From 887bd5f84d862dfb923c72a60b4491374be34d5f Mon Sep 17 00:00:00 2001

From: Martin Babinsky <mbabinsk@redhat.com>

Date: Fri, 7 Aug 2015 15:44:57 +0200

Subject: [PATCH] idranges: raise an error when local IPA ID range is being

 modified

also show the message about the way UID/GID ranges are managed in FreeIPA in

the idrange-mod's help message

https://fedorahosted.org/freeipa/ticket/4826

Reviewed-By: Tomas Babej <tbabej@redhat.com>

---

 ipalib/plugins/idrange.py | 52 ++++++++++++++++++++++++++---------------------

 1 file changed, 29 insertions(+), 23 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py

index fb198d79d4c14ffd5f7dc633c9f01a1465ff01d7..2cec05bd8f837fb27803b869bf33fe389126506c 100644

--- a/ipalib/plugins/idrange.py

+++ b/ipalib/plugins/idrange.py

@@ -31,6 +31,20 @@ if api.env.in_server and api.env.context in ['lite', 'server']:

     except ImportError:

         _dcerpc_bindings_installed = False

+ID_RANGE_VS_DNA_WARNING = """=======

+WARNING:

+

+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the

+local domain. Currently the DNA plugin *cannot* be reconfigured itself based

+on the local ranges set via this family of commands.

+

+Manual configuration change has to be done in the DNA plugin configuration for

+the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix

+IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be

+modified to match the new range.

+=======

+"""

+

 __doc__ = _("""

 ID ranges

@@ -139,17 +153,8 @@ this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the

 user. RIDs are unique in a domain, 32bit values and are used for users and

 groups.

-WARNING:

-

-DNA plugin in 389-ds will allocate IDs based on the ranges configured for the

-local domain. Currently the DNA plugin *cannot* be reconfigured itself based

-on the local ranges set via this family of commands.

-

-Manual configuration change has to be done in the DNA plugin configuration for

-the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix

-IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be

-modified to match the new range.

-""")

+{0}

+""".format(ID_RANGE_VS_DNA_WARNING))

 register = Registry()

@@ -386,17 +391,8 @@ class idrange_add(LDAPCreate):

     must be given to add a new range for a trusted AD domain.

-    WARNING:

-

-    DNA plugin in 389-ds will allocate IDs based on the ranges configured for the

-    local domain. Currently the DNA plugin *cannot* be reconfigured itself based

-    on the local ranges set via this family of commands.

-

-    Manual configuration change has to be done in the DNA plugin configuration for

-    the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix

-    IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be

-    modified to match the new range.

-    """)

+{0}

+""".format(ID_RANGE_VS_DNA_WARNING))

     msg_summary = _('Added ID range "%(value)s"')

@@ -670,7 +666,10 @@ class idrange_show(LDAPRetrieve):

 @register()

 class idrange_mod(LDAPUpdate):

-    __doc__ = _('Modify ID range.')

+    __doc__ = _("""Modify ID range.

+

+{0}

+""".format(ID_RANGE_VS_DNA_WARNING))

     msg_summary = _('Modified ID range "%(value)s"')

@@ -688,6 +687,13 @@ class idrange_mod(LDAPUpdate):

         except errors.NotFound:

             self.obj.handle_not_found(*keys)

+        if old_attrs['iparangetype'][0] == 'ipa-local':

+            raise errors.ExecutionError(

+                message=_('This command can not be used to change ID '

+                          'allocation for local IPA domain. Run '

+                          '`ipa help idrange` for more information')

+            )

+

         is_set = lambda x: (x in entry_attrs) and (entry_attrs[x] is not None)

         in_updated_attrs = lambda x:\

             (x in entry_attrs and entry_attrs[x] is not None) or\

-- 

2.4.3