From b1cefe64e4e91966e59d81c778abc8057af4cd6f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 10 Sep 2019 13:39:39 +0300
Subject: [PATCH] add default access control when migrating trust objects
It looks like for some cases we do not have proper set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/plugins/adtrust.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 12596d5bfe71c16a2cb87acb755a88051676e3e5..0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -28,6 +28,9 @@ logger = logging.getLogger(__name__)
register = Registry()
DEFAULT_ID_RANGE_SIZE = 200000
+trust_read_keys_template = \
+ ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}",
+ "cn=trust admins,cn=groups,cn=accounts,{basedn}"]
@register()
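Review bot: `trust_read_keys_template` is a module-level constant but is written in lowercase, while `DEFAULT_ID_RANGE_SIZE` two lines above it follows the PEP 8 UPPER_SNAKE_CASE style for constants; renaming it `TRUST_READ_KEYS_TEMPLATE` (and its single use in the updater below) would keep the module consistent. A one-line comment above it would also tell a reader why exactly these two DNs are the default, e.g. `# Default read_keys ACL that ipasam grants at trust creation; formatted with the server basedn`. The two DNs are a security-relevant default, so having their origin stated next to the definition helps anyone auditing the migration later.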
@@ -575,8 +578,15 @@ class update_tdo_to_new_layout(Updater):
'krbprincipalkey')
entry_data['krbextradata'] = en.single_value.get(
'krbextradata')
- entry_data['ipaAllowedToPerform;read_keys'] = en.get(
- 'ipaAllowedToPerform;read_keys', [])
+ read_keys = en.get('ipaAllowedToPerform;read_keys', [])
+ if not read_keys:
+ # Old style, no ipaAllowedToPerform;read_keys in the entry,
+ # use defaults that ipasam should have set when creating a
+ # trust
+ read_keys = list(map(
+ lambda x: x.format(basedn=self.api.env.basedn),
+ trust_read_keys_template))
+ entry_data['ipaAllowedToPerform;read_keys'] = read_keys
entry.update(entry_data)
try:
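Review bot: The fallback under the new `if not read_keys:` branch grants key-read access to two groups without recording that it did so, which makes the migration's effect on a given trust object hard to audit afterwards; since the module already has `logger`, add something like `logger.info("Trust object has no ipaAllowedToPerform;read_keys, applying default access control")` inside the branch, including the entry's DN if `en` exposes it. The condition also treats an attribute that is present but empty the same as a missing one, so a deliberately emptied ACL would be widened to the defaults; if that distinction matters here, test for the attribute's presence rather than its truthiness. As a style point, `read_keys = list(map(lambda x: x.format(basedn=self.api.env.basedn), trust_read_keys_template))` reads more naturally as the comprehension `read_keys = [x.format(basedn=self.api.env.basedn) for x in trust_read_keys_template]`. The enclosing method of `update_tdo_to_new_layout` starts before this hunk and continues past the `try:` at its end.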
--
2.20.1