rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0040-re-set-canonical-principal-name-on-migrated-users.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   53a374936ca448d4897930910a79131c0085a284
  2.   SOURCES
  3.   0040-re-set-canonical-principal-name-on-migrated-users.patch
Blob History Raw
403b09 
From 1dfba16f6d46a2811d0230f28abf0ea4621bfde2 Mon Sep 17 00:00:00 2001
403b09 
From: Martin Babinsky <mbabinsk@redhat.com>
403b09 
Date: Thu, 28 Jul 2016 10:42:58 +0200
403b09 
Subject: [PATCH] re-set canonical principal name on migrated users
403b09
403b09 
The migration procedure has been updated to re-set `krbcanonicalname`
403b09 
attribute on migrated users as well as `krbprincipalname` so that migration
403b09 
from FreeIPA versions supporting principal aliases does not break subsequent
403b09 
authentication of migrated users.
403b09
403b09 
https://fedorahosted.org/freeipa/ticket/6101
403b09
403b09 
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
403b09 
---
403b09 
 ipaserver/plugins/migration.py | 41 ++++++++++++++++++++++++++++-------------
403b09 
 1 file changed, 28 insertions(+), 13 deletions(-)
403b09
403b09 
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
403b09 
index 7f634a7ccf8c49a4c8e0cc3fe2b2dce84b5cadff..404c4aeb08ff2ee018799af3a9224bec93c26f82 100644
403b09 
--- a/ipaserver/plugins/migration.py
403b09 
+++ b/ipaserver/plugins/migration.py
403b09 
@@ -36,6 +36,7 @@ if api.env.in_server and api.env.context in ['lite', 'server']:
403b09 
 from ipalib import _
403b09 
 from ipapython.dn import DN
403b09 
 from ipapython.ipautil import write_tmp_file
403b09 
+from ipapython.kerberos import Principal
403b09 
 import datetime
403b09 
 from ipaplatform.paths import paths
403b09
403b09 
@@ -152,6 +153,32 @@ _supported_scopes = {u'base': SCOPE_BASE, u'onelevel': SCOPE_ONELEVEL, u'subtree
403b09 
 _default_scope = u'onelevel'
403b09
403b09
403b09 
+def _create_kerberos_principals(ldap, pkey, entry_attrs, failed):
403b09 
+    """
403b09 
+    Create 'krbprincipalname' and 'krbcanonicalname' attributes for incoming
403b09 
+    user entry or skip it if there already is a user with such principal name.
403b09 
+    The code does not search for `krbcanonicalname` since we assume that the
403b09 
+    canonical principal name is always contained among values of
403b09 
+    `krbprincipalname` attribute.Both `krbprincipalname` and `krbcanonicalname`
403b09 
+    are set to default value generated from uid and realm.
403b09 
+
403b09 
+    Note: the migration does not currently preserve principal aliases
403b09 
+    """
403b09 
+    principal = Principal((pkey,), realm=api.env.realm)
403b09 
+    try:
403b09 
+        ldap.find_entry_by_attr(
403b09 
+            'krbprincipalname', principal, 'krbprincipalaux', [''],
403b09 
+            DN(api.env.container_user, api.env.basedn)
403b09 
+        )
403b09 
+    except errors.NotFound:
403b09 
+        entry_attrs['krbprincipalname'] = principal
403b09 
+        entry_attrs['krbcanonicalname'] = principal
403b09 
+    except errors.LimitsExceeded:
403b09 
+        failed[pkey] = unicode(_krb_failed_msg % unicode(principal))
403b09 
+    else:
403b09 
+        failed[pkey] = unicode(_krb_err_msg % unicode(principal))
403b09 
+
403b09 
+
403b09 
 def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
403b09 
     assert isinstance(dn, DN)
403b09 
     attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
403b09 
@@ -217,19 +244,7 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
403b09 
             except ValueError:  # object class not present
403b09 
                 pass
403b09
403b09 
-    # generate a principal name and check if it isn't already taken
403b09 
-    principal = u'%s@%s' % (pkey, api.env.realm)
403b09 
-    try:
403b09 
-        ldap.find_entry_by_attr(
403b09 
-            'krbprincipalname', principal, 'krbprincipalaux', [''],
403b09 
-            DN(api.env.container_user, api.env.basedn)
403b09 
-        )
403b09 
-    except errors.NotFound:
403b09 
-        entry_attrs['krbprincipalname'] = principal
403b09 
-    except errors.LimitsExceeded:
403b09 
-        failed[pkey] = unicode(_krb_failed_msg % principal)
403b09 
-    else:
403b09 
-        failed[pkey] = unicode(_krb_err_msg % principal)
403b09 
+    _create_kerberos_principals(ldap, pkey, entry_attrs, failed)
403b09
403b09 
     # Fix any attributes with DN syntax that point to entries in the old
403b09 
     # tree
403b09 
--
403b09 
2.7.4
403b09

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation