On 06/27/2016 07:56 AM, Martin Babinsky wrote:
On 06/24/2016 04:07 PM, Martin Babinsky wrote:
This patch reverts commits 705f66f7490c64de1adc129221b31927616c485d and
06d945a04607dc36e25af78688b4295420489fb9 responsible for
https://fedorahosted.org/freeipa/ticket/5996

This should unblock replica promotion.



self-NACK, disregard this patch, it should not be necessary to revert
the whole commit


This version only reverts the change that actually breaks stuff.

https://fedorahosted.org/freeipa/ticket/5996

--
Martin^3 Babinsky
From 700a29dc8dc87220bcbf301e32d8ea32b63d4ac0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Mon, 27 Jun 2016 08:48:29 +0200
Subject: [PATCH] keep setting ipakrbprincipal objectclass on new service
 entries

this is required for replica promotion to work, since the ACI allowing hosts
to add their own services uses this objectclass as target filter.

This partially reverts changes from commit
705f66f7490c64de1adc129221b31927616c485d

https://fedorahosted.org/freeipa/ticket/5996
---
 ipaserver/plugins/service.py                | 9 +++++++++
 ipatests/test_xmlrpc/objectclasses.py       | 1 +
 ipatests/test_xmlrpc/test_service_plugin.py | 4 +++-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index cb9952d4479a543321999269cb4bd6ace0714436..701314f8d9f2ac14c2b92fea1b75c7bf1754dac3 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -576,6 +576,15 @@ class service_add(LDAPCreate):
         if not 'managedby' in entry_attrs:
             entry_attrs['managedby'] = hostresult['dn']
 
+        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
+        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
+        # schema
+        entry_attrs['ipakrbprincipalalias'] = keys[-1]
+
+        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
+        # in a list of default objectclasses, add it manually
+        entry_attrs['objectclass'].append('ipakrbprincipal')
+
         # set krbcanonicalname attribute to enable principal canonicalization
         util.set_krbcanonicalname(entry_attrs)
 
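Review bot: The comment above `entry_attrs['objectclass'].append('ipakrbprincipal')` gives only the schema reason for the objectclass and leaves out the access-control one from the commit message, namely that the ACI allowing hosts to add their own services uses this objectclass as its target filter. Because removing the line already broke replica promotion once, I would record that dependency next to it, e.g. `# NOTE: the ACI letting hosts add their own services filters on ipakrbprincipal; do not drop (ticket 5996)`, and fix the doubled "in" that spans the two comment lines. The append is also unconditional, so if the list can already contain the value a guard such as `if 'ipakrbprincipal' not in entry_attrs['objectclass']:` would avoid a duplicate. The enclosing method starts and ends outside the hunk, so I cannot tell from here whether that case can occur.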
diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 7050de289760ede29d057e42658c2f68d8506249..134a08803f3abca1124c4d26274d9e3fc981b941 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -100,6 +100,7 @@ service = [
     u'ipaobject',
     u'ipaservice',
     u'pkiuser',
+    u'ipakrbprincipal',
     u'top',
 ]
 
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 3009521c3b2d9c496bff4e11b96838ce50a2eefa..f22824f9ab101e10961eecf241420eac92315a68 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -239,6 +239,7 @@ class test_service(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
+                    ipakrbprincipalalias=[service1],
                     krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
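Review bot: The added `ipakrbprincipalalias=[service1]` expectation checks only the attributes returned by the add, while the regression described in the commit message was an ACI decision made when a host adds its own service. As far as this hunk shows, nothing asserts that an add performed with host credentials still succeeds, so the same breakage could come back with these tests passing. A case that runs the service add as the host and expects success would pin the access-control behaviour. The same applies to the expectation changed in the next hunk of this file. The test list starts and ends outside the hunk, so such a case may already exist elsewhere.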
@@ -301,7 +302,8 @@ class test_service(Declarative):
                     dict(
                         dn=service1dn,
                         krbprincipalname=[service1],
-                        krbcanonicalname=service1,
+                        ipakrbprincipalalias=[service1],
+                        krbcanonicalname=[service1],
                         objectclass=objectclasses.service,
                         ipauniqueid=[fuzzy_uuid],
                         has_keytab=False,
-- 
2.5.5
