Hi,
this patch adds a new option to ipa-adtrust-install to generate the SID
for users and groups at the end of the run. This fixes
https://fedorahosted.org/freeipa/ticket/3104 .
bye,
Sumit
From 64f5b76c1869dbbc5e63035baa13642b43854839 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 2 Oct 2012 22:11:17 +0200
Subject: [PATCH] Add SIDs for existing users and groups at the end of
ipa-adtrust-install
Fixes https://fedorahosted.org/freeipa/ticket/3104
---
daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am | 1 +
.../ipa-sidgen/ipa-sidgen-task-example.ldif | 10 --
.../ipa-sidgen/ipa-sidgen-task-run.ldif | 10 ++
install/tools/ipa-adtrust-install | 5 -
install/tools/man/ipa-adtrust-install.1 | 10 ++
ipaserver/install/adtrustinstance.py | 19 ++-
6 Dateien geändert, 43 Zeilen hinzugefügt(+), 12 Zeilen entfernt(-)
delete mode 100644
daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif
create mode 100644
daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
index
0d8b74e86369ae9c972e090ff0e6feddc840cfde..a0d0e9ecf366b23cc6f054945544cd88cd846cad
100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
@@ -49,6 +49,7 @@ appdir = $(IPA_DATA_DIR)
app_DATA = \
ipa-sidgen-conf.ldif\
ipa-sidgen-task-conf.ldif \
+ ipa-sidgen-task-run.ldif\
$(NULL)
EXTRA_DIST = \
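Review bot: In the app_DATA list, the added `ipa-sidgen-task-run.ldif\` entry has no space before the continuation backslash, unlike `ipa-sidgen-task-conf.ldif \` on the line above; add the space for consistency. Since this is the only Makefile.am line the patch touches, also confirm that the EXTRA_DIST list starting below picks up the new file (for example through $(app_DATA)), because automake does not distribute _DATA files by default.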
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif
b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif
deleted file mode 100644
index
9cfded73b1b53461c0c0aa4f563452f51d258aae..
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif
+++ /dev/null
@@ -1,10 +0,0 @@
-dn: cn=sidgen,cn=ipa-sidgen-task,cn=plugins,cn=config
-changetype: add
-objectClass: top
-objectClass: nsSlapdPlugin
-objectClass: extensibleObject
-cn: ipa-sidgen-task
-nsslapd-pluginPath: libipa_sidgen_task
-nsslapd-pluginInitfunc: sidgen_task_init
-nsslapd-basedn: $SUFFIX
-delay: 0
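Review bot: The removal of ipa-sidgen-task-example.ldif is not mentioned in the commit message, and the diffstat shows Makefile.am gaining one line and losing none. Please check that no EXTRA_DIST entry or other file still references the deleted example, and add a sentence to the commit message saying it is replaced by ipa-sidgen-task-run.ldif.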
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif
b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif
new file mode 100644
index
..663b7597b90a59c88c658dbcc5f483a6693f88dc
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif
@@ -0,0 +1,10 @@
+dn: cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config
+changetype: add
+objectClass: top
+objectClass: extensibleObject
+cn: sidgen
+# $SUFFIX must be replaced with the base DN of the IPA directory tree
+nsslapd-basedn: $SUFFIX
+# delay specifies the time the task should sleep between the generation of SIDs
+# in nanoseconds
+delay: 0
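Review bot: `delay: 0` is fixed in the template, so if the installer applies this file with only $SUFFIX substituted, the task never pauses between entries, while the man page text added in this same patch warns about high replication traffic and performance degradation on all IPA servers. Consider a non-zero default or a way to set the delay from ipa-adtrust-install. The comment above it is also ambiguous about what is measured in nanoseconds; something like "time in nanoseconds the task sleeps between generating two SIDs" would make the unit clearly belong to the delay.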
diff --git a/install/tools/ipa-adtrust-install
b/install/tools/ipa-adtrust-install
index
12e218de62dd4b4d795f7372e0108e6a208f1285..f50bb58213ac0681cd8bda0a449ae21c48e6adb8
100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -61,6 +61,9 @@ def parse_options():
parser.add_option(-A, --admin-name,
sensitive=True, dest=admin_name, default='admin',
help=admin user principal)
+parser.add_option(--add-sids, dest=add_sids, action=store_true,
+ default=False, help=Add SIDs for existing users and \
+ groups as the final step)
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
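Review bot: In the new --add-sids option, the help text is continued with a backslash inside the string, so the leading whitespace of the `groups as the final step` line becomes part of the help message. Close the string at the end of the first line and continue with a second adjacent string literal inside the parentheses instead.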
@@ -254,7 +257,7 @@ def main():
smb.autobind = service.ENABLED
smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
netbios_name, options.rid_base, options.secondary_rid_base,
- options.no_msdcs)
+ options.no_msdcs, options.add_sids)
smb.find_local_id_range()
smb.create_instance()
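Review bot: options.add_sids is appended as a ninth positional argument to smb.setup(), directly after options.no_msdcs, where a later reordering could silently swap the two flags. Pass it by keyword (add_sids=options.add_sids) and give the new parameter a default of False in setup() so that any other caller keeps its current behaviour.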
diff --git a/install/tools/man/ipa-adtrust-install.1
b/install/tools/man/ipa-adtrust-install.1
index
fa63bca3c4859325acb5891de6ad1e21b97dc754..9204b7d5fde7493a4c268eb71693e86a63a1b4b7
100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -71,6 +71,16 @@ are needed for the IPA domain which should point to all IPA
servers:
.IP
\(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
.TP
+\fB\-\-add\-sids\fR
+Add SIDs to existing users and groups as a final step of the
+ipa\-adtrust\-install run. If there a many existing users and groups and a
+couple of replicas in the environment this operation might lead to a high
+replication traffic and a performance degradation of all IPA servers in the
+environment. To avoid this the SID