'*-add-principal' would crash with an error if the trusted domains did not have any UPN suffixes or NETBIOS name associated with them. This patch fixes that.

Big thanks to Milan who found and reported the issue while writing tests for the feature.


https://fedorahosted.org/freeipa/ticket/6099

--
Martin^3 Babinsky
From bb1b54a1d7432af719c6051b79b9afdef8e87c96 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 20 Jul 2016 15:46:22 +0200
Subject: [PATCH] harden the check for trust namespace overlap in new
 principals

This check must handle the possibility of optional attributes
(ipantadditionalsuffixes and ipantflatname) missing in the trusted domain
entry.

https://fedorahosted.org/freeipa/ticket/6099
---
 ipalib/util.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index 0cd5c091ec576e02e477f661bab981d12e01f1eb..805774006312e82c7acd4a46b8c9df2895a94ffe 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -975,11 +975,15 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys):
     trust_suffix_namespace = set()
 
     for obj in trust_objects:
-        trust_suffix_namespace.update(
-            set(upn.lower() for upn in obj['ipantadditionalsuffixes']))
+        nt_suffixes = obj.get('ipantadditionalsuffixes', [])
 
         trust_suffix_namespace.update(
-            set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower())))
+            set(upn.lower() for upn in nt_suffixes))
+
+        if 'ipantflatname' in obj:
+            trust_suffix_namespace.add(obj['ipantflatname'][0].lower())
+
+        trust_suffix_namespace.add(obj['cn'][0].lower())
 
     for principal in keys[-1]:
         realm = principal.realm
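Review bot: The new guard `if 'ipantflatname' in obj:` in the loop over trust_objects only covers a missing key, so an entry that carries the attribute with an empty value list would still raise IndexError at `obj['ipantflatname'][0]`. Fetching it the same way as the suffixes two lines above (`obj.get('ipantflatname')` followed by a truthiness check) would handle both cases and keep the two optional attributes consistent. The `set(...)` wrapper around the generator passed to `trust_suffix_namespace.update()` is redundant, since `update()` accepts any iterable. The diffstat shows only ipalib/util.py changing, so a regression test with a trusted domain entry lacking both optional attributes would be worth adding alongside this fix.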
-- 
2.7.4
