[Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation
Alexander Bokovoy
abokovoy at redhat.com
Thu Jan 31 15:29:10 UTC 2013
On Thu, 31 Jan 2013, Martin Kosek wrote:
>When ipa-adtrust-install is run, check if there are any objects
>that need to have SID generated. If yes, interactively ask the user
>if the sidgen task should be run.
>
>https://fedorahosted.org/freeipa/ticket/3195
>From bd6512628d83d1f4bdfc9f414689c8a67bd01c7c Mon Sep 17 00:00:00 2001
>From: Martin Kosek <mkosek at redhat.com>
>Date: Thu, 31 Jan 2013 15:08:08 +0100
>Subject: [PATCH] ipa-adtrust-install should ask for SID generation
>
>When ipa-adtrust-install is run, check if there are any objects
>that need to have SID generated. If yes, interactively ask the user
>if the sidgen task should be run.
>
>https://fedorahosted.org/freeipa/ticket/3195
>---
> install/tools/ipa-adtrust-install | 42 +++++++++++++++++++++++++++++++++------
> 1 file changed, 36 insertions(+), 6 deletions(-)
>
>diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
>index 17f2f0e98d08863c9e48595d219bffb148490921..e127fd63e9a43b2630325d1fc3aa645f2ef8951a 100755
>--- a/install/tools/ipa-adtrust-install
>+++ b/install/tools/ipa-adtrust-install
>@@ -275,12 +275,6 @@ def main():
> ip_address = str(ip)
> root_logger.debug("will use ip_address: %s\n", ip_address)
>
>- if not options.unattended:
>- print ""
>- print "The following operations may take some minutes to complete."
>- print "Please wait until the prompt is returned."
>- print ""
>-
> admin_password = options.admin_password
> if not (options.unattended or admin_password):
> admin_password = read_admin_password(options.admin_name)
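Review bot: The "The following operations may take some minutes to complete." notice is deleted here, and nothing in the lines quoted in this message puts it back. If it is being moved so that it no longer precedes the interactive prompts, it should reappear after the new ipa-sidgen question and before the long-running steps start; otherwise interactive users lose the only hint that the installer has not hung.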
>@@ -320,6 +314,42 @@ def main():
> set_and_check_netbios_name(options.netbios_name,
> options.unattended)
>
>+ if not options.unattended and not options.add_sids:
>+ # The filter corresponds to ipa_sidgen_task.c LDAP search filter
>+ filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
>+ '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
>+ '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
>+ try:
>+ (entries, truncated) = api.Backend.ldap2.find_entries(filter=filter,
>+ base_dn=api.env.basedn, attrs_list=[''])
>+ except errors.NotFound:
>+ # All objects have SIDs assigned
>+ pass
>+ except (errors.DatabaseError, errors.NetworkError), e:
>+ print "Could not retrieve a list of entries that needs a SID generation:"
>+ print " %s" % e
>+ else:
>+ object_count = len(entries)
>+ if object_count > 0:
>+ print ""
>+ print "%d existing users or groups do not have a SID identifier assigned." \
>+ % len(entries)
>+ print "Installer can run a task to have ipa-sidgen Directory Server plugin generate"
>+ print "the SID identifier for all these users. Please note, the in case of a high"
>+ print "number of users and groups, the operation might lead to high replication"
>+ print "traffic and performance degradation. Refer to ipa-adtrust-install(1) man page"
>+ print "for details."
>+ print ""
>+ if ipautil.user_input("Do you want to run the ipa-sidgen task?", default=False,
>+ allow_empty=False):
>+ options.add_sids = True
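Review bot: The `truncated` value returned by `find_entries` is never checked, so when the search hits a size limit the count printed from `len(entries)` understates how many objects lack a SID, and the admin makes the replication-load decision on a wrong number. Either report the count as a lower bound when `truncated` is set or run the search without a size limit. Smaller points in the same block: `object_count` is assigned but the message recomputes `len(entries)`; `filter` shadows the Python builtin; the prompt text says "all these users" although the count covers users and groups; and the strings "the in case of a high" and "entries that needs a SID generation" need rewording.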
I would still run this check in options.unattended mode and report a
warning, for accounting purposes.
Could you please make it so?
--
/ Alexander Bokovoy