Provide centralized management of user short name resolution #573
Conversation
ipapython/ldapattrs.py
Outdated
| @@ -0,0 +1,135 @@ | |||
| # | |||
| # Copyright (C) 2016 FreeIPA Contributors see COPYING for license | |||
ipapython/ldapattrs.py
Outdated
| attributes in the framework | ||
| """ | ||
|
|
||
| from __future__ import print_function, unicode_literals |
There was a problem hiding this comment.
unicode_literals doesn't sound right to me
|
ACIs? AFAIK SSSD should be able to read this |
|
I would rather avoid the refactoring in 4.5 - this is fragile code you are touching and I'm afraid it might break in some cases (think different client / server version combinations, thin client vs fat client, etc.). As for the edge case values, IMO we should allow |
martbab
force-pushed
the
ad-user-short-names
branch
from
2566716
to
87f626f
Compare
|
Updated PR, added ACIs and fixed Py2/Py3 compatibility of doctests. |
|
I don't see ACI.txt regenerated. |
ipaserver/plugins/idviews.py
Outdated
| @@ -94,7 +95,7 @@ class idview(LDAPObject): | |||
| container_dn = api.env.container_views | |||
| object_name = _('ID View') | |||
| object_name_plural = _('ID Views') | |||
| object_class = ['ipaIDView', 'top'] | |||
| object_class = ['ipaIDView', 'ipaNameResolutionData', 'top'] | |||
There was a problem hiding this comment.
IMO ipaNameResolutionData must be in possible_object_class, because idviews after upgrade doesn't have it
There was a problem hiding this comment.
Correct, it is auxilliary object class, so it should be in the possible_object_class and default_attributes should contain ipaNameResolutionOrder to be able to return the value if it is there.
ipaserver/plugins/config.py
Outdated
| 'ipadomainresolutionorder?', | ||
| cli_name='domain_resolution_order', | ||
| label=_('Domain resolution order'), | ||
| doc=_('colon-separated list of domains used for short name' |
There was a problem hiding this comment.
nitpick: all other doc strings in this plugin start with capital letter
martbab
force-pushed
the
ad-user-short-names
branch
from
87f626f
to
3a29b48
Compare
|
@HonzaCholasta I agree, I have removed the commit which introduces special param handling and resorted to simple splitting in validator. I have also regenerated ACIs in the respective commits. |
VERSION.m4
Outdated
| @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 20100614120000) | |||
| # # | |||
| ######################################################## | |||
| define(IPA_API_VERSION_MAJOR, 2) | |||
| define(IPA_API_VERSION_MINOR, 220) | |||
| # Last change: Add whoami command | |||
| define(IPA_API_VERSION_MINOR, 222) | |||
| @@ -84,5 +85,6 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap | |||
| objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) | |||
| objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) | |||
| objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) | |||
| objectClasses: (2.16.840.1.113730.3.8.12.39 NAME 'ipaNameResolutionData' DESC 'Data used to resolve short names to fully-qualified form' SUP top AUXILIARY MAY ( ipaDomainResolutionOrder ) X-ORIGIN 'IPA v4.5') | |||
There was a problem hiding this comment.
ipaNameResolutionConfig would make more sense to me (I know, I know).
There was a problem hiding this comment.
I have already registered this OID and name so we are out of luck I think.
| } | ||
| ) | ||
|
|
||
| return trusted_domains |
There was a problem hiding this comment.
It would be nice to share code with certmap.check_associateddomain_is_trusted. Not a blocker.
There was a problem hiding this comment.
Nice catch, I will try to think about plugging the trustdomain retrieval magic there.
|
Server upgrade consists only from adding the objectclass to ipaConfig which is taken care of in the update file. The idview object schema is modified on-demand when the attribute is set. Is there something else I need to take care of? |
|
IMO you should add the object class to all existing idviews on upgrade rather than add it on-demand. |
|
@HonzaCholasta it will break in case when idview entry is created on older replica, so it is more safe to appending the objectclass dynamically |
|
Ah, right. |
martbab
force-pushed
the
ad-user-short-names
branch
from
3a29b48
to
a6158e9
Compare
Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema. Extend ipaConfig object with ipaNameResolutionData objectclass during update. https://pagure.io/freeipa/issue/6372
optional attribute was added to config object along with validator that check for valid domain names and also checks whether the specified domains exist in FreeIPA or in trusted forests and, in case of trusted domains, are not disabled. Part of http://www.freeipa.org/page/V4/AD_User_Short_Names https://pagure.io/freeipa/issue/6372
`idview-add` and `idview-mod` can now set and validate the attribute. The required objectclass is added on-demand after modification https://pagure.io/freeipa/issue/6372
martbab
force-pushed
the
ad-user-short-names
branch
from
a6158e9
to
8ac3fb1
Compare
|
PR rebased, I have fixed bugs in ID view objectclass handling and re-used the trusted domain retrieval code in certmap plugin. This is a separate commit so it can be removed if necessary. I have noticed that with current PR we can not add the domain resolution order to Default Trust View, as it is protected from both modification and removal. @abbra is this expected also in this case? |
|
Yes, it is expected too. Remember that 'Default Trust View' is a view that applies globally. You have already global setting to apply. |
|
Ok thanks for explanation. |
MartinBasti
added
ack
This PR implement an initial version of AD user short name resolution
infrastructure consumable by SSSD.[1]
Most of the stuff described in the design page[2] is in-place except of hooks
that would refresh the domain resolution orders after trust domain removal or
disablement. I would like to do them in a separate PR.
Also some edge cases like specifying only separator (':') or an empty domain
('dom1::dom2') have no special treatment, the current code will just complain
about empty DNS labels. Should I improve this behavior?
[1] https://pagure.io/freeipa/issue/6372
[2] https://www.freeipa.org/page/V4/AD_User_Short_Names