From b1cefe64e4e91966e59d81c778abc8057af4cd6f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 10 Sep 2019 13:39:39 +0300
Subject: [PATCH] add default access control when migrating trust objects
It looks like that in some cases the keytab retrieval configuration in the
old trusted domain object was not set up properly. This mostly affects
two-way trust cases. In such cases, create the default configuration that
ipasam would have created when the trust was established.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 ipaserver/install/plugins/adtrust.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 12596d5bfe71c16a2cb87acb755a88051676e3e5..0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -28,6 +28,9 @@ logger = logging.getLogger(__name__)
 register = Registry()
 
 DEFAULT_ID_RANGE_SIZE = 200000
+trust_read_keys_template = \
+    ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}",
+     "cn=trust admins,cn=groups,cn=accounts,{basedn}"]
 
 
 @register()
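Review bot: `trust_read_keys_template` is a module-level constant that is never reassigned, yet it is the only one in this header not written in UPPER_SNAKE_CASE; the adjacent `DEFAULT_ID_RANGE_SIZE` follows the PEP 8 convention. Renaming it to `TRUST_READ_KEYS_TEMPLATE` (and updating the single reference in the second hunk) and making it a tuple would signal that it is a fixed default rather than mutable state. A short comment above it would also save readers a trip to the commit message, e.g. `# Default ipaAllowedToPerform;read_keys members, matching what ipasam sets when a trust is created`.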
@@ -575,8 +578,15 @@ class update_tdo_to_new_layout(Updater):
                     'krbprincipalkey')
                 entry_data['krbextradata'] = en.single_value.get(
                     'krbextradata')
-                entry_data['ipaAllowedToPerform;read_keys'] = en.get(
-                    'ipaAllowedToPerform;read_keys', [])
+                read_keys = en.get('ipaAllowedToPerform;read_keys', [])
+                if not read_keys:
+                    # Old style, no ipaAllowedToPerform;read_keys in the entry,
+                    # use defaults that ipasam should have set when creating a
+                    # trust
+                    read_keys = list(map(
+                        lambda x: x.format(basedn=self.api.env.basedn),
+                        trust_read_keys_template))
+                entry_data['ipaAllowedToPerform;read_keys'] = read_keys
 
         entry.update(entry_data)
         try:
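Review bot: The `if not read_keys:` branch grants the default read_keys access control to a trusted domain object without leaving any trace in the upgrade log, so an administrator cannot later tell which objects received migrated values and which received defaults. Since `logger` is in scope (the first hunk's header shows `logger = logging.getLogger(__name__)`), a line such as `logger.info("Trust object has no ipaAllowedToPerform;read_keys, applying defaults")` inside the branch, ideally including the entry's DN if that is available on `en`, would make the migration auditable. The `list(map(lambda ...))` construction would also read more naturally as a comprehension: `read_keys = [t.format(basedn=self.api.env.basedn) for t in trust_read_keys_template]`. The enclosing method of `update_tdo_to_new_layout` starts and ends outside this hunk.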
-- 
2.20.1