From 54422d3c58ace8496b0bd2fc536365159e6666e6 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Mon, 3 Apr 2017 15:57:47 +0200
Subject: [PATCH] Upgrade: add gidnumber to trusted domain entry
The trusted domain entries created in earlier versions are missing gidnumber. During upgrade, a new plugin will read the gidnumber of the fallback group cn=Default SMB Group and add this value to trusted domain entries which do not have a gidNumber.
https://pagure.io/freeipa/issue/6827
Reviewed-By: Alexander Bokovoy
---
 install/updates/90-post_upgrade_plugins.update | 1 +
 ipaserver/install/plugins/adtrust.py | 56 ++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 34069e7457dd9690a14c5c055c6d05ad76004d16..8477199e07d6729d5847e58bfa67d061bd1410c2 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -10,6 +10,7 @@ plugin: update_sigden_extdom_broken_config
 plugin: update_sids
 plugin: update_default_range
 plugin: update_default_trust_view
+plugin: update_tdo_gidnumber
 plugin: update_ca_renewal_master
 plugin: update_idrange_type
 plugin: update_pacs
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 42968089f547f61edd2f1223d088a22762a33b70..075f197780edc2aadf42fa82b71e9e2b29e66ea9 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -22,6 +22,7 @@ from ipalib import Updater
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipaserver.install import sysupgrade
+from ipaserver.install.adtrustinstance import ADTRUSTInstance
 register = Registry()
@@ -316,3 +317,58 @@ class update_sids(Updater):
 sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
 return False, ()
+
+
+@register()
+class update_tdo_gidnumber(Updater):
+ """
+ Create a gidNumber attribute for Trusted Domain Objects.
+
+ The value is taken from the fallback group defined in cn=Default SMB Group.
+ """
+ def execute(self, **options):
+ ldap = self.api.Backend.ldap2
+
+ # Read the gidnumber of the fallback group
+ dn = DN(('cn', ADTRUSTInstance.FALLBACK_GROUP_NAME),
+ self.api.env.container_group,
+ self.api.env.basedn)
+
+ try:
+ entry = ldap.get_entry(dn, ['gidnumber'])
+ gidNumber = entry.get('gidnumber')
+ except errors.NotFound:
+ self.log.error("{0} not found".format(
+ ADTRUSTInstance.FALLBACK_GROUP_NAME))
+ return False, ()
+
+ if not gidNumber:
+ self.log.error("{0} does not have a gidnumber".format(
+ ADTRUSTInstance.FALLBACK_GROUP_NAME))
+ return False, ()
+
+ # For each trusted domain object, add gidNumber
+ try:
+ tdos = ldap.get_entries(
+ DN(self.api.env.container_adtrusts, self.api.env.basedn),
+ scope=ldap.SCOPE_ONELEVEL,
+ filter="(objectclass=ipaNTTrustedDomain)",
+ attrs_list=['gidnumber'])
+ for tdo in tdos:
+ # if the trusted domain object does not contain gidnumber,
+ # add the default fallback group gidnumber
+ if not tdo.get('gidnumber'):
+ try:
+ tdo['gidnumber'] = gidNumber
+ ldap.update_entry(tdo)
+ self.log.debug("Added gidnumber {0} to {1}".format(
+ gidNumber, tdo.dn))
+ except Exception:
+ self.log.warning(
+ "Failed to add gidnumber to {0}".format(tdo.dn))
+
+ except errors.NotFound:
+ self.log.debug("No trusted domain object to update")
+ return False, ()
+
+ return False, ()
--
2.9.3
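Review bot: The `except Exception:` around `ldap.update_entry(tdo)` in `update_tdo_gidnumber.execute` discards the error, so the warning names the trusted domain entry but not why the write failed, and the entry can stay without a gidNumber while the upgrade carries on. Bind the exception and log it, e.g. `except Exception as e:` with `"Failed to add gidnumber to {0}: {1}".format(tdo.dn, e)`, and if the LDAP backend raises a narrower class for modify failures, catch that instead of `Exception`. Separately, the missing-fallback-group branch logs at error level; if this plugin also runs on servers where AD trust was never configured (not visible in this hunk), that outcome is expected there and a debug message or an up-front trust-enabled check would keep upgrade logs clean. A one-line comment stating what the constant `False, ()` return means to the updater framework would also help the next reader.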