ipa/SOURCES/0010-Use-389-DS-dnaInterval-setting-to-assign-intervals.patch


2021-12-07 17:19:43 +00:00
From c9bae715b24df0f5476bdb70a2209d5f55e46a93 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 21 May 2021 09:26:33 +0200
Subject: [PATCH] Use 389-DS' dnaInterval setting to assign intervals
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
freeipa.spec.in | 3 ++-
install/share/dna.ldif | 1 +
install/updates/73-subid.update | 7 ++-----
ipaserver/plugins/subid.py | 14 +-------------
4 files changed, 6 insertions(+), 19 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 044e3559975c399f6697d4da94b5a059eb5b407c..fa649cf4e1abe8e9928ef340a66d48d78f7e3521 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -106,8 +106,9 @@
%global python_ldap_version 3.1.0-1
# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700
+# and has DNA interval enabled
%if 0%{?fedora} < 34
-%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.16-1'; print(v[rpm.expand('%{fedora}')])}
+%global ds_version 1.4.4.16-1
%else
%global ds_version 2.0.5-1
%endif
diff --git a/install/share/dna.ldif b/install/share/dna.ldif
index 735faab8261feef59486f7c933b01c57ad511166..9023fcd7db5a2c121c493559e2546c85c0daf69a 100644
--- a/install/share/dna.ldif
+++ b/install/share/dna.ldif
@@ -31,6 +31,7 @@ dnaScope: $SUFFIX
dnaThreshold: eval($SUBID_DNA_THRESHOLD)
dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
dnaExcludeScope: cn=provisioning,$SUFFIX
+dnaInterval: eval($SUBID_COUNT)
# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
# dnaIntervalAttr: ipasubuidcount
# dnaIntervalAttr: ipasubgidcount
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
index 1aa43822a8b8c220583b81e08d70b648ca594363..e10703aa3f9528751233ddebe00b8c8c8fc5ed3f 100644
--- a/install/updates/73-subid.update
+++ b/install/updates/73-subid.update
@@ -62,12 +62,8 @@ default:member: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
# The delete-when-empty check is required because IPA uses MOD_REPLACE to
# set attributes, see https://github.com/389ds/389-ds-base/issues/4597.
#
-# TODO: remove (ipasubuidnumber>=eval($SUBID_RANGE_START) from
-# self-service permission when 389-DS' DNA plugin supports dnaStepAttr and
-# fake_dna_plugin hack has been removed.
-#
dn: cn=subids,cn=accounts,$SUFFIX
-add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=eval($SUBID_RANGE_START))(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=eval($SUBID_RANGE_START))(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(ipasubuidnumber=-1) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(ipasubgidnumber=-1) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)
# DNA plugin and idrange configuration
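Review bot: The rewritten self-service ACI on the added `add: aci:` line now admits only `ipasubuidnumber=-1` and `ipasubgidnumber=-1`, so a self-service user can no longer supply an explicit number and every allocation goes through the DNA plugin, while the administrator ACI on the unchanged context line that follows still accepts explicit values `>=1`; nothing in the comment block above records that this asymmetry is intended. The removed TODO was the only text that mentioned the `-1` convention, so a replacement comment before the `dn:` line would help, e.g. `# Self-service may only request DNA-assigned values (-1); explicit subordinate id numbers remain reserved for Subordinate ID Administrators.` The same `-1`/`dnaInterval` contract is set up in the `dna.ldif` hunk and in the second hunk of this file.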
@@ -90,6 +86,7 @@ default: dnaScope: $SUFFIX
default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
default: dnaExcludeScope: cn=provisioning,$SUFFIX
+default: dnaInterval: eval($SUBID_COUNT)
# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
# add: dnaIntervalAttr: ipasubuidcount
# add: dnaIntervalAttr: ipasubgidcount
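Review bot: `default: dnaInterval: eval($SUBID_COUNT)` is written with the `default:` operation, which, if it behaves like the surrounding `default:` lines, only sets the attribute when it is absent; the count stored per entry by `subid.py` comes from `constants.SUBID_COUNT` on every add, so if that constant were ever changed an upgraded server would presumably keep the old interval while new entries carry the new count. Whether that divergence is possible depends on the update framework's semantics, which are not visible here, but a comment pinning the invariant would make it explicit: `# dnaInterval must equal constants.SUBID_COUNT (ipasubuidcount/ipasubgidcount) or DNA-assigned ranges will overlap or leave gaps`.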
diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py
index 7d9a2f33e84bc7cdf17900346343e49d5eda0d8c..440f24ee627f0736100f63026158c564b04520c2 100644
--- a/ipaserver/plugins/subid.py
+++ b/ipaserver/plugins/subid.py
@@ -2,7 +2,6 @@
# Copyright (C) 2021 FreeIPA Contributors see COPYING for license
#
-import random
import uuid
from ipalib import api
@@ -291,12 +290,8 @@ class subid(LDAPObject):
_entry_attrs = ldap.get_entry(dn, ["objectclass"])
entry_attrs["objectclass"] = _entry_attrs["objectclass"]
- # XXX HACK, remove later
- if subuid == DNA_MAGIC:
- subuid = self._fake_dna_plugin(ldap, dn, entry_attrs)
-
entry_attrs["ipasubuidnumber"] = subuid
- # enforice subuid == subgid for now
+ # enforce subuid == subgid for now
entry_attrs["ipasubgidnumber"] = subuid
# hard-coded constants
entry_attrs["ipasubuidcount"] = constants.SUBID_COUNT
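Review bot: With the `DNA_MAGIC` branch removed, `subuid` is stored verbatim on the line `entry_attrs["ipasubuidnumber"] = subuid`, and nothing in the method now says who turns the magic value into a real range; it is the `dnaInterval` added to `dna.ldif` and `73-subid.update` in this same patch that makes the DNA plugin step by `SUBID_COUNT`. A one-line comment above the assignment would spare the next reader a trip through the DNA configuration: `# DNA_MAGIC is replaced server-side by the 389-DS DNA plugin, which steps by dnaInterval (constants.SUBID_COUNT)`. The enclosing method starts before this hunk, and the hunk's lines appear to have lost their indentation in rendering.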
@@ -350,13 +345,6 @@ class subid(LDAPObject):
filters.extend(extra_filters)
return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
- def _fake_dna_plugin(self, ldap, dn, entry_attrs):
- """XXX HACK, remove when 389-DS DNA plugin supports steps"""
- return (
- constants.SUBID_RANGE_START
- + random.randint(1, 32764 - 2) * constants.SUBID_COUNT
- )
-
@register()
class subid_add(LDAPCreate):
--
2.26.3