From aa5a5fa8349444c2817feb21dd8c6f8ba6b38fd0 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 13 Oct 2014 14:59:24 +0200
Subject: [PATCH] ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges
New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix
https://fedorahosted.org/freeipa/ticket/4221
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
ipaserver/install/plugins/update_idranges.py | 69 +++++++++++++++++++++++++++-
1 file changed, 68 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/update_idranges.py b/ipaserver/install/plugins/update_idranges.py
index 9e97c9f74570484a8bae82e99a7561350163a1b1..1aa5fa7631fd35a7aaf4a23a5eee44e4e0a2e904 100644
--- a/ipaserver/install/plugins/update_idranges.py
+++ b/ipaserver/install/plugins/update_idranges.py
@@ -17,7 +17,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins import MIDDLE, LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
from ipalib import api, errors
from ipapython.dn import DN
@@ -111,4 +111,71 @@ class update_idrange_type(PostUpdate):
return (False, False, [])
+
+class update_idrange_baserid(PostUpdate):
+ """
+ Update ipa-ad-trust-posix ranges' base RID to 0. This applies to AD trust
+ posix ranges prior to IPA 4.1.
+ """
+
+ order = LAST
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ base_dn = DN(api.env.container_ranges, api.env.basedn)
+ search_filter = ("(&(objectClass=ipaTrustedADDomainRange)"
+ "(ipaRangeType=ipa-ad-trust-posix)"
+ "(!(ipaBaseRID=0)))")
+ root_logger.debug(
+ "update_idrange_baserid: search for ipa-ad-trust-posix ID ranges "
+ "with ipaBaseRID != 0"
+ )
+
+ try:
+ (entries, truncated) = ldap.find_entries(
+ search_filter, ['ipabaserid'], base_dn,
+ paged_search=True, time_limit=0, size_limit=0)
+
+ except errors.NotFound:
+ root_logger.debug("update_idrange_baserid: no AD domain "
+ "range with posix attributes found")
+ return (False, False, [])
+
+ except errors.ExecutionError, e:
+ root_logger.error("update_idrange_baserid: cannot retrieve "
+ "list of affected ranges: %s", e)
+ return (False, False, [])
+
+ root_logger.debug("update_idrange_baserid: found %d "
+ "idranges possible to update",
+ len(entries))
+
+ error = False
+
+ # Set the range type
+ for entry in entries:
+ entry['ipabaserid'] = 0
+ try:
+ root_logger.info("Updating existing idrange: %s" % (entry.dn))
+ ldap.update_entry(entry)
+ root_logger.info("Done")
+ except (errors.EmptyModlist, errors.NotFound):
+ pass
+ except errors.ExecutionError, e:
+ root_logger.debug("update_idrange_type: cannot "
+ "update idrange: %s", e)
+ error = True
+
+ if error:
+ root_logger.error("update_idrange_baserid: error(s) "
+ "detected during idrange baserid update")
+ else:
+ # All affected entries updated, exit the loop
+ root_logger.debug("update_idrange_baserid: all affected "
+ "idranges updated")
+
+ return (False, False, [])
+
api.register(update_idrange_type)
+api.register(update_idrange_baserid)
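Review bot: In the update loop of `execute`, a failed `ldap.update_entry(entry)` is logged only at debug level, under the copied prefix `update_idrange_type`, and without the entry's DN. The later error-level summary therefore says something failed but not which range still carries a non-zero base RID; I would log it as `root_logger.error("update_idrange_baserid: cannot update idrange %s: %s", entry.dn, e)`. The `truncated` value returned by `ldap.find_entries` is also never checked, so if the server cut the result short the remaining ranges would be skipped silently; a warning when `truncated` is true would make that visible. The comments `# Set the range type` and `# All affected entries updated, exit the loop` appear to be carried over from `update_idrange_type` and no longer describe this code.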
--
2.1.0