Re: [Freeipa-devel] [PATCH 0076] Use AD LDAP probing to create trusted domain ID range
On Tue, 23 Jul 2013, Tomas Babej wrote: This improved revision creates ranges of sizes that are multiples of default range size (20). ACK, works fine. Pushed to master. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0076] Use AD LDAP probing to create trusted domain ID range
This improved revision creates ranges of sizes that are multiples of default range size (20). Tomas -- / Alexander Bokovoy From 629428d12fcfafdf2695dad2b2861980a18cceb4 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 17 Jul 2013 15:55:36 +0200 Subject: [PATCH] Use AD LDAP probing to create trusted domain ID range When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters. For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD https://fedorahosted.org/freeipa/ticket/3649 --- API.txt | 2 +- VERSION | 2 +- ipalib/plugins/trust.py | 111 +++--- ipaserver/dcerpc.py | 164 +- ipaserver/install/installutils.py | 7 +- 5 files changed, 232 insertions(+), 54 deletions(-) diff --git a/API.txt b/API.txt index 44b3dd444964c8dac595177f8601c82d0235eabe..2773f3d5c88ffa05ab7587dd9f0df97b350e45ca 100644 --- a/API.txt +++ b/API.txt @@ -3283,7 +3283,7 @@ arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=T option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Int('base_id?', cli_name='base_id') -option: Int('range_size?', autofill=True, cli_name='range_size', default=20) +option: Int('range_size?', cli_name='range_size') option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust')) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('realm_admin?', cli_name='admin') diff --git a/VERSION b/VERSION index 8606d724e6c8c785ba9d554ed3effa905573e25f..8a36c6304d7cfe0452eae5dbdc7a5d2951ab 100644 --- a/VERSION +++ b/VERSION @@ -89,4 +89,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=61 +IPA_API_VERSION_MINOR=62 
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 965ff76bb7968a8d2784e67478eb824dc3f0621b..b19a27ecabb62abdfbc3c7927a8f78e83ad6821d 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -20,9 +20,13 @@ from ipalib.plugins.baseldap import *
from ipalib.plugins.dns import dns_container_exists
+from ipapython.ipautil import realm_to_suffix
from ipalib import api, Str, StrEnum, Password, _, ngettext
from ipalib import Command
from ipalib import errors
+from ldap import SCOPE_SUBTREE
+from time import sleep
+
try:
import pysss_murmur #pylint: disable=F0401
_murmur_installed = True
@@ -292,8 +296,6 @@ sides.
Int('range_size?',
cli_name='range_size',
label=_('Size of the ID range reserved for the trusted domain'),
-default=DEFAULT_RANGE_SIZE,
-autofill=True
),
StrEnum('range_type?',
label=_('Range type'),
@@ -313,7 +315,7 @@ sides.
result = self.execute_ad(full_join, *keys, **options)
if not old_range:
-self.add_range(range_name, dom_sid, **options)
+self.add_range(range_name, dom_sid, *keys, **options)
trust_filter = "cn=%s" % result['value']
ldap = self.obj.backend
@@ -418,9 +420,7 @@ sides.
'Only the ipa-ad-trust and ipa-ad-trust-posix are '
'allowed values for --range-type when adding an AD '
'trust.'
-)
-
-)
+))
base_id = options.get('base_id')
range_size = options.get('range_size') != DEFAULT_RANGE_SIZE
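Review bot: The two new non-project imports in the hunk at line 20, `from ldap import SCOPE_SUBTREE` and `from time import sleep`, are appended below the `ipalib` imports, which splits the file's import groups; placing them above the `from ipalib ...` block, next to the other standard-library and third-party imports, keeps the grouping readable and makes the new dependency on python-ldap visible at the top of the plugin. `from time import sleep` also suggests that the AD probing added to add_range waits between retried searches inside the request handler (that loop is outside this hunk); if so, the retry count and delay are better expressed as named module constants with a short comment on why the first searches are expected to fail than as literals in the loop.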
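Review bot: With `default=DEFAULT_RANGE_SIZE` and `autofill=True` dropped from the `range_size` option in the hunk at line 292, the unchanged context line that closes the hunk at line 418, `range_size = options.get('range_size') != DEFAULT_RANGE_SIZE`, is now true whenever the option is omitted, because `options.get('range_size')` yields `None` and `None != DEFAULT_RANGE_SIZE` holds, so the flag no longer means that the caller chose a non-default size. If that flag is combined with `base_id` in the "range already exists" validation that presumably follows (that code and the rest of the enclosing method are outside the hunk), a plain trust-add for a domain that already has an ID range would be refused. Change the line to `range_size = options.get('range_size') is not None`, and note in the option's doc that omitting it lets the AD probe choose the size. The same pair of hunks appears in the other two revisions of the patch on this page.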
@@ -468,9 +468,96 @@ sides.
return old_range, range_name, dom_sid
-def add_range(self, range_name, dom_sid, **options):
-base_id = options.get('base_id')
-if not base_id:
+def add_range(self, range_name, dom_sid, *keys, **options):
+"""
+First, we try to derive the parameters of the ID range based on the
+information contained in the Active Directory.
+
+If that was not successful, we go for our usual defaults (random base,
+range size 200 000, ipa-ad-trust range type).
+
+Any of these can be overriden by passing appropriate CLI options
+to the trust-add command.
+"""
+
+range_size = None
+range_type = None
+base_id = None
+
+# First, get information about ID space from AD
+# However, we skip this step if other than ipa-ad-trust-posix
+# range type is enforced
+
+if options.get('range_type', None) in (None, u'ipa-ad-trust-posix'):
+
+# Get the base dn
+domain = keys[-1]
+basedn = realm_to_suffix(domain)
+
+# Search
Re: [Freeipa-devel] [PATCH 0076] Use AD LDAP probing to create trusted domain ID range
On Mon, 22 Jul 2013, Tomas Babej wrote: - Original Message - From: "Alexander Bokovoy" To: "Tomas Babej" Cc: freeipa-devel@redhat.com Sent: Friday, July 19, 2013 6:18:50 PM Subject: Re: [Freeipa-devel] [PATCH 0076] Use AD LDAP probing to create trusted domain ID range On Fri, 19 Jul 2013, Tomas Babej wrote: On Friday 19 of July 2013 12:32:04 Tomas Babej wrote: Hi, I still need to test this with AD 2008. Sending so that code can get some review before that. https://fedorahosted.org/freeipa/ticket/3649 Tomas This version fixes a few small build nitpicks. ACK, works fine for me. It requires my patches 0109-0110. Yes. This revision also respects enforcement of ipa-ad-trust range type despite the fact that AD has UNIX support configured. Also suppressed the warning messages from AD searches in search_in_dc method when probing for the range information, since the first one or two queries usually fail (expected) and leave warning messages in the log. ACK again. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0076] Use AD LDAP probing to create trusted domain ID range
- Original Message - From: "Alexander Bokovoy" To: "Tomas Babej" Cc: freeipa-devel@redhat.com Sent: Friday, July 19, 2013 6:18:50 PM Subject: Re: [Freeipa-devel] [PATCH 0076] Use AD LDAP probing to create trusted domain ID range On Fri, 19 Jul 2013, Tomas Babej wrote: >On Friday 19 of July 2013 12:32:04 Tomas Babej wrote: >> Hi, >> >> I still need to test this with AD 2008. Sending so that code can get some >> review before that. >> >> https://fedorahosted.org/freeipa/ticket/3649 >> >> Tomas > >This version fixes few small build nitpicks. ACK, works fine for me. It requires my patches 0109-0110. Yes. This revision also respects enforcement of ipa-ad-trust range type despite the fact that AD has UNIX support configured. Also surpressed the warning messages from AD searches in search_in_dc method when probing for the range information, since first one-two queries usually fail (expected) and leave warning messages in the log. Tomas -- / Alexander Bokovoy From aa9530cbe5cd95eb276d5f62be21720d54e1f8a8 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 17 Jul 2013 15:55:36 +0200 Subject: [PATCH] Use AD LDAP probing to create trusted domain ID range When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters. For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD https://fedorahosted.org/freeipa/ticket/3649 --- API.txt | 2 +- VERSION | 2 +- ipalib/plugins/trust.py | 110 ++--- ipaserver/dcerpc.py | 164 +- ipaserver/install/installutils.py | 7 +- 5 files changed, 231 insertions(+), 54 deletions(-) diff --git a/API.txt b/API.txt index 44b3dd444964c8dac595177f8601c82d0235eabe..2773f3d5c88ffa05ab7587dd9f0df97b350e45ca 100644 --- a/API.txt +++ b/API.txt 
@@ -3283,7 +3283,7 @@ arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=T
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Int('base_id?', cli_name='base_id')
-option: Int('range_size?', autofill=True, cli_name='range_size', default=20)
+option: Int('range_size?', cli_name='range_size')
option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust'))
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('realm_admin?', cli_name='admin')
diff --git a/VERSION b/VERSION
index 8606d724e6c8c785ba9d554ed3effa905573e25f..8a36c6304d7cfe0452eae5dbdc7a5d2951ab 100644
--- a/VERSION
+++ b/VERSION
@@ -89,4 +89,4 @@ IPA_DATA_VERSION=2010061412
# #
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=61
+IPA_API_VERSION_MINOR=62
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 965ff76bb7968a8d2784e67478eb824dc3f0621b..3da1aa1a7ef63727d631d64214aaf7aaf67136f0 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -20,9 +20,13 @@ from ipalib.plugins.baseldap import *
from ipalib.plugins.dns import dns_container_exists
+from ipapython.ipautil import realm_to_suffix
from ipalib import api, Str, StrEnum, Password, _, ngettext
from ipalib import Command
from ipalib import errors
+from ldap import SCOPE_SUBTREE
+from time import sleep
+
try:
import pysss_murmur #pylint: disable=F0401
_murmur_installed = True
@@ -292,8 +296,6 @@ sides.
Int('range_size?',
cli_name='range_size',
label=_('Size of the ID range reserved for the trusted domain'),
-default=DEFAULT_RANGE_SIZE,
-autofill=True
),
StrEnum('range_type?',
label=_('Range type'),
@@ -313,7 +315,7 @@ sides.
result = self.execute_ad(full_join, *keys, **options)
if not old_range:
-self.add_range(range_name, dom_sid, **options)
+self.add_range(range_name, dom_sid, *keys, **options)
trust_filter = "cn=%s" % result['value']
ldap = self.obj.backend
@@ -418,9 +420,7 @@ sides.
'Only the ipa-ad-trust and ipa-ad-trust-posix are '
'allowed values for --range-type when adding an AD '
'trust.'
-)
-
Re: [Freeipa-devel] [PATCH 0076] Use AD LDAP probing to create trusted domain ID range
On Fri, 19 Jul 2013, Tomas Babej wrote: On Friday 19 of July 2013 12:32:04 Tomas Babej wrote: Hi, I still need to test this with AD 2008. Sending so that code can get some review before that. https://fedorahosted.org/freeipa/ticket/3649 Tomas This version fixes a few small build nitpicks. ACK, works fine for me. It requires my patches 0109-0110. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0076] Use AD LDAP probing to create trusted domain ID range
On Friday 19 of July 2013 12:32:04 Tomas Babej wrote: > Hi, > > I still need to test this with AD 2008. Sending so that code can get some > review before that. > > https://fedorahosted.org/freeipa/ticket/3649 > > Tomas This version fixes few small build nitpicks. Tomas>From c7dbbf5523176b713fd651c6c817c46806afbfc2 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 17 Jul 2013 15:55:36 +0200 Subject: [PATCH] Use AD LDAP probing to create trusted domain ID range When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters. For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD https://fedorahosted.org/freeipa/ticket/3649 --- API.txt | 2 +- VERSION | 2 +- ipalib/plugins/trust.py | 105 +--- ipaserver/dcerpc.py | 163 +- ipaserver/install/installutils.py | 7 +- 5 files changed, 225 insertions(+), 54 deletions(-) diff --git a/API.txt b/API.txt index 44b3dd444964c8dac595177f8601c82d0235eabe..2773f3d5c88ffa05ab7587dd9f0df97b350e45ca 100644 --- a/API.txt +++ b/API.txt @@ -3283,7 +3283,7 @@ arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=T option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Int('base_id?', cli_name='base_id') -option: Int('range_size?', autofill=True, cli_name='range_size', default=20) +option: Int('range_size?', cli_name='range_size') option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust')) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('realm_admin?', cli_name='admin') diff --git a/VERSION b/VERSION index 8606d724e6c8c785ba9d554ed3effa905573e25f..8a36c6304d7cfe0452eae5dbdc7a5d2951ab 100644 --- a/VERSION +++ b/VERSION 
@@ -89,4 +89,4 @@ IPA_DATA_VERSION=2010061412
# #
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=61
+IPA_API_VERSION_MINOR=62
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 965ff76bb7968a8d2784e67478eb824dc3f0621b..40432c6074bb19e1a31c21e7e32d5b85c12d7210 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -20,9 +20,13 @@ from ipalib.plugins.baseldap import *
from ipalib.plugins.dns import dns_container_exists
+from ipapython.ipautil import realm_to_suffix
from ipalib import api, Str, StrEnum, Password, _, ngettext
from ipalib import Command
from ipalib import errors
+from ldap import SCOPE_SUBTREE
+from time import sleep
+
try:
import pysss_murmur #pylint: disable=F0401
_murmur_installed = True
@@ -292,8 +296,6 @@ sides.
Int('range_size?',
cli_name='range_size',
label=_('Size of the ID range reserved for the trusted domain'),
-default=DEFAULT_RANGE_SIZE,
-autofill=True
),
StrEnum('range_type?',
label=_('Range type'),
@@ -313,7 +315,7 @@ sides.
result = self.execute_ad(full_join, *keys, **options)
if not old_range:
-self.add_range(range_name, dom_sid, **options)
+self.add_range(range_name, dom_sid, *keys, **options)
trust_filter = "cn=%s" % result['value']
ldap = self.obj.backend
@@ -418,9 +420,7 @@ sides.
'Only the ipa-ad-trust and ipa-ad-trust-posix are '
'allowed values for --range-type when adding an AD '
'trust.'
-)
-
-)
+))
base_id = options.get('base_id')
range_size = options.get('range_size') != DEFAULT_RANGE_SIZE
@@ -468,9 +468,90 @@ sides.
return old_range, range_name, dom_sid
-def add_range(self, range_name, dom_sid, **options):
-base_id = options.get('base_id')
-if not base_id:
+def add_range(self, range_name, dom_sid, *keys, **options):
+"""
+First, we try to derive the parameters of the ID range based on the
+information contained in the Active Directory.
+
+If that was not successful, we go for our usual defaults (random base,
+range size 200 000, ipa-ad-trust range type).
+
+Any of these can be overriden by passing appropriate CLI options
+to the trust-add command.
+"""
+
+range_size = None
+range_type = None
+base_id = None
+
+# First, get information about ID space from AD
+
+# Get the base dn
+domain = keys[-1]
+basedn = realm_to_suffix(domain)
+
+# Search for information contained in
+# CN=ypservers,CN=y