[Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 19 16:19:10 UTC 2012


Hi,

This patch adds validation of SID for trusted domain when adding or
modifying ID range for the domain. We only allow creating ranges for
trusted domains when the trust is already established -- the default
range is created automatically right after the trust is added.

https://fedorahosted.org/freeipa/ticket/3087
-- 
/ Alexander Bokovoy
-------------- next part --------------
>From c8859d449b65be67841c96c81f7f64f8c27b06b1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 19 Sep 2012 19:09:22 +0300
Subject: [PATCH] validate SID for trusted domain when adding/modifying ID
 range

https://fedorahosted.org/freeipa/ticket/3087
---
 ipalib/plugins/idrange.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
 from ipalib import util
 from ipapython.dn import DN
 
+if api.env.in_server and api.env.context in ['lite', 'server']:
+    try:
+        import ipaserver.dcerpc
+        _dcerpc_bindings_installed = True
+    except Exception, e:
+        _dcerpc_bindings_installed = False
 
 __doc__ = _("""
 ID ranges
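Review bot: `_dcerpc_bindings_installed` is bound only inside the `if api.env.in_server and api.env.context in [...]` branch, so in any other context `validate_trusted_domain_sid` would die with a NameError before its `if not _dcerpc_bindings_installed` guard can raise the intended NotFound. Binding the flag unconditionally first, `_dcerpc_bindings_installed = False` on the line above the `if`, keeps the guard meaningful wherever the module is imported. The `e` in `except Exception, e:` is unused, and narrowing to `except ImportError:` would stop an unrelated failure inside `ipaserver.dcerpc` from being silently reported as "bindings not installed". Whether `api` is already imported in this module is not visible from the hunk's context lines.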
@@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are used for users and
 groups.
 """)
 
+def validate_trusted_domain_sid(self, sid):
+    if not _dcerpc_bindings_installed:
+        raise errors.NotFound(name=_('ID Range setup'),
+              reason=_('''Cannot perform SID validation without Samba 4 support installed.
+                          Make sure you have installed server-trust-ad sub-package of IPA on the server'''))
+    domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+    if not domain_validator.is_configured():
+        raise errors.NotFound(name=_('ID Range setup'),
+              reason=_('''Cross-realm trusts are not configured..
+                          Make sure you have run ipa-adtrust-install on the IPA server first'''))
+    if not domain_validator.is_trusted_sid_valid(sid):
+        raise errors.ValidationError(name=_('ID Range setup'),
+              error=_('SID is not recognized as a valid SID from a trusted domain'))
+
+
 class idrange(LDAPObject):
     """
     Range object.
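Review bot: `validate_trusted_domain_sid` is a module-level function but names its first parameter `self`, which reads as a method; since the body only uses `self.api`, a name such as `cmd` (or passing `api` directly) would make the call sites in idrange_add and idrange_mod clearer. The user-facing string `'Cross-realm trusts are not configured..'` has a doubled period, and both triple-quoted messages embed the continuation line's leading whitespace into the translatable text; a single-line message such as `reason=_('Cross-realm trusts are not configured. Make sure you have run ipa-adtrust-install on the IPA server first')` avoids both. A short docstring would also help, stating that the function raises NotFound when the Samba bindings or trust configuration are missing and ValidationError when the SID is not from a trusted domain.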
@@ -287,6 +308,9 @@ class idrange_add(LDAPCreate):
                     error=_('Options dom_sid and rid_base must ' \
                             'be used together'))
 
+            # Validate SID as the one of trusted domains
+            validate_trusted_domain_sid(self, options['ipanttrusteddomainsid'])
+            # Finally, add trusted AD domain range object class
             entry_attrs['objectclass'].append('ipatrustedaddomainrange')
         else:
             if (('ipasecondarybaserid' in options) != ('ipabaserid' in options)):
@@ -366,6 +390,10 @@ class idrange_mod(LDAPUpdate):
         except errors.NotFound:
             self.obj.handle_not_found(*keys)
 
+        if 'ipanttrusteddomainsid' in options:
+            # Validate SID as the one of trusted domains
+            validate_trusted_domain_sid(self, options['ipanttrusteddomainsid'])
+
         old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
         old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
         new_base_id = entry_attrs.get('ipabaseid')
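Review bot: The membership test `'ipanttrusteddomainsid' in options` is true even when the option is present with a None value, in which case `is_trusted_sid_valid` is handed None; if the framework can pass the key that way when the attribute is being cleared (not visible from this hunk), `if options.get('ipanttrusteddomainsid'):` would restrict validation to an actual SID. The enclosing pre_callback begins outside the hunk, so whether an earlier check already excludes that case cannot be confirmed here.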
-- 
1.7.12


