From 06eb54e3e8e645a64d915602a64834cc26bc8924 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 10 Sep 2019 13:39:39 +0300
Subject: [PATCH] add default access control when migrating trust objects
It looks like for some cases we do not have proper set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/plugins/adtrust.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 12596d5bfe71c16a2cb87acb755a88051676e3e5..0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -28,6 +28,9 @@ logger = logging.getLogger(__name__)
register = Registry()
DEFAULT_ID_RANGE_SIZE = 200000
+trust_read_keys_template = \
+ ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}",
+ "cn=trust admins,cn=groups,cn=accounts,{basedn}"]
@register()
@@ -575,8 +578,15 @@ class update_tdo_to_new_layout(Updater):
'krbprincipalkey')
entry_data['krbextradata'] = en.single_value.get(
'krbextradata')
- entry_data['ipaAllowedToPerform;read_keys'] = en.get(
- 'ipaAllowedToPerform;read_keys', [])
+ read_keys = en.get('ipaAllowedToPerform;read_keys', [])
+ if not read_keys:
+ # Old style, no ipaAllowedToPerform;read_keys in the entry,
+ # use defaults that ipasam should have set when creating a
+ # trust
+ read_keys = list(map(
+ lambda x: x.format(basedn=self.api.env.basedn),
+ trust_read_keys_template))
+ entry_data['ipaAllowedToPerform;read_keys'] = read_keys
entry.update(entry_data)
try:
--
2.20.1