[Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod
Alexander Bokovoy
abokovoy at redhat.com
Thu Feb 14 16:37:19 UTC 2013
On Thu, 14 Feb 2013, Tomas Babej wrote:
>>>>> + Str('ipanttrusteddomainname?',
>>>>> + cli_name='dom_name',
>>>>> + flags=('no_search', 'virtual_attribute'),
>>>>> + label=_('Name of the trusted domain'),
>>>>> + ),
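Review bot: the new parameter carries no doc and nothing in the hunk says how it relates to the existing dom_sid option, even though the two are alternatives (only one of them can be honoured, as the rest of this thread discusses); add a doc= line stating that the option is an alternative to the domain SID. Note also that cli_name='dom_name' is rendered by the CLI as --dom-name, so any error text produced for this parameter must use the hyphenated spelling rather than the internal name, and API.txt has to be regenerated for the new option.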
>>>> New option is added but API.txt wasn't changed. As a result, 'make rpms'
>>>> does not work.
>>>>
>>>> Could you please fix the patch and re-send it?
>>>>
>>> Sorry about that.
>>>
>>> Updated patch attached.
>> I have one small question regarding use of dom_sid/dom_name.
>>
>> If both dom_sid and dom_name were specified, failing to resolve dom_name
>> would force command to raise exception.
>>
>> I'm not sure this is right behavior. Probably we should detect that both
>> dom_sid and dom_name were specified and bail out earlier so that only
>> one of them is accepted. That would be clearer to users, wouldn't it?
> Sure, I definitely agree on that point. I added the check to idrange-add and
> idrange-mod. Also, the patch needed a rebase to apply on the current master.
I tried to play with various scenarios and one thing I noticed is
that we refer to dom_sid and dom_name in the error messages as they are
named internally. The CLI replaces underscore by hyphen (_ -> -) and therefore
this error message becomes wrong -- you cannot specify --dom_sid, this
option is unknown to the CLI.
In the Web UI this would also mean an error message pointing to a non-existing
option. Perhaps it would be reasonable to name the options '--name' and
'--sid'? We don't have any clash there:
-------------------------------------------------------------------------
# ipa idrange-mod --help
Usage: ipa [global-options] idrange-mod NAME [options]

Positional arguments:
  NAME                  Range name

Options:
  -h, --help            show this help message and exit
  --base-id=INT         First Posix ID of the range
  --range-size=INT      Number of IDs in the range
  --rid-base=INT        First RID of the corresponding RID range
  --secondary-rid-base=INT
                        First RID of the secondary RID range
  --dom-sid=STR         Domain SID of the trusted domain
  --dom-name=STR        Name of the trusted domain
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --delattr=STR         Delete an attribute/value pair. The option will be
                        evaluated last, after all sets and adds.
  --rights              Display the access rights of this entry (requires
                        --all). See ipa man page for details.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
-------------------------------------------------------------------------
So, if --name and --sid were used, an error message would become
----------------------------------------------------------------------
# ipa idrange-mod AD.LAN_id_range --dom-name foo.bar
ipa: ERROR: invalid 'ID Range setup': SID for the specified trusted
domain name could not be found. Please specify the SID directly using
--sid option.
----------------------------------------------------------------------
Additionally, there is an error when the SID for an object within the domain
is specified. The last RID of the SID represents an object within the domain
and we generally need to be careful about allowing it in the place where
the domain SID is specified:
# ipa idrange-mod AD.LAN_id_range --dom-sid S-1-5-21-3502988750-125904550-3683905862-1
-----------------------------------
Modified ID range "AD.LAN_id_range"
-----------------------------------
  Range name: AD.LAN_id_range
  First Posix ID of the range: 1442800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3502988750-125904550-3683905862-1
  Range type: Active Directory domain range
Now this range is completely unusable because there is no
way to match the domain SID against the range.
I think we need to make the check against established trusts more
strict and only allow an exact match.
--
/ Alexander Bokovoy
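The three review points above (mutual exclusion of the name and SID options, an error that names the CLI spelling of the alternative option, and an exact-match check against established trusts that rejects an object SID carrying a trailing RID) as one added example. This is illustration code written for this thread, not FreeIPA's idrange implementation: the TRUSTS table, ValidationError, resolve_domain_sid and validation_message are assumed names, the mapping of "ad.lan" to the SID taken from the sample output is constructed, and the option names follow the '--name'/'--sid' proposal made above.

```python
import re
from typing import Dict, Optional

# Constructed trust table for the example (assumption): lowercase trusted
# domain name -> domain SID. The SID value is the one from the thread's output.
TRUSTS: Dict[str, str] = {
    "ad.lan": "S-1-5-21-3502988750-125904550-3683905862",
}

# Textual SID: S-<revision>-<authority>-<subauth>[-<subauth>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


class ValidationError(ValueError):
    """Stand-in for the IPA validation error type (assumed name)."""


def resolve_domain_sid(dom_sid: Optional[str] = None,
                       dom_name: Optional[str] = None,
                       trusts: Dict[str, str] = TRUSTS) -> str:
    """Return the domain SID an ID range should carry.

    1. Exactly one of dom_sid / dom_name may be given; bail out early otherwise.
    2. A name that does not resolve is an error that points the user at the
       CLI spelling of the alternative option ('--sid'), not the internal name.
    3. A SID is accepted only if it equals a trusted domain SID exactly. An
       object SID (the domain SID plus a trailing RID) is rejected, because a
       range carrying it could never be matched against the trust later.
    """
    if dom_sid and dom_name:
        raise ValidationError("only one of --name and --sid may be specified")
    if not dom_sid and not dom_name:
        raise ValidationError("one of --name or --sid is required")

    if dom_name:
        sid = trusts.get(dom_name.lower())
        if sid is None:
            raise ValidationError(
                "SID for the specified trusted domain name could not be found. "
                "Please specify the SID directly using --sid option.")
        return sid

    if not SID_RE.match(dom_sid):
        raise ValidationError(f"malformed SID: {dom_sid!r}")
    if dom_sid in trusts.values():
        return dom_sid  # exact match with an established trust
    # Strip the last component: if what remains is a trusted domain SID, the
    # caller passed an object SID (user, group, ...) from inside that domain.
    if dom_sid.rsplit("-", 1)[0] in trusts.values():
        raise ValidationError(
            f"{dom_sid} is an object SID within a trusted domain, not the "
            "domain SID; drop the trailing RID")
    raise ValidationError(f"{dom_sid} does not match any established trust")


def validation_message(dom_sid: Optional[str] = None,
                       dom_name: Optional[str] = None,
                       trusts: Dict[str, str] = TRUSTS) -> Optional[str]:
    """Return the error text a user would see, or None when input is accepted."""
    try:
        resolve_domain_sid(dom_sid, dom_name, trusts)
    except ValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The two cases from the thread: unresolvable name, and an object SID.
    print(validation_message(dom_name="foo.bar"))
    print(validation_message(
        dom_sid="S-1-5-21-3502988750-125904550-3683905862-1"))
```

The trailing-RID test is deliberately a string comparison against the trust table rather than a parse of the SID structure: an exact match is the only thing the range needs, and anything that is not an exact match is rejected, so the check stays strict even for SID families other than S-1-5-21.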