[Freeipa-devel] [PATCH] ipa-adtrust-install: create fallback group with ldif file
Simo Sorce
simo at redhat.com
Mon Oct 8 13:11:59 UTC 2012
On Mon, 2012-10-08 at 13:29 +0200, Sumit Bose wrote:
> Hi,
>
> this patch fixes https://fedorahosted.org/freeipa/ticket/3147 by
> adding
> the default fallback group with an LDIF file instead of using the
> framework.
>
> bye,
> Sumit
>
>
>
>
>
>
>
> plain text
> document
> attachment
> (freeipa-sbose-0085-ipa-adtrust-install-create-fallback-group-with-ldif-.patch)
>
> From 2cd6a4e0f93c34df60a221ea7e96a5c2735ece4d Mon Sep 17 00:00:00 2001
> From: Sumit Bose <sbose at redhat.com>
> Date: Mon, 8 Oct 2012 10:44:07 +0200
> Subject: [PATCH] ipa-adtrust-install: create fallback group with ldif
> file
>
> Currently the framework is used to add the group but we want to avoid
> that users are added explicitly to the group by removing the
> objectclasses groupofnames, ipausergroup and nestedgroup and we want
> to
> use a name with spaces in it. Neither is easily possible with the
> framework, so an LDIF file is used instead to create the group.
>
> Fixes https://fedorahosted.org/freeipa/ticket/3147
> ---
> install/share/Makefile.am | 1 +
> install/share/default-smb-group.ldif | 8 +++++++
> ipaserver/install/adtrustinstance.py | 41
> ++++++++++--------------------------
> 3 Dateien geändert, 20 Zeilen hinzugefügt(+), 30 Zeilen entfernt(-)
> create mode 100644 install/share/default-smb-group.ldif
>
> diff --git a/install/share/Makefile.am b/install/share/Makefile.am
> index
> 03fef9a66f2f4c64e5685d4947c6f9139ac69ad0..23cd766a5a82ca514ffff9ebad82e0ee7db9ae77 100644
> --- a/install/share/Makefile.am
> +++ b/install/share/Makefile.am
> @@ -16,6 +16,7 @@ app_DATA = \
> caJarSigningCert.cfg.template \
> default-aci.ldif \
> default-hbac.ldif \
> + default-smb-group.ldif \
> delegation.ldif \
> replica-acis.ldif \
> ds-nfiles.ldif \
> diff --git a/install/share/default-smb-group.ldif
> b/install/share/default-smb-group.ldif
> new file mode 100644
> index
> 0000000000000000000000000000000000000000..8d89f67cc7d8be66375c9accb038b3c20a4d4be4
> --- /dev/null
> +++ b/install/share/default-smb-group.ldif
> @@ -0,0 +1,8 @@
> +dn: cn=Default SMB Group,cn=groups,cn=accounts,$SUFFIX
> +changetype: add
> +cn: Default SMB Group
> +description: Fallback group for primary group RID, do not add user to
> this group
Please change user -> users
> +gidnumber: 999
> +objectclass: top
> +objectclass: ipaobject
> +objectclass: posixgroup
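Review bot: Dropping `groupofnames`/`nestedgroup` removes `member`-based membership, but the remaining `posixgroup` objectclass still allows `memberUid`, so the "do not add users" intent in the description is a request rather than something the schema enforces; if it must be enforced, an ACI or attribute restriction on this entry would be needed, and the description could say which attributes are deliberately absent. The fixed `gidnumber: 999` is written with `changetype: add`, which only fails on a duplicate DN, not on another group already holding GID 999, unless a gidNumber uniqueness plugin is configured (not visible here); a comment in the LDIF such as `# GID 999 is reserved for the SMB fallback group` would at least document the reservation.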
> diff --git a/ipaserver/install/adtrustinstance.py
> b/ipaserver/install/adtrustinstance.py
> index
> 3f3924eb3ce9f56ac66407347645c40f96eb6430..41030223d1f644ba6a6557ac90d8f518fcba9c29 100644
> --- a/ipaserver/install/adtrustinstance.py
> +++ b/ipaserver/install/adtrustinstance.py
> @@ -22,7 +22,6 @@ import errno
> import ldap
> import tempfile
> import uuid
> -import krbV
> from ipaserver import ipaldap
> from ipaserver.install import installutils
> from ipaserver.install import service
> @@ -101,7 +100,7 @@ class ADTRUSTInstance(service.Service):
> OBJC_USER = "ipaNTUserAttrs"
> OBJC_GROUP = "ipaNTGroupAttrs"
> OBJC_DOMAIN = "ipaNTDomainAttrs"
> - FALLBACK_GROUP_NAME = u'Default_SMB_Group'
> + FALLBACK_GROUP_NAME = u'Default SMB Group'
>
> def __init__(self, fstore=None):
> self.fqdn = None
> @@ -211,25 +210,6 @@ class ADTRUSTInstance(service.Service):
> """
>
> self.ldap_connect()
> - try:
> - ctx = krbV.default_context()
> - ccache = ctx.default_ccache()
> - except krbV.Krb5Error, e:
> - self.print_msg("Must have Kerberos credentials to setup "
> \
> - "AD trusts on server")
> - return
> -
> - try:
> - api.Backend.ldap2.disconnect()
> - api.Backend.ldap2.connect(ccache.name)
> - except errors.ACIError, e:
> - self.print_msg("Outdated Kerberos credentials. " \
> - "Use kdestroy and kinit to update your
> ticket")
> - return
> - except errors.DatabaseError, e:
> - self.print_msg("Cannot connect to the LDAP database. " \
> - "Please check if IPA is running")
> - return
>
> try:
> dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
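Review bot: The removed block was the only place in this method that verified Kerberos credentials and re-connected `api.Backend.ldap2` with the caller's ccache; the group creation now goes through `_ldap_mod` on `admin_conn`, so that connection is no longer needed for it, but if anything later in this method (its body continues past the hunk) still issues `api.Command` calls, they would now run without the connection that was established here. Worth confirming there are no remaining framework calls on this path, and a short comment such as `# All directory changes below go through admin_conn; no framework connection is required` would record why the credential check was dropped.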
> @@ -248,20 +228,21 @@ class ADTRUSTInstance(service.Service):
> self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
> except errors.NotFound:
> try:
> - fallback =
> api.Command['group_add'](self.FALLBACK_GROUP_NAME,
> - description= u'Fallback
> group for ' \
> - 'primary
> group RID, ' \
> - 'do not add
> user to ' \
> - 'this
> group',
> - nonposix=False)
> - fb_group_dn = fallback['result']['dn']
> + self._ldap_mod('default-smb-group.ldif',
> self.sub_dict)
> except Exception, e:
> self.print_msg("Failed to add fallback group.")
> raise e
>
> + # _ldap_mod does not return useful error codes, so we must
> check again
> + # if the fallback group was created properly.
> try:
> - mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP,
> - fallback['result']['dn'])]
> + self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
> + except errors.NotFound:
> + self.print_msg("Failed to add fallback group.")
> + return
This exception block looks like it is at the wrong indentation (8 vs 4)?
> +
> + try:
> + mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP,
> fb_group_dn)]
> self.admin_conn.modify_s(self.smb_dom_dn, mod)
> except:
> self.print_msg("Failed to add fallback group to domain
> object")
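Review bot: The re-check `self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)` depends on `fb_group_dn`, built before this hunk presumably from `FALLBACK_GROUP_NAME`, matching the DN hard-coded in default-smb-group.ldif; the group name now lives in two places and nothing in `self.sub_dict` ties them together, so renaming the constant would make the LDIF create one group while this check looks for another and reports "Failed to add fallback group.". Passing the name through the substitution dict, e.g. a constructed `$FALLBACK_GROUP_NAME` key used in the LDIF's `dn:` and `cn:` lines, keeps the two in step. The new failure path prints and `return`s, so the caller is not told that `smb_dom_dn` was left without `ATTR_FALLBACK_GROUP`; either raise here or add a comment like `# Returns with the domain object unmodified; caller cannot distinguish this from success`. The enclosing method starts and ends outside the hunk.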
Other than these minor issues, ack.
Simo.
--
Simo Sorce * Red Hat, Inc * New York