From c9bae715b24df0f5476bdb70a2209d5f55e46a93 Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Fri, 21 May 2021 09:26:33 +0200

Subject: [PATCH] Use 389-DS' dnaInterval setting to assign intervals

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Francois Cami <fcami@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

Reviewed-By: Francois Cami <fcami@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 freeipa.spec.in                 |  3 ++-

 install/share/dna.ldif          |  1 +

 install/updates/73-subid.update |  7 ++-----

 ipaserver/plugins/subid.py      | 14 +-------------

 4 files changed, 6 insertions(+), 19 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in

index 044e3559975c399f6697d4da94b5a059eb5b407c..fa649cf4e1abe8e9928ef340a66d48d78f7e3521 100755

--- a/freeipa.spec.in

+++ b/freeipa.spec.in

@@ -106,8 +106,9 @@

 %global python_ldap_version 3.1.0-1

 # Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700

+# and has DNA interval enabled

 %if 0%{?fedora} < 34

-%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.16-1'; print(v[rpm.expand('%{fedora}')])}

+%global ds_version 1.4.4.16-1

 %else

 %global ds_version 2.0.5-1

 %endif

diff --git a/install/share/dna.ldif b/install/share/dna.ldif

index 735faab8261feef59486f7c933b01c57ad511166..9023fcd7db5a2c121c493559e2546c85c0daf69a 100644

--- a/install/share/dna.ldif

+++ b/install/share/dna.ldif

@@ -31,6 +31,7 @@ dnaScope: $SUFFIX

 dnaThreshold: eval($SUBID_DNA_THRESHOLD)

 dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX

 dnaExcludeScope: cn=provisioning,$SUFFIX

+dnaInterval: eval($SUBID_COUNT)

 # TODO: enable when 389-DS' DNA plugin supports dnaStepAttr

 # dnaIntervalAttr: ipasubuidcount

 # dnaIntervalAttr: ipasubgidcount

diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update

index 1aa43822a8b8c220583b81e08d70b648ca594363..e10703aa3f9528751233ddebe00b8c8c8fc5ed3f 100644

--- a/install/updates/73-subid.update

+++ b/install/updates/73-subid.update

@@ -62,12 +62,8 @@ default:member: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX

 # The delete-when-empty check is required because IPA uses MOD_REPLACE to

 # set attributes, see https://github.com/389ds/389-ds-base/issues/4597.

 #

-# TODO: remove (ipasubuidnumber>=eval($SUBID_RANGE_START) from

-# self-service permission when 389-DS' DNA plugin supports dnaStepAttr and

-# fake_dna_plugin hack has been removed.

-#

 dn: cn=subids,cn=accounts,$SUFFIX

-add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=eval($SUBID_RANGE_START))(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=eval($SUBID_RANGE_START))(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)

+add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(ipasubuidnumber=-1) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(ipasubgidnumber=-1) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)

 add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)

 # DNA plugin and idrange configuration

@@ -90,6 +86,7 @@ default: dnaScope: $SUFFIX

 default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)

 default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX

 default: dnaExcludeScope: cn=provisioning,$SUFFIX

+default: dnaInterval: eval($SUBID_COUNT)

 # TODO: enable when 389-DS' DNA plugin supports dnaStepAttr

 # add: dnaIntervalAttr: ipasubuidcount

 # add: dnaIntervalAttr: ipasubgidcount

diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py

index 7d9a2f33e84bc7cdf17900346343e49d5eda0d8c..440f24ee627f0736100f63026158c564b04520c2 100644

--- a/ipaserver/plugins/subid.py

+++ b/ipaserver/plugins/subid.py

@@ -2,7 +2,6 @@

 # Copyright (C) 2021  FreeIPA Contributors see COPYING for license

 #

-import random

 import uuid

 from ipalib import api

@@ -291,12 +290,8 @@ class subid(LDAPObject):

             _entry_attrs = ldap.get_entry(dn, ["objectclass"])

             entry_attrs["objectclass"] = _entry_attrs["objectclass"]

-        # XXX HACK, remove later

-        if subuid == DNA_MAGIC:

-            subuid = self._fake_dna_plugin(ldap, dn, entry_attrs)

-

         entry_attrs["ipasubuidnumber"] = subuid

-        # enforice subuid == subgid for now

+        # enforce subuid == subgid for now

         entry_attrs["ipasubgidnumber"] = subuid

         # hard-coded constants

         entry_attrs["ipasubuidcount"] = constants.SUBID_COUNT

@@ -350,13 +345,6 @@ class subid(LDAPObject):

         filters.extend(extra_filters)

         return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)

-    def _fake_dna_plugin(self, ldap, dn, entry_attrs):

-        """XXX HACK, remove when 389-DS DNA plugin supports steps"""

-        return (

-            constants.SUBID_RANGE_START

-            + random.randint(1, 32764 - 2) * constants.SUBID_COUNT

-        )

-

 @register()

 class subid_add(LDAPCreate):

-- 

2.26.3