Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings

2016-03-19 Thread Martin Basti



On 16.03.2016 13:32, Martin Basti wrote:



On 16.03.2016 13:32, Alexander Bokovoy wrote:

On Wed, 16 Mar 2016, Martin Basti wrote:



On 15.03.2016 16:40, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5737

Patch attached.



Self NACK,

Fix should be just a one-liner. I found out that domains are stored 
hierarchically so extra finding of parent zones is needed.

you meant 'not needed', I'd guess.


Yes, I meant that, sorry :)



Updated patch attached.
From 74c55e5048af4b582469b1668a9dd592f868cf4b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 16 Mar 2016 13:41:51 +0100
Subject: [PATCH] Fix broken trust warnings

Warning should be shown only for parent entries of a trust domain. Subdomains
do not contain SIDs at all.

https://fedorahosted.org/freeipa/ticket/5737
---
 ipalib/plugins/trust.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index ba0c98e2f3711924dace395b7becf2977ca8e35c..7d815fd6118586a4a75a1eeff7457103fe4c331c 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -597,7 +597,9 @@ class trust(LDAPObject):
 
 try:
 entries, truncated = ldap.find_entries(
-base_dn=DN(self.container_dn, self.api.env.basedn),
+base_dn=DN(self.api.env.container_adtrusts,
+   self.api.env.basedn),
+scope=ldap.SCOPE_ONELEVEL,
 attrs_list=['cn'],
 filter='(&(ipaNTTrustPartner=*)'
'(!(ipaNTSecurityIdentifier=*)))',
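Review bot: the narrowed search relies on two facts that neither the code nor the commit message states: that subdomain entries sit one level below their parent trust entry under container_adtrusts, so SCOPE_ONELEVEL excludes them, and that those entries never carry ipaNTSecurityIdentifier, so the `'(!(ipaNTSecurityIdentifier=*)))'` clause would otherwise flag every subdomain as a broken trust. A one-line comment above `ldap.find_entries(` such as `# subdomain entries are children of the parent trust entry and have no SID` would keep a later change from widening the scope back to subtree, and the commit message should say that subdomain entries do not contain the ipaNTSecurityIdentifier attribute rather than "SIDs", as the ACK asks. The same search in update_sids (ipaserver/install/plugins/adtrust.py) already uses scope=ldap.SCOPE_ONELEVEL, so the two call sites now agree; worth a sentence in the commit message as well.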
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
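The layout described in this thread (subdomain entries stored under their parent trust entry, with no ipaNTSecurityIdentifier) is what makes the one-level search sufficient. The following is an added example, not FreeIPA code: it models a small cn=ad,cn=trusts subtree with constructed entries and a minimal in-memory find_entries, and shows that a subtree search with the patch's filter produces false warnings for subdomains while a one-level search warns only about the parent entry whose SID is genuinely missing. The base DN, entry names and SID value are assumptions for illustration; is_subdomain shows the label-boundary check that the first patch version's plain suffix comparison lacked.

```python
"""Added example (not FreeIPA code): why SCOPE_ONELEVEL is enough for the
broken-trust warning.  The DN layout and attribute names follow the patch;
the base DN, entry names and SID value below are constructed."""

from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, List[str]]

# Assumed base DN (container_adtrusts under the IPA base DN).
BASE_DN = "cn=ad,cn=trusts,dc=ipa,dc=test"

# Constructed directory content: subdomain entries sit one level below
# their parent trust entry and carry no ipaNTSecurityIdentifier.
DIRECTORY: Dict[str, Attrs] = {
    "cn=ad.test," + BASE_DN: {
        "cn": ["ad.test"],
        "ipaNTTrustPartner": ["ad.test"],
        "ipaNTSecurityIdentifier": ["S-1-5-21-1111-2222-3333"],
    },
    "cn=child.ad.test,cn=ad.test," + BASE_DN: {
        "cn": ["child.ad.test"],
        "ipaNTTrustPartner": ["child.ad.test"],
    },
    "cn=broken.test," + BASE_DN: {
        "cn": ["broken.test"],
        "ipaNTTrustPartner": ["broken.test"],
        # parent entry without a SID: this trust really is broken
    },
    "cn=sub.broken.test,cn=broken.test," + BASE_DN: {
        "cn": ["sub.broken.test"],
        "ipaNTTrustPartner": ["sub.broken.test"],
    },
}

SCOPE_ONELEVEL = "onelevel"
SCOPE_SUBTREE = "subtree"


def rdn_depth(dn: str, base_dn: str) -> int:
    """Number of RDNs between dn and base_dn (1 = direct child).
    Naive comma split; the constructed DNs contain no escaped commas."""
    if not dn.endswith("," + base_dn):
        raise ValueError("%s is not below %s" % (dn, base_dn))
    relative = dn[: -(len(base_dn) + 1)]
    return relative.count(",") + 1


def find_entries(base_dn: str, scope: str,
                 match: Callable[[Attrs], bool]) -> List[Tuple[str, Attrs]]:
    """Minimal stand-in for ldap.find_entries over the in-memory DIRECTORY."""
    found = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base_dn):
            continue
        if scope == SCOPE_ONELEVEL and rdn_depth(dn, base_dn) != 1:
            continue
        if match(attrs):
            found.append((dn, attrs))
    return found


def trust_without_sid(attrs: Attrs) -> bool:
    """Same condition as the patch's filter
    (&(ipaNTTrustPartner=*)(!(ipaNTSecurityIdentifier=*)))."""
    return "ipaNTTrustPartner" in attrs and "ipaNTSecurityIdentifier" not in attrs


def broken_trust_warnings(scope: str) -> List[str]:
    """Domains the warning would name for the given search scope."""
    entries = find_entries(BASE_DN, scope, trust_without_sid)
    return sorted(attrs["cn"][0] for _, attrs in entries)


def is_subdomain(domain: str, parent: str) -> bool:
    """Label-boundary, case-insensitive check.  The first patch version used
    plain str.endswith, which treats 'myad.test' as a child of 'ad.test'."""
    return domain.lower().endswith("." + parent.lower())


if __name__ == "__main__":
    print("subtree :", broken_trust_warnings(SCOPE_SUBTREE))
    print("onelevel:", broken_trust_warnings(SCOPE_ONELEVEL))
    print("myad.test under ad.test?", is_subdomain("myad.test", "ad.test"))
```

Run stand-alone it prints the three subdomain-or-broken names for the subtree search and only broken.test for the one-level search; the last line shows why a parent-detection loop built on bare str.endswith would have needed the '.' boundary that is_subdomain adds.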

Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings

2016-03-19 Thread Martin Basti



On 16.03.2016 13:32, Alexander Bokovoy wrote:

On Wed, 16 Mar 2016, Martin Basti wrote:



On 15.03.2016 16:40, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5737

Patch attached.



Self NACK,

Fix should be just a one-liner. I found out that domains are stored 
hierarchically so extra finding of parent zones is needed.

you meant 'not needed', I'd guess.


Yes, I meant that, sorry :)



Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings

2016-03-19 Thread Alexander Bokovoy

On Wed, 16 Mar 2016, Martin Basti wrote:



On 16.03.2016 13:32, Martin Basti wrote:



On 16.03.2016 13:32, Alexander Bokovoy wrote:

On Wed, 16 Mar 2016, Martin Basti wrote:



On 15.03.2016 16:40, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5737

Patch attached.



Self NACK,

Fix should be just a one-liner. I found out that domains are stored 
hierarchically so extra finding of parent zones is needed.

you meant 'not needed', I'd guess.


Yes, I meant that, sorry :)



Updated patch attached.



From 74c55e5048af4b582469b1668a9dd592f868cf4b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 16 Mar 2016 13:41:51 +0100
Subject: [PATCH] Fix broken trust warnings

Warning should be shown only for parent entries of a trust domain. Subdomains
do not contain SIDs at all.

https://fedorahosted.org/freeipa/ticket/5737
---
ipalib/plugins/trust.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index ba0c98e2f3711924dace395b7becf2977ca8e35c..7d815fd6118586a4a75a1eeff7457103fe4c331c 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -597,7 +597,9 @@ class trust(LDAPObject):

try:
entries, truncated = ldap.find_entries(
-base_dn=DN(self.container_dn, self.api.env.basedn),
+base_dn=DN(self.api.env.container_adtrusts,
+   self.api.env.basedn),
+scope=ldap.SCOPE_ONELEVEL,
attrs_list=['cn'],
filter='(&(ipaNTTrustPartner=*)'
   '(!(ipaNTSecurityIdentifier=*)))',


ACK if you change the commit message to say that subdomains do not
contain ipaNTSecurityIdentifier attribute.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings

2016-03-19 Thread Alexander Bokovoy

On Wed, 16 Mar 2016, Martin Basti wrote:



On 15.03.2016 16:40, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5737

Patch attached.



Self NACK,

Fix should be just a one-liner. I found out that domains are stored 
hierarchically so extra finding of parent zones is needed.

you meant 'not needed', I'd guess.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings

2016-03-18 Thread Martin Basti



On 15.03.2016 16:40, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5737

Patch attached.



Self NACK,

Fix should be just a one-liner. I found out that domains are stored 
hierarchically so extra finding of parent zones is needed.

[Freeipa-devel] [PATCH 0440] Fix broken trust warnings

2016-03-15 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5737

Patch attached.
From 952a43a2ef272a61916125040852bc6f5b5de079 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 15 Mar 2016 16:18:57 +0100
Subject: [PATCH] Fix broken trust warnings

Warning should be shown only for parent entries of a trust domain. Subdomains
do not contain SIDs at all.

https://fedorahosted.org/freeipa/ticket/5737
---
 ipalib/plugins/trust.py  | 25 +++--
 ipaserver/install/plugins/adtrust.py | 17 +++--
 2 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index ba0c98e2f3711924dace395b7becf2977ca8e35c..148f1cd03d937f24e039e15bc009f9e941ec4ea9 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -594,23 +594,36 @@ class trust(LDAPObject):
 AD trust domain without generated SID, warn user about it.
 """
 ldap = self.api.Backend.ldap2
-
+sid_attr_name = 'ipaNTSecurityIdentifier'
 try:
 entries, truncated = ldap.find_entries(
 base_dn=DN(self.container_dn, self.api.env.basedn),
-attrs_list=['cn'],
-filter='(&(ipaNTTrustPartner=*)'
-   '(!(ipaNTSecurityIdentifier=*)))',
+attrs_list=['cn', sid_attr_name],
+filter='(ipaNTTrustPartner=*)',
 )
 except errors.NotFound:
 pass
 else:
+# print warning only for parent domain, subdomains do not contain
+# SIDs
+parent_domains = {}
 for entry in entries:
- add_message(
+domain = entry.single_value["cn"]
+parent_domains = {
+d: e for d, e in parent_domains.items()
+if not d.endswith(domain)
+}
+if not any(domain.endswith(d) for d in parent_domains.keys()):
+parent_domains[domain] = entry
+
+for domain, entry in parent_domains.items():
+if entry.get(sid_attr_name):
+continue
+add_message(
 options['version'],
 result,
 BrokenTrust(domain=entry.single_value['cn'])
- )
+)
 
 
 @register()
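Review bot: the parent-domain detection at `if not d.endswith(domain)` and `if not any(domain.endswith(d) for d in parent_domains.keys())` compares raw string suffixes, so an unrelated trust whose name merely ends with another trust's name (a trust to myad.test next to a trust to ad.test) is classified as a subdomain and silently dropped from the warning list; if this grouping were kept it would need a label boundary, e.g. `domain.lower().endswith('.' + d.lower())`, since DNS names are also case-insensitive while str.endswith is not. As the self-NACK says, the grouping is unnecessary when subdomain entries are stored beneath their parent entry: a one-level search keeps the original server-side `(!(ipaNTSecurityIdentifier=*))` filter and avoids this loop entirely. Minor: the final loop already binds `domain`, so `BrokenTrust(domain=entry.single_value['cn'])` can use it directly.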
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index ce58d7f171bd448dc767f92bbc32346a14f5b2ea..3c68b13c7809cb48ff27bd1d557da23e77d6df9d 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -291,10 +291,10 @@ class update_sids(Updater):
 trust_domain_entries, truncated = ldap.find_entries(
 base_dn=base_dn,
 scope=ldap.SCOPE_ONELEVEL,
-attrs_list=["cn"],
+attrs_list=["cn", attr_name],
 # more types of trusts can be stored under cn=trusts, we need
 # the type with ipaNTTrustPartner attribute
-filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name
+filter="(ipaNTTrustPartner=*)"
 )
 except errors.NotFound:
 pass
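Review bot: dropping the `(!(%s=*))` clause makes the server return every trust entry, including those that already have the SID attribute, only for the Python loop that follows to skip them again; since this search already runs with `scope=ldap.SCOPE_ONELEVEL`, subdomain entries nested under a parent entry were never returned here, so the original `filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name` can stay and this updater needs no change (the conclusion the self-NACK reaches). If the filter is widened anyway, `attrs_list` must include attr_name, which this hunk does add.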
@@ -302,8 +302,21 @@ class update_sids(Updater):
 if truncated:
 self.log.warning("update_sids: Search results were truncated")
 
+# print warning only for parent domain, subdomains do not contain
+# SIDs
+parent_domains = {}
 for entry in trust_domain_entries:
 domain = entry.single_value["cn"]
+parent_domains = {
+d: e for d, e in parent_domains.items()
+if not d.endswith(domain)
+}
+if not any(domain.endswith(d) for d in parent_domains.keys()):
+parent_domains[domain] = entry
+
+for domain, entry in parent_domains.items():
+if entry.get(attr_name):
+continue
 self.log.error(
 "Your trust to %s is broken. Please re-create it by "
 "running 'ipa trust-add' again.", domain)
-- 
2.5.0
