Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges
On 10/18/2012 10:00 PM, Sumit Bose wrote:
On Thu, Oct 18, 2012 at 08:31:50AM +0200, Tomas Babej wrote:
On 10/17/2012 08:12 PM, Sumit Bose wrote:
On Wed, Oct 17, 2012 at 03:29:11PM +0200, Tomas Babej wrote:
On 10/17/2012 02:34 PM, Sumit Bose wrote:
On Wed, Oct 17, 2012 at 12:59:52PM +0200, Tomas Babej wrote:
On 10/17/2012 11:14 AM, Sumit Bose wrote:
On Tue, Oct 16, 2012 at 02:26:24PM +0200, Tomas Babej wrote:

Hi, commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py

https://fedorahosted.org/freeipa/ticket/3086

Tomas

Thank you for the patch, comments are in-line.

bye, Sumit

Thank you for your suggestions. New version of the patch attached.

Tomas

Thank you for addressing my comments. I just realized that the check is too strict.

The ranges of the Posix IDs [base_id - base_id+id_range_size) may not overlap for any existing range because those IDs belong to the single Posix ID namespace of the IPA domain. I.e. each user, local or from a trusted domain, must have a unique Posix ID.

The RID ranges [base_rid, base_rid+id_range_size) and [secondary_base_rid, secondary_base_rid+id_range_size) may not overlap with RID ranges from the same domain. So the RID ranges for the local domain may not overlap and the RID ranges for any specific trusted domain may not overlap. It is allowed that there is a range from the local domain may have base_rid=1000 and a range from a trusted domain as well. This is ok because the RID is only part of the identifier, each domain has a unique domain SID which is used together with the RID to identify e.g. a user.

I would suggest to look for the ipaNTTrustedDomainSID attribute in slapi_entry_to_range_info() too and add it to struct range_info.
In ranges_overlap() you can then check the Posix ID range for all ranges but do the RID checks only when the domain identifiers are either both NULL (local IPA domain) or are the same strings. Sorry for not seeing this earlier. bye, Sumit Thanks for catching this issue. It is solved in the newest revision of the patch. Tomas sorry, found another one ... ... +static int ranges_overlap(struct range_info *r1, struct range_info *r2) +{ +if (r1-name != NULL r2-name != NULL +strcasecmp(r1-name, r2-name) == 0) { +return 0; +} + +/* check if base range overlaps with existing base range */ +if (intervals_overlap(r1-base_id, r2-base_id, +r1-id_range_size, r2-id_range_size)){ +return 1; +} + +/* if both base_rid and secondary_base_rid = 0, the rid range is not set */ +bool rid_ranges_set = (r1-base_rid != 0 || r1-secondary_base_rid != 0) + (r2-base_rid != 0 || r2-secondary_base_rid != 0); + +bool ranges_from_same_domain = + (r1-domain_id == NULL r2-domain_id == NULL) || + (strcasecmp(r1-domain_id, r2-domain_id) == 0); + you have to check that both domain_id are not NULL before calling strcasecmp. bye, Sumit Null pointer check added. Thank you. ACK bye, Sumit Tomas Thanks guys. Pushed to master, ipa-3-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges
On 10/17/2012 08:12 PM, Sumit Bose wrote:
On Wed, Oct 17, 2012 at 03:29:11PM +0200, Tomas Babej wrote:
On 10/17/2012 02:34 PM, Sumit Bose wrote:
On Wed, Oct 17, 2012 at 12:59:52PM +0200, Tomas Babej wrote:
On 10/17/2012 11:14 AM, Sumit Bose wrote:
On Tue, Oct 16, 2012 at 02:26:24PM +0200, Tomas Babej wrote:

Hi, commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py

https://fedorahosted.org/freeipa/ticket/3086

Tomas

Thank you for the patch, comments are in-line.

bye, Sumit

Thank you for your suggestions. New version of the patch attached.

Tomas

Thank you for addressing my comments. I just realized that the check is too strict.

The ranges of the Posix IDs [base_id - base_id+id_range_size) may not overlap for any existing range because those IDs belong to the single Posix ID namespace of the IPA domain. I.e. each user, local or from a trusted domain, must have a unique Posix ID.

The RID ranges [base_rid, base_rid+id_range_size) and [secondary_base_rid, secondary_base_rid+id_range_size) may not overlap with RID ranges from the same domain. So the RID ranges for the local domain may not overlap and the RID ranges for any specific trusted domain may not overlap. It is allowed that there is a range from the local domain may have base_rid=1000 and a range from a trusted domain as well. This is ok because the RID is only part of the identifier, each domain has a unique domain SID which is used together with the RID to identify e.g. a user.

I would suggest to look for the ipaNTTrustedDomainSID attribute in slapi_entry_to_range_info() too and add it to struct range_info.
In ranges_overlap() you can then check the Posix ID range for all ranges but do the RID checks only when the domain identifiers are either both NULL (local IPA domain) or are the same strings. Sorry for not seeing this earlier. bye, Sumit Thanks for catching this issue. It is solved in the newest revision of the patch. Tomas sorry, found another one ... ... +static int ranges_overlap(struct range_info *r1, struct range_info *r2) +{ +if (r1-name != NULL r2-name != NULL +strcasecmp(r1-name, r2-name) == 0) { +return 0; +} + +/* check if base range overlaps with existing base range */ +if (intervals_overlap(r1-base_id, r2-base_id, +r1-id_range_size, r2-id_range_size)){ +return 1; +} + +/* if both base_rid and secondary_base_rid = 0, the rid range is not set */ +bool rid_ranges_set = (r1-base_rid != 0 || r1-secondary_base_rid != 0) + (r2-base_rid != 0 || r2-secondary_base_rid != 0); + +bool ranges_from_same_domain = + (r1-domain_id == NULL r2-domain_id == NULL) || + (strcasecmp(r1-domain_id, r2-domain_id) == 0); + you have to check that both domain_id are not NULL before calling strcasecmp. bye, Sumit Null pointer check added. Tomas From 2a90a4f2f3958575ecd7cf69034d4e381930f6c5 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 15 Oct 2012 06:28:16 -0400 Subject: [PATCH] Forbid overlapping primary and secondary rid ranges Commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py https://fedorahosted.org/freeipa/ticket/3086 --- .../ipa-range-check/ipa_range_check.c | 115 +--- tests/test_xmlrpc/test_range_plugin.py | 120 +++-- 2 files changed, 213 insertions(+), 22 deletions(-) 
diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c index 499e54a9c4a4c9134a231c0cd09e700390565a14..290dc5a52080d6b7d1587fa2af6102f022ccb30a 100644 --- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c +++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c @@ -49,6 +49,7 @@ #define IPA_ID_RANGE_SIZE ipaIDRangeSize #define IPA_BASE_RID ipaBaseRID #define IPA_SECONDARY_BASE_RID ipaSecondaryBaseRID +#define IPA_DOMAIN_ID ipaNTTrustedDomainSID #define RANGES_FILTER objectclass=ipaIDRange #define IPA_PLUGIN_NAME ipa-range-check @@ -70,6 +71,7 @@ struct ipa_range_check_ctx { struct range_info { char *name; +char *domain_id; uint32_t base_id; uint32_t id_range_size; uint32_t base_rid; @@ -93,6 +95,8 @@ static int slapi_entry_to_range_info(struct slapi_entry *entry, return EINVAL; } +range-domain_id = slapi_entry_attr_get_charptr(entry, IPA_DOMAIN_ID); + ul_val = slapi_entry_attr_get_ulong(entry, IPA_BASE_ID); if (ul_val == 0 || ul_val = UINT32_MAX) {
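Review bot: the domain_id assignment added to slapi_entry_to_range_info() stores the result of slapi_entry_attr_get_charptr(), which is a newly allocated copy, and none of the visible hunks shows it being released. Wherever a struct range_info is torn down, domain_id needs a matching slapi_ch_free_string(), and that has to cover the error returns that follow the assignment (the range check on IPA_BASE_ID comes right after it), otherwise every rejected entry leaks the SID string.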
Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges
On Thu, Oct 18, 2012 at 08:31:50AM +0200, Tomas Babej wrote:
On 10/17/2012 08:12 PM, Sumit Bose wrote:
On Wed, Oct 17, 2012 at 03:29:11PM +0200, Tomas Babej wrote:
On 10/17/2012 02:34 PM, Sumit Bose wrote:
On Wed, Oct 17, 2012 at 12:59:52PM +0200, Tomas Babej wrote:
On 10/17/2012 11:14 AM, Sumit Bose wrote:
On Tue, Oct 16, 2012 at 02:26:24PM +0200, Tomas Babej wrote:

Hi, commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py

https://fedorahosted.org/freeipa/ticket/3086

Tomas

Thank you for the patch, comments are in-line.

bye, Sumit

Thank you for your suggestions. New version of the patch attached.

Tomas

Thank you for addressing my comments. I just realized that the check is too strict.

The ranges of the Posix IDs [base_id - base_id+id_range_size) may not overlap for any existing range because those IDs belong to the single Posix ID namespace of the IPA domain. I.e. each user, local or from a trusted domain, must have a unique Posix ID.

The RID ranges [base_rid, base_rid+id_range_size) and [secondary_base_rid, secondary_base_rid+id_range_size) may not overlap with RID ranges from the same domain. So the RID ranges for the local domain may not overlap and the RID ranges for any specific trusted domain may not overlap. It is allowed that there is a range from the local domain may have base_rid=1000 and a range from a trusted domain as well. This is ok because the RID is only part of the identifier, each domain has a unique domain SID which is used together with the RID to identify e.g. a user.

I would suggest to look for the ipaNTTrustedDomainSID attribute in slapi_entry_to_range_info() too and add it to struct range_info.
In ranges_overlap() you can then check the Posix ID range for all ranges but do the RID checks only when the domain identifiers are either both NULL (local IPA domain) or are the same strings. Sorry for not seeing this earlier. bye, Sumit Thanks for catching this issue. It is solved in the newest revision of the patch. Tomas sorry, found another one ... ... +static int ranges_overlap(struct range_info *r1, struct range_info *r2) +{ +if (r1-name != NULL r2-name != NULL +strcasecmp(r1-name, r2-name) == 0) { +return 0; +} + +/* check if base range overlaps with existing base range */ +if (intervals_overlap(r1-base_id, r2-base_id, +r1-id_range_size, r2-id_range_size)){ +return 1; +} + +/* if both base_rid and secondary_base_rid = 0, the rid range is not set */ +bool rid_ranges_set = (r1-base_rid != 0 || r1-secondary_base_rid != 0) + (r2-base_rid != 0 || r2-secondary_base_rid != 0); + +bool ranges_from_same_domain = + (r1-domain_id == NULL r2-domain_id == NULL) || + (strcasecmp(r1-domain_id, r2-domain_id) == 0); + you have to check that both domain_id are not NULL before calling strcasecmp. bye, Sumit Null pointer check added. Thank you. ACK bye, Sumit Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges
On 10/17/2012 11:14 AM, Sumit Bose wrote: On Tue, Oct 16, 2012 at 02:26:24PM +0200, Tomas Babej wrote: Hi, commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py https://fedorahosted.org/freeipa/ticket/3086 Tomas Thank you for the patch, comments are in-line. bye, Sumit From a46a8d0aa4e64e105a53a177b6a12cf28e56620e Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 15 Oct 2012 06:28:16 -0400 Subject: [PATCH] Forbid overlapping primary and secondary rid ranges Commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py https://fedorahosted.org/freeipa/ticket/3086 --- .../ipa-range-check/ipa_range_check.c | 93 +--- tests/test_xmlrpc/test_range_plugin.py | 120 +++-- 2 files changed, 191 insertions(+), 22 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c index 499e54a9c4a4c9134a231c0cd09e700390565a14..4f9f7437d11d2bc33238b14f5099a42b4c5463d2 100644 --- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c +++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c 
@@ -132,24 +132,67 @@ done: return ret; } -#define IN_RANGE(x,base,size) ( (x) = (base) ((x) - (base)) (size) ) -static bool ranges_overlap(struct range_info *r1, struct range_info *r2) +#define IN_RANGE(x,base,size) ( (x) = (base) (x) (size+base) ) Would you mind to use the original definition of IN_RANGE? x-base looks a bit odd, but I made it on purpose to avoid overruns. Since we already know that x=base we can be sure that there will be no underrun. +static bool intervals_overlap(uint32_t x, uint32_t base, uint32_t x_size, uint32_t base_size) { -if (r1-name != NULL r2-name != NULL -strcasecmp(r1-name, r2-name) == 0) { -return false; -} - -if (IN_RANGE(r1-base_id, r2-base_id, r2-id_range_size) || -IN_RANGE((r1-base_id + r1-id_range_size - 1), r2-base_id, r2-id_range_size) || -IN_RANGE(r2-base_id, r1-base_id, r1-id_range_size) || -IN_RANGE((r2-base_id + r2-id_range_size - 1), r1-base_id, r1-id_range_size)) { +if (IN_RANGE(x, base, base_size) || +IN_RANGE((x + x_size - 1), base, base_size) || +IN_RANGE(base, x, x_size) || +IN_RANGE((base + base_size - 1), x, x_size)) { return true; } return false; } +//returns 0 if there is no overlap +//connected ranges must not overlap: +// existing range: base rid sec_rid +//| | \ / | +//| | \/ | +//| | /\ | +//| | / \ | +// new range: base rid sec_rid I think we currently do not use C++ style comments in freeipa C code. Can you switch to /* */ comments? 
+static int ranges_overlap(struct range_info *r1, struct range_info *r2) +{ +if (r1-name != NULL r2-name != NULL +strcasecmp(r1-name, r2-name) == 0) { +return 0; +} + +//check if base range overlaps with existing base range +if (intervals_overlap(r1-base_id, r2-base_id, +r1-id_range_size, r2-id_range_size)){ +return 1; +} + +//if both base_rid and secondary_base_rid are 0, the rid range is not set +//in that case we skip the primary/secondary rid range overlap test +if((r1-base_rid!=0 || r1-secondary_base_rid!=0) + (r2-base_rid!=0 || r2-secondary_base_rid!=0)){ can you add spaces around '!=' ? + +//check if rid range overlaps with existing rid range +if (intervals_overlap(r1-base_rid, r2-base_rid, +r1-id_range_size, r2-id_range_size)) +return 2; + +//check if secondary rid range overlaps with existing secondary rid range +if (intervals_overlap(r1-secondary_base_rid, r2-secondary_base_rid, +r1-id_range_size, r2-id_range_size)) +return 3; + +//check if rid range overlaps with existing secondary rid range +if (intervals_overlap(r1-base_rid, r2-secondary_base_rid, +r1-id_range_size, r2-id_range_size)) +return 4; + +//check if secondary rid range overlaps with existing rid range +if (intervals_overlap(r1-secondary_base_rid, r2-base_rid, +r1-id_range_size, r2-id_range_size)) +return 5; +} Return code is missing if one of the ranges does not have the rid ranges set. Can you add a test case for this condition as well? +} + static
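Review bot: the values 1 to 5 returned by the new ranges_overlap() are bare magic numbers with no definition a caller can refer to, and because the function changes from bool to int, every call site that tested the old true/false result has to be rechecked. A small enum (or a set of #defines) naming each collision kind, used both in these return statements and at the call sites, would make the codes self-explanatory and keep the two ends in sync.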
Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges
On Wed, Oct 17, 2012 at 12:59:52PM +0200, Tomas Babej wrote:
On 10/17/2012 11:14 AM, Sumit Bose wrote:
On Tue, Oct 16, 2012 at 02:26:24PM +0200, Tomas Babej wrote:

Hi, commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py

https://fedorahosted.org/freeipa/ticket/3086

Tomas

Thank you for the patch, comments are in-line.

bye, Sumit

Thank you for your suggestions. New version of the patch attached.

Tomas

Thank you for addressing my comments. I just realized that the check is too strict.

The ranges of the Posix IDs [base_id - base_id+id_range_size) may not overlap for any existing range because those IDs belong to the single Posix ID namespace of the IPA domain. I.e. each user, local or from a trusted domain, must have a unique Posix ID.

The RID ranges [base_rid, base_rid+id_range_size) and [secondary_base_rid, secondary_base_rid+id_range_size) may not overlap with RID ranges from the same domain. So the RID ranges for the local domain may not overlap and the RID ranges for any specific trusted domain may not overlap. It is allowed that there is a range from the local domain may have base_rid=1000 and a range from a trusted domain as well. This is ok because the RID is only part of the identifier, each domain has a unique domain SID which is used together with the RID to identify e.g. a user.

I would suggest to look for the ipaNTTrustedDomainSID attribute in slapi_entry_to_range_info() too and add it to struct range_info. In ranges_overlap() you can then check the Posix ID range for all ranges but do the RID checks only when the domain identifiers are either both NULL (local IPA domain) or are the same strings.

Sorry for not seeing this earlier.
bye, Sumit
Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges
On 10/17/2012 02:34 PM, Sumit Bose wrote:
On Wed, Oct 17, 2012 at 12:59:52PM +0200, Tomas Babej wrote:
On 10/17/2012 11:14 AM, Sumit Bose wrote:
On Tue, Oct 16, 2012 at 02:26:24PM +0200, Tomas Babej wrote:

Hi, commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py

https://fedorahosted.org/freeipa/ticket/3086

Tomas

Thank you for the patch, comments are in-line.

bye, Sumit

Thank you for your suggestions. New version of the patch attached.

Tomas

Thank you for addressing my comments. I just realized that the check is too strict.

The ranges of the Posix IDs [base_id - base_id+id_range_size) may not overlap for any existing range because those IDs belong to the single Posix ID namespace of the IPA domain. I.e. each user, local or from a trusted domain, must have a unique Posix ID.

The RID ranges [base_rid, base_rid+id_range_size) and [secondary_base_rid, secondary_base_rid+id_range_size) may not overlap with RID ranges from the same domain. So the RID ranges for the local domain may not overlap and the RID ranges for any specific trusted domain may not overlap. It is allowed that there is a range from the local domain may have base_rid=1000 and a range from a trusted domain as well. This is ok because the RID is only part of the identifier, each domain has a unique domain SID which is used together with the RID to identify e.g. a user.

I would suggest to look for the ipaNTTrustedDomainSID attribute in slapi_entry_to_range_info() too and add it to struct range_info. In ranges_overlap() you can then check the Posix ID range for all ranges but do the RID checks only when the domain identifiers are either both NULL (local IPA domain) or are the same strings.

Sorry for not seeing this earlier.

bye, Sumit

Thanks for catching this issue.
It is solved in the newest revision of the patch. Tomas From dab63f5d42e53218a0611c82a1cb0768ad4be17f Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 15 Oct 2012 06:28:16 -0400 Subject: [PATCH] Forbid overlapping primary and secondary rid ranges Commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py https://fedorahosted.org/freeipa/ticket/3086 --- .../ipa-range-check/ipa_range_check.c | 114 +--- tests/test_xmlrpc/test_range_plugin.py | 120 +++-- 2 files changed, 212 insertions(+), 22 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c index 499e54a9c4a4c9134a231c0cd09e700390565a14..b866259134658da77aff3760b872acfe4ed5a5fe 100644 --- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c +++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c @@ -49,6 +49,7 @@ #define IPA_ID_RANGE_SIZE ipaIDRangeSize #define IPA_BASE_RID ipaBaseRID #define IPA_SECONDARY_BASE_RID ipaSecondaryBaseRID +#define IPA_DOMAIN_ID ipaNTTrustedDomainSID #define RANGES_FILTER objectclass=ipaIDRange #define IPA_PLUGIN_NAME ipa-range-check @@ -70,6 +71,7 @@ struct ipa_range_check_ctx { struct range_info { char *name; +char *domain_id; uint32_t base_id; uint32_t id_range_size; uint32_t base_rid; @@ -93,6 +95,8 @@ static int slapi_entry_to_range_info(struct slapi_entry *entry, return EINVAL; } +range-domain_id = slapi_entry_attr_get_charptr(entry, IPA_DOMAIN_ID); + ul_val = slapi_entry_attr_get_ulong(entry, IPA_BASE_ID); if (ul_val == 0 || ul_val = UINT32_MAX) { ret = ERANGE; 
@@ -132,24 +136,81 @@ done: return ret; } -#define IN_RANGE(x,base,size) ( (x) = (base) ((x) - (base)) (size) ) -static bool ranges_overlap(struct range_info *r1, struct range_info *r2) +#define IN_RANGE(x,base,size) ( (x) = (base) ((x) - (base) (size)) ) +static bool intervals_overlap(uint32_t x, uint32_t base, uint32_t x_size, uint32_t base_size) { -if (r1-name != NULL r2-name != NULL -strcasecmp(r1-name, r2-name) == 0) { -return false; -} - -if (IN_RANGE(r1-base_id, r2-base_id, r2-id_range_size) || -IN_RANGE((r1-base_id + r1-id_range_size - 1), r2-base_id, r2-id_range_size) || -IN_RANGE(r2-base_id, r1-base_id, r1-id_range_size) || -IN_RANGE((r2-base_id + r2-id_range_size - 1), r1-base_id, r1-id_range_size)) { +if (IN_RANGE(x, base, base_size) || +IN_RANGE((x + x_size - 1), base, base_size) || +IN_RANGE(base, x, x_size) || +IN_RANGE((base + base_size - 1), x, x_size)) { return true; } return
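Review bot: in intervals_overlap() the end points are passed as (x + x_size - 1) and (base + base_size - 1), both computed in uint32_t, so a base close to UINT32_MAX plus its size wraps around and IN_RANGE then tests a small, unrelated value. IN_RANGE itself is written to avoid overruns, but its arguments are not. Either compute the ends in uint64_t or reject base + size beyond UINT32_MAX where the entry is parsed; the ERANGE check visible in the earlier hunk bounds base_id on its own, not the sum.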
Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges
On Wed, Oct 17, 2012 at 03:29:11PM +0200, Tomas Babej wrote:
On 10/17/2012 02:34 PM, Sumit Bose wrote:
On Wed, Oct 17, 2012 at 12:59:52PM +0200, Tomas Babej wrote:
On 10/17/2012 11:14 AM, Sumit Bose wrote:
On Tue, Oct 16, 2012 at 02:26:24PM +0200, Tomas Babej wrote:

Hi, commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py

https://fedorahosted.org/freeipa/ticket/3086

Tomas

Thank you for the patch, comments are in-line.

bye, Sumit

Thank you for your suggestions. New version of the patch attached.

Tomas

Thank you for addressing my comments. I just realized that the check is too strict.

The ranges of the Posix IDs [base_id - base_id+id_range_size) may not overlap for any existing range because those IDs belong to the single Posix ID namespace of the IPA domain. I.e. each user, local or from a trusted domain, must have a unique Posix ID.

The RID ranges [base_rid, base_rid+id_range_size) and [secondary_base_rid, secondary_base_rid+id_range_size) may not overlap with RID ranges from the same domain. So the RID ranges for the local domain may not overlap and the RID ranges for any specific trusted domain may not overlap. It is allowed that there is a range from the local domain may have base_rid=1000 and a range from a trusted domain as well. This is ok because the RID is only part of the identifier, each domain has a unique domain SID which is used together with the RID to identify e.g. a user.

I would suggest to look for the ipaNTTrustedDomainSID attribute in slapi_entry_to_range_info() too and add it to struct range_info. In ranges_overlap() you can then check the Posix ID range for all ranges but do the RID checks only when the domain identifiers are either both NULL (local IPA domain) or are the same strings.

Sorry for not seeing this earlier.
bye, Sumit Thanks for catching this issue. It is solved in the newest revision of the patch. Tomas sorry, found another one ... ... +static int ranges_overlap(struct range_info *r1, struct range_info *r2) +{ +if (r1-name != NULL r2-name != NULL +strcasecmp(r1-name, r2-name) == 0) { +return 0; +} + +/* check if base range overlaps with existing base range */ +if (intervals_overlap(r1-base_id, r2-base_id, +r1-id_range_size, r2-id_range_size)){ +return 1; +} + +/* if both base_rid and secondary_base_rid = 0, the rid range is not set */ +bool rid_ranges_set = (r1-base_rid != 0 || r1-secondary_base_rid != 0) + (r2-base_rid != 0 || r2-secondary_base_rid != 0); + +bool ranges_from_same_domain = + (r1-domain_id == NULL r2-domain_id == NULL) || + (strcasecmp(r1-domain_id, r2-domain_id) == 0); + you have to check that both domain_id are not NULL before calling strcasecmp. bye, Sumit ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
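The scoping rule Sumit describes in this thread (Posix ID ranges must be disjoint across all ranges, RID ranges only within one domain) and the NULL check he asks for before strcasecmp(), sketched as an added example; this is not the patch's code or FreeIPA's. The struct reuses the field names from the thread, while the enum names, the 64-bit end-point arithmetic and the sample ranges and SIDs are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <strings.h>

/* Stand-in for the plugin's struct range_info; field names follow the thread. */
struct range_info {
    const char *name;
    const char *domain_id;      /* ipaNTTrustedDomainSID; NULL = local IPA domain */
    uint32_t base_id;
    uint32_t id_range_size;
    uint32_t base_rid;
    uint32_t secondary_base_rid;
};

/* Result names are this example's own, not the patch's numeric codes. */
enum overlap { NO_OVERLAP = 0, POSIX_ID_OVERLAP, RID_OVERLAP };

/* Do [a, a+a_size) and [b, b+b_size) intersect? Ends are computed in
 * 64 bits so a base close to UINT32_MAX cannot wrap around. */
static bool intervals_overlap(uint32_t a, uint32_t a_size,
                              uint32_t b, uint32_t b_size)
{
    uint64_t a_end = (uint64_t)a + a_size;
    uint64_t b_end = (uint64_t)b + b_size;
    return a_size != 0 && b_size != 0 && a < b_end && b < a_end;
}

/* Both NULL: both ranges are local. strcasecmp() never sees a NULL. */
static bool same_domain(const struct range_info *r1, const struct range_info *r2)
{
    if (r1->domain_id == NULL || r2->domain_id == NULL)
        return r1->domain_id == NULL && r2->domain_id == NULL;
    return strcasecmp(r1->domain_id, r2->domain_id) == 0;
}

/* Convention from the thread: both RID bases zero means no RID range is set. */
static bool rid_ranges_set(const struct range_info *r)
{
    return r->base_rid != 0 || r->secondary_base_rid != 0;
}

static enum overlap ranges_overlap(const struct range_info *r1,
                                   const struct range_info *r2)
{
    uint32_t s1 = r1->id_range_size, s2 = r2->id_range_size;
    /* An entry never collides with itself (idrange-mod). */
    if (r1->name != NULL && r2->name != NULL && strcasecmp(r1->name, r2->name) == 0)
        return NO_OVERLAP;
    /* Posix IDs live in one namespace: checked for every pair of ranges. */
    if (intervals_overlap(r1->base_id, s1, r2->base_id, s2))
        return POSIX_ID_OVERLAP;
    /* RIDs are only unique per domain SID: skip unless same domain. */
    if (!rid_ranges_set(r1) || !rid_ranges_set(r2) || !same_domain(r1, r2))
        return NO_OVERLAP;
    if (intervals_overlap(r1->base_rid, s1, r2->base_rid, s2) ||
        intervals_overlap(r1->secondary_base_rid, s1, r2->secondary_base_rid, s2) ||
        intervals_overlap(r1->base_rid, s1, r2->secondary_base_rid, s2) ||
        intervals_overlap(r1->secondary_base_rid, s1, r2->base_rid, s2))
        return RID_OVERLAP;
    return NO_OVERLAP;
}

/* Constructed sample ranges; the SIDs are made-up placeholders. */
static const struct range_info sample[] = {
    {"local_a",   NULL,             10000,       1000, 1000, 100000},
    {"local_b",   NULL,             20000,       1000, 1500, 200000},
    {"trusted_a", "S-1-5-21-1-2-3", 30000,       1000, 1000, 0},
    {"trusted_b", "s-1-5-21-1-2-3", 40000,       1000, 1999, 0},
    {"local_c",   NULL,             10999,       10,   5000, 300000},
    {"high",      NULL,             4294967000u, 1000, 0,    0},
    {"low",       NULL,             100,         1000, 0,    0},
};

int main(void)
{
    /* local_a and local_b are both local and their primary RIDs intersect. */
    return ranges_overlap(&sample[0], &sample[1]) == RID_OVERLAP ? 0 : 1;
}
```

The "high"/"low" pair is the case where end points computed in 32 bits would wrap and report a collision that does not exist.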