From 1dfba16f6d46a2811d0230f28abf0ea4621bfde2 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 28 Jul 2016 10:42:58 +0200
Subject: [PATCH] re-set canonical principal name on migrated users
403b09
The migration procedure has been updated to re-set `krbcanonicalname`
403b09
attribute on migrated users as well as `krbprincipalname` so that migration
403b09
from FreeIPA versions supporting principal aliases does not break subsequent
403b09
authentication of migrated users.
403b09
https://fedorahosted.org/freeipa/ticket/6101
403b09
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
403b09
---
403b09
 ipaserver/plugins/migration.py | 41 ++++++++++++++++++++++++++++-------------
403b09
 1 file changed, 28 insertions(+), 13 deletions(-)
403b09
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index 7f634a7ccf8c49a4c8e0cc3fe2b2dce84b5cadff..404c4aeb08ff2ee018799af3a9224bec93c26f82 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -36,6 +36,7 @@ if api.env.in_server and api.env.context in ['lite', 'server']:
 from ipalib import _
 from ipapython.dn import DN
 from ipapython.ipautil import write_tmp_file
+from ipapython.kerberos import Principal
 import datetime
 from ipaplatform.paths import paths
 
@@ -152,6 +153,32 @@ _supported_scopes = {u'base': SCOPE_BASE, u'onelevel': SCOPE_ONELEVEL, u'subtree
 _default_scope = u'onelevel'
 
 
+def _create_kerberos_principals(ldap, pkey, entry_attrs, failed):
+    """
+    Create 'krbprincipalname' and 'krbcanonicalname' attributes for incoming
+    user entry or skip it if there already is a user with such principal name.
+    The code does not search for `krbcanonicalname` since we assume that the
+    canonical principal name is always contained among values of
+    `krbprincipalname` attribute.Both `krbprincipalname` and `krbcanonicalname`
+    are set to default value generated from uid and realm.
+
+    Note: the migration does not currently preserve principal aliases
+    """
+    principal = Principal((pkey,), realm=api.env.realm)
+    try:
+        ldap.find_entry_by_attr(
+            'krbprincipalname', principal, 'krbprincipalaux', [''],
+            DN(api.env.container_user, api.env.basedn)
+        )
+    except errors.NotFound:
+        entry_attrs['krbprincipalname'] = principal
+        entry_attrs['krbcanonicalname'] = principal
+    except errors.LimitsExceeded:
+        failed[pkey] = unicode(_krb_failed_msg % unicode(principal))
+    else:
+        failed[pkey] = unicode(_krb_err_msg % unicode(principal))
+
+
 def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
     assert isinstance(dn, DN)
     attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
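Review bot: The docstring of `_create_kerberos_principals` runs two sentences together (`attribute.Both`) and does not say that a collision is reported by writing into the caller's `failed` dict rather than by raising, which a reader only discovers from the `except LimitsExceeded` and `else` branches. Suggest adding parameter text such as `failed: dict keyed by pkey; receives an error message when the principal is already taken or the search exceeded a limit, in which case entry_attrs is left untouched`. The docstring should also make explicit that the existence check is scoped to the user container (`api.env.container_user`) and to `krbprincipalname` only, since the stated assumption that every canonical name also appears among `krbprincipalname` values is what keeps a migrated user from being assigned a principal an existing entry already owns. Whether `find_entry_by_attr` accepts a `Principal` object as the search value, where the old code passed a unicode string, depends on the LDAP value encoder that is not visible in this hunk and is worth confirming.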
@@ -217,19 +244,7 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
             except ValueError:  # object class not present
                 pass
 
-    # generate a principal name and check if it isn't already taken
-    principal = u'%s@%s' % (pkey, api.env.realm)
-    try:
-        ldap.find_entry_by_attr(
-            'krbprincipalname', principal, 'krbprincipalaux', [''],
-            DN(api.env.container_user, api.env.basedn)
-        )
-    except errors.NotFound:
-        entry_attrs['krbprincipalname'] = principal
-    except errors.LimitsExceeded:
-        failed[pkey] = unicode(_krb_failed_msg % principal)
-    else:
-        failed[pkey] = unicode(_krb_err_msg % principal)
+    _create_kerberos_principals(ldap, pkey, entry_attrs, failed)
 
     # Fix any attributes with DN syntax that point to entries in the old
     # tree
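Review bot: The new call on the `+` line drops the `# generate a principal name and check if it isn't already taken` comment that introduced the inlined block, so a reader of `_pre_migrate_user` no longer sees at this point that the helper may mark the entry as failed and leave it without principal attributes. Keep a one-line comment above the call, e.g. `# set principal and canonical names; marks the entry failed if the principal is already taken`. `_pre_migrate_user` begins and ends outside this hunk.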
-- 
2.7.4