict(
     sid=domain6_sid
 )
 
+# Domain7 - Posix active AD domain, invalid(defined) RID
+domain7 = u'domain7'
+domain7_dn = get_trust_dn(domain7)
+domain7_sid = u'S-1-5-21-2714542333-175454564-1645457223'
+domain7_add = get_trusted_dom_dict(domain7, domain7_sid)
+
+domain7range1 = u'domain7range1'
+domain7range1_base_id = id_shift + 10900
+domain7range1_size = 50
+domain7range1_base_rid = rid_shift + 10900
+domain7range1_type = u'ipa-ad-trust-posix'
+domain7range1_dn = get_range_dn(name=domain7range1)
 
 # Container for all trusted objects
 
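Review bot: the comment 'Domain7 - Posix active AD domain, invalid(defined) RID' is hard to parse; 'non-zero base RID, which must be rejected' states the fixture's purpose. Unlike the other domains there is no `domain7range1_add` dict, which is intentional because the range is created through `idrange_add` in the test body, but a one-line comment saying so would save the next reader a search.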
@@ -327,6 +356,27 @@ trust_container_add = dict(
     objectClass=["nsContainer", "top"]
     )
 
+# Convince Domain Validator that adtrust-install was run in order to test
+# adding of ipa-trust-posix range
+
+smb_cont_dn = "{cifsdomains},{basedn}".format(
+    cifsdomains=api.env.container_cifsdomains,
+    basedn=api.env.basedn)
+smb_cont_add = dict(
+    objectClass=["nsContainer", "top"]
+    )
+
+trust_local_dn = "cn={domain},{smbcont}".format(
+    domain=api.env.domain,
+    smbcont=smb_cont_dn)
+
+trust_local_add = dict(
+    objectClass=["ipaNTDomainAttrs", "nsContainer", "top"],
+    ipaNTFlatName=["UNITTESTS"],
+    ipaNTDomainGUID=["4ed70def-bff4-464c-889f-6cd2cfa4dbb7"],
+    ipaNTSecurityIdentifier=["S-1-5-21-2568409255-1212639194-836868319"]
+    )
+
 user1 = u'tuser1'
 user1_uid = id_shift + 900000
 group1 = u'group1'
@@ -340,15 +390,19 @@ class test_range(Declarative):
         cls.tearDownClass()
         cls.mockldap = MockLDAP()
         cls.mockldap.add_entry(trust_container_dn, trust_container_add)
+        cls.mockldap.add_entry(smb_cont_dn, smb_cont_add)
+        cls.mockldap.add_entry(trust_local_dn, trust_local_add)
 
         cls.mockldap.add_entry(domain2_dn, domain2_add)
         cls.mockldap.add_entry(domain3_dn, domain3_add)
         cls.mockldap.add_entry(domain4_dn, domain4_add)
         cls.mockldap.add_entry(domain5_dn, domain5_add)
         cls.mockldap.add_entry(domain6_dn, domain6_add)
+        cls.mockldap.add_entry(domain7_dn, domain7_add)
 
         cls.mockldap.add_entry(domain1range1_dn, domain1range1_add)
         cls.mockldap.add_entry(domain2range1_dn, domain2range1_add)
+        cls.mockldap.add_entry(domain2range2_dn, domain2range2_add)
         cls.mockldap.add_entry(domain3range1_dn, domain3range1_add)
         cls.mockldap.add_entry(domain3range2_dn, domain3range2_add)
         cls.mockldap.add_entry(domain4range1_dn, domain4range1_add)
@@ -366,16 +420,21 @@ class test_range(Declarative):
         cls.mockldap.del_entry(domain4_dn)
         cls.mockldap.del_entry(domain5_dn)
         cls.mockldap.del_entry(domain6_dn)
+        cls.mockldap.del_entry(domain7_dn)
 
         cls.mockldap.del_entry(domain1range1_dn)
         cls.mockldap.del_entry(domain2range1_dn)
+        cls.mockldap.del_entry(domain2range2_dn)
         cls.mockldap.del_entry(domain3range1_dn)
         cls.mockldap.del_entry(domain3range2_dn)
         cls.mockldap.del_entry(domain4range1_dn)
         cls.mockldap.del_entry(domain5range1_dn)
         cls.mockldap.del_entry(domain5range2_dn)
         cls.mockldap.del_entry(domain6range1_dn)
+        cls.mockldap.del_entry(domain7range1_dn)
         cls.mockldap.del_entry(trust_container_dn)
+        cls.mockldap.del_entry(trust_local_dn)
+        cls.mockldap.del_entry(smb_cont_dn)
         cls.mockldap.unbind()
 
     cleanup_commands = [
@@ -674,6 +733,54 @@ class test_range(Declarative):
                      'secondary-rid-base cannot be used together'),
         ),
 
+        # Testing framework validation: --rid-base is prohibited with ipa-ad-posix
+
+        dict(
+            desc='Try to create ipa-ad-trust-posix ID range %r with base RID' % (domain7range1),
+            command=('idrange_add', [domain7range1],
+                     dict(ipabaseid=domain7range1_base_id,
+                          ipaidrangesize=domain7range1_size,
+                          ipabaserid=domain7range1_base_rid,
+                          iparangetype=domain7range1_type,
+                          ipanttrusteddomainsid=domain7_sid)),
+            expected=errors.ValidationError(
+                name='ID Range setup',
+                error='Option rid-base must not be used when IPA range '
+                      'type is ipa-ad-trust-posix'),
+        ),
+
+        dict(
+            desc='Create ID range %r' % (domain7range1),
+            command=('idrange_add', [domain7range1],
+                     dict(ipabaseid=domain7range1_base_id,
+                          ipaidrangesize=domain7range1_size,
+                          iparangetype=domain7range1_type,
+                          ipanttrusteddomainsid=domain7_sid)),
+            expected=dict(
+                result=dict(
+                    dn=unicode(domain7range1_dn),
+                    cn=[domain7range1],
+                    objectclass=[u'ipaIDrange', u'ipatrustedaddomainrange'],
+                    ipabaseid=[unicode(domain7range1_base_id)],
+                    ipabaserid=[u'0'],
+                    ipaidrangesize=[unicode(domain7range1_size)],
+                    ipanttrusteddomainsid=[unicode(domain7_sid)],
+                    iparangetype=[u'Active Directory trust range with POSIX attributes'],
+                ),
+                value=unicode(domain7range1),
+                summary=u'Added ID range "%s"' % (domain7range1),
+            ),
+        ),
+
+        dict(
+            desc='Try to modify ipa-ad-trust-posix ID range %r with base RID' % (domain7range1),
+            command=('idrange_mod', [domain7range1], dict(ipabaserid=domain7range1_base_rid)),
+            expected=errors.ValidationError(
+                name='ID Range setup',
+                error='Option rid-base must not be used when IPA range '
+                      'type is ipa-ad-trust-posix'),
+        ),
+
         # Testing prohibition of deletion of ranges belonging to active
         # trusted domains.
 
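Review bot: the section comment says '--rid-base is prohibited with ipa-ad-posix' while the range type everywhere else is `ipa-ad-trust-posix`; fix the name. Coverage-wise these cases check that a non-zero `ipabaserid` is rejected on add and mod, but not the two accepted paths the server patch introduces: an explicit `ipabaserid=0` on `idrange_add` (allowed by the `!= 0` guard) and `idrange_mod` with `ipabaserid=None` (which the server resets to 0); one case for each would pin that behaviour. The two `desc=` lines for domain7range1 also run past 79 columns.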
@@ -713,7 +820,7 @@ class test_range(Declarative):
                 result=dict(
                     cn=[domain3range2],
                     ipabaseid=[unicode(domain3range1_base_id)],
-                    ipabaserid=[unicode(domain3range2_base_rid)],
+                    ipabaserid=[u'0'],
                     ipaidrangesize=[unicode(domain3range2_size)],
                     ipanttrusteddomainsid=[unicode(domain3_sid)],
                     iparangetype=[u'Active Directory trust range with POSIX '
@@ -766,26 +873,25 @@ class test_range(Declarative):
         # - RID range overlaps
 
         # 1. Overlaps on base RID ranges are allowed for ranges from different
-        # domains, use domain4range1 and domain5range1
+        # domains, use domain2range1 and domain5range1
 
         dict(
-            desc=('Modify ipa-ad-trust-posix range %r to overlap on base RID'
+            desc=('Modify ipa-ad-trust range %r to overlap on base RID'
                   ' range with nonposix range from different domain'
-                  % (domain4range1)),
-            command=('idrange_mod', [domain4range1],
+                  % (domain2range1)),
+            command=('idrange_mod', [domain2range1],
                      dict(ipabaserid=domain5range1_base_rid)),
             expected=dict(
                 result=dict(
-                    cn=[domain4range1],
-                    ipabaseid=[unicode(domain4range1_base_id)],
+                    cn=[domain2range1],
+                    ipabaseid=[unicode(domain2range1_base_id)],
                     ipabaserid=[unicode(domain5range1_base_rid)],
-                    ipaidrangesize=[unicode(domain4range1_size)],
-                    ipanttrusteddomainsid=[unicode(domain4_sid)],
-                    iparangetype=[u'Active Directory trust range with POSIX '
-                                   'attributes'],
+                    ipaidrangesize=[unicode(domain2range1_size)],
+                    ipanttrusteddomainsid=[unicode(domain2_sid)],
+                    iparangetype=[u'Active Directory domain range'],
                 ),
-                value=domain4range1,
-                summary=u'Modified ID range "%s"' % (domain4range1),
+                value=domain2range1,
+                summary=u'Modified ID range "%s"' % (domain2range1),
             ),
         ),
 
@@ -794,9 +900,9 @@ class test_range(Declarative):
 
         dict(
             desc=('Modify ipa-ad-trust range %r to overlap on base RID range'
-                  ' with range from the same domain' % (domain5range1)),
-            command=('idrange_mod', [domain5range1],
-                     dict(ipabaserid=domain5range2_base_rid)),
+                  ' with range from the same domain' % (domain2range1)),
+            command=('idrange_mod', [domain2range1],
+                     dict(ipabaserid=domain2range2_base_rid)),
             expected=errors.DatabaseError(
                 desc='Constraint violation',
                 info='New primary rid range overlaps with existing primary rid '
-- 
1.9.3

From 33139f8ee8ff457e7d6e5e67fc938e3b023f38b7 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Mon, 13 Oct 2014 14:57:45 +0200
Subject: [PATCH] ranges: prohibit setting --rid-base with ipa-trust-ad-posix
 type

We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.

Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.

No schema change is done.

https://fedorahosted.org/freeipa/ticket/4221
---
 ipalib/plugins/idrange.py | 48 ++++++++++++++++++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 13 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 9e0481e94048c465f9a86112378a47390de0d494..3078c882d538508aafa03012b7691b0ab6d76b34 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -486,23 +486,33 @@ class idrange_add(LDAPCreate):
             if not is_set('iparangetype'):
                 entry_attrs['iparangetype'] = u'ipa-ad-trust'
 
-            if entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
-                                                   u'ipa-ad-trust-posix'):
+            if entry_attrs['iparangetype'] == u'ipa-ad-trust':
+                if not is_set('ipabaserid'):
+                    raise errors.ValidationError(
+                        name='ID Range setup',
+                        error=_('Options dom-sid/dom-name and rid-base must '
+                                'be used together')
+                    )
+            elif entry_attrs['iparangetype'] == u'ipa-ad-trust-posix':
+                if is_set('ipabaserid') and entry_attrs['ipabaserid'] != 0:
+                    raise errors.ValidationError(
+                        name='ID Range setup',
+                        error=_('Option rid-base must not be used when IPA '
+                                'range type is ipa-ad-trust-posix')
+                    )
+                else:
+                    entry_attrs['ipabaserid'] = 0
+            else:
                 raise errors.ValidationError(name='ID Range setup',
                     error=_('IPA Range type must be one of ipa-ad-trust '
                             'or ipa-ad-trust-posix when SID of the trusted '
-                            'domain is specified.'))
+                            'domain is specified'))
 
             if is_set('ipasecondarybaserid'):
                 raise errors.ValidationError(name='ID Range setup',
                     error=_('Options dom-sid/dom-name and secondary-rid-base '
                             'cannot be used together'))
 
-            if not is_set('ipabaserid'):
-                raise errors.ValidationError(name='ID Range setup',
-                    error=_('Options dom-sid/dom-name and rid-base must '
-                            'be used together'))
-
             # Validate SID as the one of trusted domains
             self.obj.validate_trusted_domain_sid(
                                         entry_attrs['ipanttrusteddomainsid'])
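Review bot: the `ipa-ad-trust-posix` branch relies on `is_set('ipabaserid')` treating an explicit `0` as set; if `is_set` tests truthiness rather than presence, `--rid-base=0` falls through to the `else` branch, which is harmless here but makes the `!= 0` guard partly redundant, so confirm the helper's semantics or add a comment. Dropping the trailing period from 'domain is specified' changes a user-visible message, and the unit test patch in this series does not touch that expectation, so check `test_range_plugin.py` for the old string.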
@@ -699,11 +709,23 @@ class idrange_mod(LDAPUpdate):
                 raise errors.ValidationError(name='ID Range setup',
                     error=_('Options dom-sid and secondary-rid-base cannot '
                             'be used together'))
-
-            if not in_updated_attrs('ipabaserid'):
-                raise errors.ValidationError(name='ID Range setup',
-                    error=_('Options dom-sid and rid-base must '
-                            'be used together'))
+            range_type = old_attrs['iparangetype'][0]
+            if range_type == u'ipa-ad-trust':
+                if not in_updated_attrs('ipabaserid'):
+                    raise errors.ValidationError(
+                        name='ID Range setup',
+                        error=_('Options dom-sid and rid-base must '
+                                'be used together'))
+            elif (range_type == u'ipa-ad-trust-posix' and
+                  'ipabaserid' in entry_attrs):
+                if entry_attrs['ipabaserid'] is None:
+                    entry_attrs['ipabaserid'] = 0
+                elif entry_attrs['ipabaserid'] != 0:
+                    raise errors.ValidationError(
+                        name='ID Range setup',
+                        error=_('Option rid-base must not be used when IPA '
+                                'range type is ipa-ad-trust-posix')
+                    )
 
             if is_set('ipanttrusteddomainsid'):
                 # Validate SID as the one of trusted domains
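Review bot: the blank line that separated the `ipasecondarybaserid` check from the RID check was removed, so `range_type = old_attrs['iparangetype'][0]` now runs straight on from the previous `raise`; restore it for readability. The `ipa-ad-trust-posix` branch only runs when `'ipabaserid' in entry_attrs`, so a range that still carries a non-zero base RID from before this change passes `idrange_mod` untouched unless the option is given; that is acceptable because the `update_idrange_baserid` updater in this series cleans such entries up, but a comment pointing at it would help. The `is None` to `0` mapping handles `--rid-base=` (clearing the value) correctly given that `ipaBaseRID` is a MUST attribute.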
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel