- Resolves: RHEL-95010 [RFE] Give warning when adding user with UID out of any ID range - Resolves: RHEL-93890 Include latest fixes in python3-ipatests package - Resolves: RHEL-93887 ipa idrange-add --help should be more clear about required options - Resolves: RHEL-93483 Unable to modify IPA config; --ipaconfigstring="" causes internal error - Resolves: RHEL-88834 kdb: ipadb_get_connection() succeeds but returns null LDAP context - Resolves: RHEL-68800 ipa-migrate with LDIF file from backup of remote server, fails with error 'change collided with another change'
From 6f1b9a4228e400ef23f0f411ebf8a98c30cd2f9f Mon Sep 17 00:00:00 2001
|
|
From: David Hanina <dhanina@redhat.com>
|
|
Date: Mon, 5 May 2025 17:31:18 +0200
|
|
Subject: [PATCH] Require baserid and secondarybaserid
|
|
|
|
This has been already required for some time, just not really enforced.
|
|
Also adds a few new tests, and removes the test that did not provide a rid.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9779
|
|
|
|
Signed-off-by: David Hanina <dhanina@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
---
|
|
ipaclient/plugins/idrange.py | 31 +++------------
|
|
ipaserver/plugins/idrange.py | 35 +++++++----------
|
|
ipatests/test_cmdline/test_cli.py | 13 -------
|
|
ipatests/test_xmlrpc/test_range_plugin.py | 46 +++++++++++++++++++++++
|
|
4 files changed, 66 insertions(+), 59 deletions(-)
|
|
|
|
diff --git a/ipaclient/plugins/idrange.py b/ipaclient/plugins/idrange.py
|
|
index 1a8d68ed7ff724854d5ea2f3dd43ec9644b5c671..b62cb1e3526d33a0d762809142b6e372f6f608ea 100644
|
|
--- a/ipaclient/plugins/idrange.py
|
|
+++ b/ipaclient/plugins/idrange.py
|
|
@@ -19,7 +19,6 @@
|
|
|
|
from ipaclient.frontend import MethodOverride
|
|
from ipalib.plugable import Registry
|
|
-from ipalib import api
|
|
|
|
register = Registry()
|
|
|
|
@@ -33,8 +32,7 @@ class idrange_add(MethodOverride):
|
|
Also ensure that secondary-rid-base is prompted for when rid-base is
|
|
specified and vice versa, in case that dom-sid was not specified.
|
|
|
|
- Also ensure that rid-base and secondary-rid-base is prompted for
|
|
- if ipa-adtrust-install has been run on the system.
|
|
+ Also ensure that rid-base and secondary-rid-base is prompted for.
|
|
"""
|
|
|
|
# dom-sid can be specified using dom-sid or dom-name options
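Review bot: The docstring keeps the sentence about prompting for secondary-rid-base "when rid-base is specified and vice versa", which describes the symmetric prompting that the last hunk of this file removes, and the new sentence does not say which ranges it applies to. Since the prompts sit under the `# This is a local range` branch, one sentence would cover both: `For a local range (no dom-sid or dom-name given), always prompt for rid-base and secondary-rid-base when they are missing.` The docstring and the method it documents start and end outside this hunk.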
|
|
@@ -63,27 +61,10 @@ class idrange_add(MethodOverride):
|
|
|
|
else:
|
|
# This is a local range
|
|
- # Find out whether ipa-adtrust-install has been ran
|
|
- adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result']
|
|
|
|
- if adtrust_is_enabled:
|
|
- # If ipa-adtrust-install has been ran, all local ranges
|
|
- # require both RID base and secondary RID base
|
|
-
|
|
- if rid_base is None:
|
|
- set_from_prompt('ipabaserid')
|
|
-
|
|
- if secondary_rid_base is None:
|
|
- set_from_prompt('ipasecondarybaserid')
|
|
-
|
|
- else:
|
|
- # This is a local range on a server with no adtrust support
|
|
-
|
|
- # Prompt for secondary RID base only if RID base was given
|
|
- if rid_base is not None and secondary_rid_base is None:
|
|
- set_from_prompt('ipasecondarybaserid')
|
|
+ # All local ranges require both RID base and secondary RID base
|
|
+ if rid_base is None:
|
|
+ set_from_prompt('ipabaserid')
|
|
|
|
- # Symetrically, prompt for RID base if secondary RID base was
|
|
- # given
|
|
- if rid_base is None and secondary_rid_base is not None:
|
|
- set_from_prompt('ipabaserid')
|
|
+ if secondary_rid_base is None:
|
|
+ set_from_prompt('ipasecondarybaserid')
|
|
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
|
|
index d155fb46da8240449a077d35e86a91ee9f95c132..1c8b5c6899ec927d753b7d9b116d35396b536339 100644
|
|
--- a/ipaserver/plugins/idrange.py
|
|
+++ b/ipaserver/plugins/idrange.py
|
|
@@ -73,10 +73,14 @@ Both types have the following attributes in common:
|
|
With those two attributes a range object can reserve the Posix IDs starting
|
|
with base-id up to but not including base-id+range-size exclusively.
|
|
|
|
-Additionally an ID range of the local domain may set
|
|
+Additionally an ID range of the local domain must set
|
|
- rid-base: the first RID(*) of the corresponding RID range
|
|
- secondary-rid-base: first RID of the secondary RID range
|
|
|
|
+If the server is updated from a previous version and defines local ID ranges
|
|
+missing the rid-base and secondary-rid-base, it is recommended to use
|
|
+`ipa-idrange-fix` command to identify the missing values and fix the ID ranges.
|
|
+
|
|
and an ID range of a trusted domain must set
|
|
- rid-base: the first RID of the corresponding RID range
|
|
- sid: domain SID of the trusted domain
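Review bot: The added `ipa-idrange-fix` paragraph lands in the middle of a sentence. The help text reads "an ID range of the local domain must set …" and resumes with "and an ID range of a trusted domain must set" only after the new paragraph, so the continuation no longer attaches to anything. Moving the upgrade paragraph below the trusted-domain list, or starting the continuation as its own sentence (`An ID range of a trusted domain must set`), keeps the help output readable. The module docstring continues outside the hunk.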
|
|
@@ -519,11 +523,15 @@ class idrange_add(LDAPCreate):
|
|
'or ipa-ad-trust-posix when '
|
|
'auto-private-groups is specified'))
|
|
|
|
- # secondary base rid must be set if and only if base rid is set
|
|
- if is_set('ipasecondarybaserid') != is_set('ipabaserid'):
|
|
- raise errors.ValidationError(name='ID Range setup',
|
|
- error=_('Options secondary-rid-base and rid-base must '
|
|
- 'be used together'))
|
|
+ # base rid and secondary base rid must be set for sidgen
|
|
+ if not (is_set('ipabaserid') and is_set('ipasecondarybaserid')):
|
|
+ raise errors.ValidationError(
|
|
+ name='ID Range setup',
|
|
+ error=_(
|
|
+ 'You must specify both rid-base and '
|
|
+ 'secondary-rid-base options.'
|
|
+ )
|
|
+ )
|
|
|
|
# and they must not overlap
|
|
if is_set('ipabaserid') and is_set('ipasecondarybaserid'):
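Review bot: The guard on the last context line, `if is_set('ipabaserid') and is_set('ipasecondarybaserid'):`, can no longer be false, because the new check above it raises in every other case; the overlap test could run unconditionally and the dead condition be dropped. The new comment `# base rid and secondary base rid must be set for sidgen` would be more useful if it named the consequence of a missing value, which this page does not show. This hunk enforces the rule only in idrange_add; whether idrange_mod also refuses to clear either attribute is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.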
|
|
@@ -534,21 +542,6 @@ class idrange_add(LDAPCreate):
|
|
raise errors.ValidationError(name='ID Range setup',
|
|
error=_("Primary RID range and secondary RID range"
|
|
" cannot overlap"))
|
|
-
|
|
- # rid-base and secondary-rid-base must be set if
|
|
- # ipa-adtrust-install has been run on the system
|
|
- adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result']
|
|
-
|
|
- if adtrust_is_enabled and not (
|
|
- is_set('ipabaserid') and is_set('ipasecondarybaserid')):
|
|
- raise errors.ValidationError(
|
|
- name='ID Range setup',
|
|
- error=_(
|
|
- 'You must specify both rid-base and '
|
|
- 'secondary-rid-base options, because '
|
|
- 'ipa-adtrust-install has already been run.'
|
|
- )
|
|
- )
|
|
return dn
|
|
|
|
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
|
diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py
|
|
index 718798d68083285ce8aefe23af951bc819bdefdb..6c86bbb657a0d9a7b74ef34ad20a796a10073315 100644
|
|
--- a/ipatests/test_cmdline/test_cli.py
|
|
+++ b/ipatests/test_cmdline/test_cli.py
|
|
@@ -276,25 +276,12 @@ class TestCLIParsing:
|
|
ipasecondarybaserid=u'500000',
|
|
)
|
|
|
|
- def test_without_options():
|
|
- self.check_command(
|
|
- 'idrange_add range1 --base-id=1 --range-size=1',
|
|
- 'idrange_add',
|
|
- cn=u'range1',
|
|
- ipabaseid=u'1',
|
|
- ipaidrangesize=u'1',
|
|
- )
|
|
-
|
|
adtrust_dn = 'cn=ADTRUST,cn=%s,cn=masters,cn=ipa,cn=etc,%s' % \
|
|
(api.env.host, api.env.basedn)
|
|
adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result']
|
|
mockldap = None
|
|
|
|
if not adtrust_is_enabled:
|
|
- # ipa-adtrust-install not run - no need to pass rid-base
|
|
- # and secondary-rid-base
|
|
- test_without_options()
|
|
-
|
|
# Create a mock service object to test against
|
|
adtrust_add = dict(
|
|
ipaconfigstring=b'enabledService',
|
|
diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
|
|
index 36469525b14ee507f2d8580b1f021ff09b82c99d..ffc89c028168740e7b8ae217259af512abff2d8a 100644
|
|
--- a/ipatests/test_xmlrpc/test_range_plugin.py
|
|
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
|
|
@@ -1086,4 +1086,50 @@ class test_range(Declarative):
|
|
),
|
|
),
|
|
|
|
+ # Fail without baserid and secondarybaserid
|
|
+
|
|
+ dict(
|
|
+ desc='Try creating ID range %r without both rid' % (testrange9),
|
|
+ command=('idrange_add', [testrange9],
|
|
+ dict(ipabaseid=testrange9_base_id,
|
|
+ ipaidrangesize=testrange9_size)),
|
|
+ expected=errors.ValidationError(
|
|
+ name='ID Range setup',
|
|
+ error=(
|
|
+ 'You must specify both rid-base and '
|
|
+ 'secondary-rid-base options.'
|
|
+ )
|
|
+ )
|
|
+ ),
|
|
+
|
|
+ dict(
|
|
+ desc='Try creating ID range %r without'
|
|
+ 'secondarybaserid' % (testrange9),
|
|
+ command=('idrange_add', [testrange9],
|
|
+ dict(ipabaseid=testrange9_base_id,
|
|
+ ipaidrangesize=testrange9_size,
|
|
+ ipabaserid=testrange9_base_rid)),
|
|
+ expected=errors.ValidationError(
|
|
+ name='ID Range setup',
|
|
+ error=(
|
|
+ 'You must specify both rid-base and '
|
|
+ 'secondary-rid-base options.'
|
|
+ )
|
|
+ )
|
|
+ ),
|
|
+
|
|
+ dict(
|
|
+ desc='Try creating ID range %r without baserid' % (testrange9),
|
|
+ command=('idrange_add', [testrange9],
|
|
+ dict(ipabaseid=testrange9_base_id,
|
|
+ ipaidrangesize=testrange9_size,
|
|
+ ipasecondarybaserid=testrange9_secondary_base_rid)),
|
|
+ expected=errors.ValidationError(
|
|
+ name='ID Range setup',
|
|
+ error=(
|
|
+ 'You must specify both rid-base and '
|
|
+ 'secondary-rid-base options.'
|
|
+ )
|
|
+ )
|
|
+ ),
|
|
]
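Review bot: The second new case builds its description from two adjacent literals, `'Try creating ID range %r without'` and `'secondarybaserid'`, with no space between them, so the case is reported as "…withoutsecondarybaserid". The first literal should end in a space: `desc='Try creating ID range %r without '`. The list these cases are appended to starts outside the hunk.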
|
|
--
|
|
2.49.0
|
|
|