From f6fd0abeaa64d927f2d993235e97ac3009e64f2c Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Wed, 14 Apr 2021 15:21:18 +0200
Subject: [PATCH] Redesign subid feature
Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ACI.txt | 12 +-
API.txt | 153 +++--
doc/designs/subordinate-ids.md | 358 ++++++++---
install/share/60basev4.ldif | 25 +-
install/share/60ipaconfig.ldif | 5 +-
install/share/dna.ldif | 8 +-
install/share/memberof-conf.ldif | 4 +-
install/ui/src/freeipa/app.js | 1 +
.../ui/src/freeipa/navigation/menu_spec.js | 3 +-
install/ui/src/freeipa/serverconfig.js | 4 +
install/ui/src/freeipa/subid.js | 92 +++
install/ui/src/freeipa/user.js | 108 ++--
install/updates/10-uniqueness.update | 19 +
install/updates/20-indices.update | 12 +
install/updates/25-referint.update | 1 +
install/updates/73-subid.update | 28 +-
ipalib/constants.py | 6 +-
ipaserver/install/ipa_subids.py | 18 +-
.../plugins/update_dna_shared_config.py | 2 +-
ipaserver/plugins/baseldap.py | 10 +-
ipaserver/plugins/baseuser.py | 272 +-------
ipaserver/plugins/config.py | 8 +-
ipaserver/plugins/internal.py | 2 +-
ipaserver/plugins/subid.py | 608 ++++++++++++++++++
ipaserver/plugins/user.py | 39 +-
ipatests/test_integration/test_subids.py | 182 +++---
26 files changed, 1389 insertions(+), 591 deletions(-)
create mode 100644 install/ui/src/freeipa/subid.js
create mode 100644 ipaserver/plugins/subid.py
diff --git a/ACI.txt b/ACI.txt
index fce02a333b212de9b61f920515eed3e356b1391b..e985461cd1c10cc98d1080daa81cfd90e2433dbb 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -61,7 +61,7 @@ aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilte
dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Read Certificate Profiles";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipadomainresolutionorder || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxhostnamelength || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipadomainresolutionorder || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxhostnamelength || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserdefaultsubordinateid || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
@@ -318,6 +318,14 @@ dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=subids,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "description || ipaowner")(targetfilter = "(objectclass=ipasubordinateidentry)")(version 3.0;acl "permission:System: Manage Subordinate Ids";allow (write) groupdn = "ldap:///cn=System: Manage Subordinate Ids,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=subids,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || description || entryusn || ipaowner || ipasubgidcount || ipasubgidnumber || ipasubuidcount || ipasubuidnumber || ipauniqueid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipasubordinateidentry)")(version 3.0;acl "permission:System: Read Subordinate Id Attributes";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=subids,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "numsubordinates")(target = "ldap:///cn=subids,cn=accounts,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Subordinate Id Count";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=subids,cn=accounts,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(version 3.0;acl "permission:System: Remove Subordinate Ids";allow (delete) groupdn = "ldap:///cn=System: Remove Subordinate Ids,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
@@ -375,7 +383,7 @@ aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber
dn: dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "ipasshpubkey || ipasubgidcount || ipasubgidnumber || ipasubuidcount || ipasubuidnumber || ipauniqueid || ipauserauthtype || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User IPA Attributes";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "ipasshpubkey || ipauniqueid || ipauserauthtype || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User IPA Attributes";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || krbprincipaltype || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Kerberos Attributes";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index 262b4d6a72c7d7032a7027116f7a4f65aa620615..6c80028bfe8e9b739637fa11e015441efbf984b5 100644
--- a/API.txt
+++ b/API.txt
@@ -1076,7 +1076,7 @@ args: 0,1,1
option: Str('version?')
output: Output('result')
command: config_mod/1
-args: 0,28,3
+args: 0,29,3
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('ca_renewal_master_server?', autofill=False)
@@ -1099,6 +1099,7 @@ option: Int('ipasearchtimelimit?', autofill=False, cli_name='searchtimelimit')
option: Str('ipaselinuxusermapdefault?', autofill=False)
option: Str('ipaselinuxusermaporder?', autofill=False)
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened', u'disabled'])
+option: Bool('ipauserdefaultsubordinateid?', autofill=False, cli_name='user_default_subid')
option: Str('ipauserobjectclasses*', autofill=False, cli_name='userobjectclasses')
option: IA5Str('ipausersearchfields?', autofill=False, cli_name='usersearch')
option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -4974,7 +4975,7 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: stageuser_add/1
-args: 1,46,3
+args: 1,45,3
arg: Str('uid', cli_name='login')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -4992,7 +4993,6 @@ option: Str('givenname', cli_name='first')
option: Str('homedirectory?', cli_name='homedir')
option: Str('initials?', autofill=True)
option: Str('ipasshpubkey*', cli_name='sshpubkey')
-option: Int('ipasubuidnumber?', cli_name='subuid')
option: Str('ipatokenradiusconfiglink?', cli_name='radius')
option: Str('ipatokenradiususername?', cli_name='radius_username')
option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -5099,14 +5099,13 @@ option: Str('in_group*', cli_name='in_groups')
option: Str('in_hbacrule*', cli_name='in_hbacrules')
option: Str('in_netgroup*', cli_name='in_netgroups')
option: Str('in_role*', cli_name='in_roles')
+option: Str('in_subid*', cli_name='in_subids')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
-option: Int('ipasubgidnumber?', autofill=False, cli_name='subgid')
-option: Int('ipasubuidnumber?', autofill=False, cli_name='subuid')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -5123,6 +5122,7 @@ option: Str('not_in_group*', cli_name='not_in_groups')
option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules')
option: Str('not_in_netgroup*', cli_name='not_in_netgroups')
option: Str('not_in_role*', cli_name='not_in_roles')
+option: Str('not_in_subid*', cli_name='not_in_subids')
option: Str('not_in_sudorule*', cli_name='not_in_sudorules')
option: Str('ou?', autofill=False, cli_name='orgunit')
option: Str('pager*', autofill=False)
@@ -5148,7 +5148,7 @@ output: ListOfEntries('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: Output('truncated', type=[<type 'bool'>])
command: stageuser_mod/1
-args: 1,52,3
+args: 1,51,3
arg: Str('uid', cli_name='login')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -5170,7 +5170,6 @@ option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_d
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
-option: Int('ipasubuidnumber?', autofill=False, cli_name='subuid')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -5263,6 +5262,100 @@ option: Str('version?')
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
+command: subid_add/1
+args: 1,8,3
+arg: Str('ipauniqueid?', cli_name='id')
+option: Str('addattr*', cli_name='addattr')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('description?', cli_name='desc')
+option: Str('ipaowner', cli_name='owner')
+option: Int('ipasubuidnumber?', cli_name='subuid')
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('setattr*', cli_name='setattr')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
+command: subid_del/1
+args: 1,2,3
+arg: Str('ipauniqueid+', cli_name='id')
+option: Flag('continue', autofill=True, cli_name='continue', default=False)
+option: Str('version?')
+output: Output('result', type=[<type 'dict'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: ListOfPrimaryKeys('value')
+command: subid_find/1
+args: 1,11,4
+arg: Str('criteria?')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('description?', autofill=False, cli_name='desc')
+option: Str('ipaowner?', autofill=False, cli_name='owner')
+option: Int('ipasubgidnumber?', autofill=False, cli_name='subgid')
+option: Int('ipasubuidnumber?', autofill=False, cli_name='subuid')
+option: Str('ipauniqueid?', autofill=False, cli_name='id')
+option: Flag('pkey_only?', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Int('sizelimit?', autofill=False)
+option: Int('timelimit?', autofill=False)
+option: Str('version?')
+output: Output('count', type=[<type 'int'>])
+output: ListOfEntries('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: Output('truncated', type=[<type 'bool'>])
+command: subid_generate/1
+args: 0,4,3
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('ipaowner?', cli_name='owner')
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
+command: subid_match/1
+args: 1,7,4
+arg: Str('criteria?')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Int('ipasubuidnumber', autofill=False, cli_name='subuid')
+option: Flag('pkey_only?', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Int('sizelimit?', autofill=False)
+option: Int('timelimit?', autofill=False)
+option: Str('version?')
+output: Output('count', type=[<type 'int'>])
+output: ListOfEntries('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: Output('truncated', type=[<type 'bool'>])
+command: subid_mod/1
+args: 1,8,3
+arg: Str('ipauniqueid', cli_name='id')
+option: Str('addattr*', cli_name='addattr')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('delattr*', cli_name='delattr')
+option: Str('description?', autofill=False, cli_name='desc')
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Flag('rights', autofill=True, default=False)
+option: Str('setattr*', cli_name='setattr')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
+command: subid_show/1
+args: 1,4,3
+arg: Str('ipauniqueid', cli_name='id')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Flag('rights', autofill=True, default=False)
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
+command: subid_stats/1
+args: 0,3,2
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
command: sudocmd_add/1
args: 1,7,3
arg: Str('sudocmd', cli_name='command')
@@ -6062,7 +6155,7 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: user_add/1
-args: 1,47,3
+args: 1,46,3
arg: Str('uid', cli_name='login')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -6079,7 +6172,6 @@ option: Str('givenname', cli_name='first')
option: Str('homedirectory?', cli_name='homedir')
option: Str('initials?', autofill=True)
option: Str('ipasshpubkey*', cli_name='sshpubkey')
-option: Int('ipasubuidnumber?', cli_name='subuid')
option: Str('ipatokenradiusconfiglink?', cli_name='radius')
option: Str('ipatokenradiususername?', cli_name='radius_username')
option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -6161,16 +6253,6 @@ option: Str('version?')
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
-command: user_auto_subid/1
-args: 1,4,3
-arg: Str('uid', cli_name='login')
-option: Flag('all', autofill=True, cli_name='all', default=False)
-option: Flag('no_members', autofill=True, default=False)
-option: Flag('raw', autofill=True, cli_name='raw', default=False)
-option: Str('version?')
-output: Entry('result')
-output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
-output: PrimaryKey('value')
command: user_del/1
args: 1,3,3
arg: Str('uid+', cli_name='login')
@@ -6213,14 +6295,13 @@ option: Str('in_group*', cli_name='in_groups')
option: Str('in_hbacrule*', cli_name='in_hbacrules')
option: Str('in_netgroup*', cli_name='in_netgroups')
option: Str('in_role*', cli_name='in_roles')
+option: Str('in_subid*', cli_name='in_subids')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
-option: Int('ipasubgidnumber?', autofill=False, cli_name='subgid')
-option: Int('ipasubuidnumber?', autofill=False, cli_name='subuid')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -6237,6 +6318,7 @@ option: Str('not_in_group*', cli_name='not_in_groups')
option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules')
option: Str('not_in_netgroup*', cli_name='not_in_netgroups')
option: Str('not_in_role*', cli_name='not_in_roles')
+option: Str('not_in_subid*', cli_name='not_in_subids')
option: Str('not_in_sudorule*', cli_name='not_in_sudorules')
option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False)
option: Str('ou?', autofill=False, cli_name='orgunit')
@@ -6264,23 +6346,8 @@ output: Output('count', type=[<type 'int'>])
output: ListOfEntries('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: Output('truncated', type=[<type 'bool'>])
-command: user_match_subid/1
-args: 1,8,4
-arg: Str('criteria?')
-option: Flag('all', autofill=True, cli_name='all', default=False)
-option: Int('ipasubuidnumber', autofill=False, cli_name='subuid')
-option: Flag('no_members', autofill=True, default=True)
-option: Flag('pkey_only?', autofill=True, default=False)
-option: Flag('raw', autofill=True, cli_name='raw', default=False)
-option: Int('sizelimit?', autofill=False)
-option: Int('timelimit?', autofill=False)
-option: Str('version?')
-output: Output('count', type=[<type 'int'>])
-output: ListOfEntries('result')
-output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
-output: Output('truncated', type=[<type 'bool'>])
command: user_mod/1
-args: 1,53,3
+args: 1,52,3
arg: Str('uid', cli_name='login')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -6302,7 +6369,6 @@ option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_d
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
-option: Int('ipasubuidnumber?', autofill=False, cli_name='subuid')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -7138,6 +7204,15 @@ default: stageuser_remove_certmapdata/1
default: stageuser_remove_manager/1
default: stageuser_remove_principal/1
default: stageuser_show/1
+default: subid/1
+default: subid_add/1
+default: subid_del/1
+default: subid_find/1
+default: subid_generate/1
+default: subid_match/1
+default: subid_mod/1
+default: subid_show/1
+default: subid_stats/1
default: sudocmd/1
default: sudocmd_add/1
default: sudocmd_del/1
@@ -7216,12 +7291,10 @@ default: user_add_cert/1
default: user_add_certmapdata/1
default: user_add_manager/1
default: user_add_principal/1
-default: user_auto_subid/1
default: user_del/1
default: user_disable/1
default: user_enable/1
default: user_find/1
-default: user_match_subid/1
default: user_mod/1
default: user_remove_cert/1
default: user_remove_certmapdata/1
diff --git a/doc/designs/subordinate-ids.md b/doc/designs/subordinate-ids.md
index 1b578667a8cfdda223af38a14d142c72a5d5c073..b3be3bcfa275e836e777f807d5210a4db6be0f79 100644
--- a/doc/designs/subordinate-ids.md
+++ b/doc/designs/subordinate-ids.md
@@ -1,5 +1,9 @@
# Central management of subordinate user and group ids
+## OUTDATED
+
+**The design document does not reflect new implementation yet!**
+
Subordinate ids are a Linux Kernel feature to grant a user additional
user and group id ranges. Amongst others the feature can be used
by container runtime engies to implement rootless containers.
@@ -74,8 +78,10 @@ basic use cases. Some restrictions may be lifted in the future.
to the same value.
* counts are hard-coded to value 65536
* once assigned subids cannot be removed
-* IPA does not support multiple subordinate id ranges. Contrary to
- ``/etc/subuid``, users are limited to one set of subordinate ids.
+* IPA does not support multiple subordinate id ranges, yet. Contrary to
+ ``/etc/subuid``, users are limited to one set of subordinate ids. The
+ limitation is implemented with a unique index on owner reference and
+ can be lifted in the future.
* subids are auto-assigned. Auto-assignment is currently emulated
until 389-DS has been extended to support DNA with step interval.
* subids are allocated from hard-coded range
@@ -118,20 +124,21 @@ to servers. The DNA plug-in guarantees uniqueness across servers.
### LDAP schema extension
The subordinate id feature introduces a new auxiliar object class
-``ipaSubordinateId`` with four required attributes ``ipaSubUidNumber``,
-``ipaSubUidCount``, ``ipaSubGidNumber``, and ``ipaSubGidCount``. The
-attributes with ``number`` suffix store the start value of the interval.
-The ``count`` attributes contain the size of the interval including the
-start value. The maximum subid is
-``ipaSubUidNumber + ipaSubUidCount - 1``.
-
-All four attributes are single-value ``INTEGER`` type with standard
-integer matching rules. OIDs ``2.16.840.1.113730.3.8.23.8`` and
+``ipaSubordinateId`` with five required attributes ``ipaOwner``,
+``ipaSubUidNumber``, ``ipaSubUidCount``, ``ipaSubGidNumber``, and
+``ipaSubGidCount``. The attributes with ``number`` suffix store the
+start value of the interval. The ``count`` attributes contain the
+size of the interval including the start value. The maximum subid is
+``ipaSubUidNumber + ipaSubUidCount - 1``. The ``ipaOwner`` attribute
+is a reference to the owning user.
+
+All count and number attributes are single-value ``INTEGER`` type with
+standard integer matching rules. OIDs ``2.16.840.1.113730.3.8.23.8`` and
``2.16.840.1.113730.3.8.23.11`` are reserved for future use.
```raw
attributeTypes: (
- 2.16.840.1.113730.3.8.23.6
+ 2.16.840.1.113730.3.8.23.7
NAME 'ipaSubUidNumber'
DESC 'Numerical subordinate user ID (range start value)'
EQUALITY integerMatch ORDERING integerOrderingMatch
@@ -139,7 +146,7 @@ attributeTypes: (
X-ORIGIN 'IPA v4.9'
)
attributeTypes: (
- 2.16.840.1.113730.3.8.23.7
+ 2.16.840.1.113730.3.8.23.8
NAME 'ipaSubUidCount'
DESC 'Subordinate user ID count (range size)'
EQUALITY integerMatch ORDERING integerOrderingMatch
@@ -147,7 +154,7 @@ attributeTypes: (
X-ORIGIN 'IPA v4.9'
)
attributeTypes: (
- 2.16.840.1.113730.3.8.23.9
+ 2.16.840.1.113730.3.8.23.10
NAME 'ipaSubGidNumber'
DESC 'Numerical subordinate group ID (range start value)'
EQUALITY integerMatch ORDERING integerOrderingMatch
@@ -155,7 +162,7 @@ attributeTypes: (
X-ORIGIN 'IPA v4.9'
)
attributeTypes: (
- 2.16.840.1.113730.3.8.23.10
+ 2.16.840.1.113730.3.8.23.11
NAME 'ipaSubGidCount'
DESC 'Subordinate group ID count (range size)'
EQUALITY integerMatch ORDERING integerOrderingMatch
@@ -164,51 +171,96 @@ attributeTypes: (
)
```
-The ``ipaSubordinateId`` object class is an auxiliar subclass of
+The ``ipaOwner`` attribute is a single-value DN attribute that refers
+to user entry that owns the subordinate ID entry. The proposal does not
+reuse any of the existing attributes like ``owner`` or ``member``,
+because they are all multi-valued.
+
+```
+attributeTypes: (
+ 2.16.840.1.113730.3.8.23.13
+ NAME 'ipaOwner'
+ DESC 'Owner of an entry'
+ SUP distinguishedName
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+ SINGLE-VALUE
+ X-ORIGIN 'IPA v4.9')
+```
+
+The ``ipaSubordinateId`` object class is an auxiliary subclass of
``top`` and requires all four subordinate id attributes as well as
-``uidNumber``. It does not subclass ``posixAccount`` to make
-the class reusable in idview overrides later.
+``ipaOwner`` attribute``
```raw
objectClasses: (
2.16.840.1.113730.3.8.24.4
NAME 'ipaSubordinateId'
DESC 'Subordinate uid and gid for users'
- SUP top AUXILIARY
- MUST ( uidNumber $ ipaSubUidNumber $ ipaSubUidCount $ ipaSubGidNumber $ ipaSubGidCount )
+ SUP top
+ AUXILIARY
+ MUST ( ipaOwner $ ipaSubUidNumber $ ipaSubUidCount $ ipaSubGidNumber $ ipaSubGidCount )
X-ORIGIN 'IPA v4.9'
)
```
The ``ipaSubordinateGid`` and ``ipaSubordinateUid`` are defined for
-future use. IPA always assumes the presence of ``ipaSubordinateId`` and
-does not use these object classes.
+future use. IPA always assumes the presence of ``ipaSubordinateId``.
```raw
objectClasses: (
2.16.840.1.113730.3.8.24.2
NAME 'ipaSubordinateUid'
DESC 'Subordinate uids for users, see subuid(5)'
- SUP top AUXILIARY
- MUST ( uidNumber $ ipaSubUidNumber $ ipaSubUidCount )
+ SUP top
+ AUXILIARY
+ MUST ( ipaOwner $ ipaSubUidNumber $ ipaSubUidCount )
X-ORIGIN 'IPA v4.9'
)
objectClasses: (
2.16.840.1.113730.3.8.24.3
NAME 'ipaSubordinateGid'
DESC 'Subordinate gids for users, see subgid(5)'
- SUP top AUXILIARY
- MUST ( uidNumber $ ipaSubGidNumber $ ipaSubGidCount )
+ SUP top
+ AUXILIARY
+ MUST ( ipaOwner $ ipaSubGidNumber $ ipaSubGidCount )
X-ORIGIN 'IPA v4.9'
)
```
-### Index
+Subordinate id entries have the structural object class
+``ipaSubordinateIdEntry`` and one or more of the auxiliary object
+classes ``ipaSubordinateId``, ``ipaSubordinateGid``, or
+``ipaSubordinateUid``. ``ipaUniqueId`` is used as a primary key (RDN).
+
+```raw
+objectClasses: (
+ 2.16.840.1.113730.3.8.24.5
+ NAME 'ipaSubordinateIdEntry'
+ DESC 'Subordinate uid and gid entry'
+ SUP top
+ STRUCTURAL
+ MUST ( ipaUniqueId ) MAY ( description ) X-ORIGIN 'IPA v4.9'
+)
+```
+
+### cn=subids,cn=accounts,$SUFFIX
+
+Subordiante ids and ACIs are stored in the new subtree
+``cn=subids,cn=accounts,$SUFFIX``.
+
+### Index, integrity, memberOf
The attributes ``ipaSubUidNumber`` and ``ipaSubGidNumber`` are index
for ``pres`` and ``eq`` with ``nsMatchingRule: integerOrderingMatch``
to enable efficient ``=``, ``>=``, and ``<=`` searches.
+The attribute ``ipaOwner`` is indexed for ``pres`` and ``eq``. This DN
+attribute is also checked for referential integrity and uniqueness
+within the ``cn=subids,cn=accounts,$SUFFIX`` subtree. The memberOf
+plugin creates back-references for ``ipaOwner`` references.
+
+
### Distributed numeric assignment (DNA) plug-in extension
Subordinate id auto-assignment requires an extension of 389-DS'
@@ -221,6 +273,85 @@ option ``dnaStepAttr`` (name is tentative) will tell the DNA plug-in
to use the value of entry attributes as step size.
+## IPA plugins and commands
+
+The config plugin has a new option to enable or disable generation of
+subordinate id entries for new users:
+
+```raw
+$ ipa config-mod --user-default-subid=true
+```
+
+Subordinate ids are managed by a new plugin class. The ``subid-add``
+and ``subid-del`` commands are hidden from command line. New subordinate
+ids are generated and auto-assigned with ``subid-generate``.
+
+```raw
+$ ipa help subid
+Topic commands:
+ subid-find Search for subordinate id.
+ subid-generate Generate and auto-assign subuid and subgid range to user entry
+ subid-match Match users by any subordinate uid in their range
+ subid-mod Modify a subordinate id.
+ subid-show Display information about a subordinate id.
+ subid-stats Subordinate id statistics
+```
+
+```raw
+$ ipa subid-generate --owner testuser9
+-----------------------------------------------------------
+Added subordinate id "aa28f132-457c-488b-82e1-d123727e4f81"
+-----------------------------------------------------------
+ Unique ID: aa28f132-457c-488b-82e1-d123727e4f81
+ Description: auto-assigned subid
+ Owner: testuser9
+ SubUID range start: 3922132992
+ SubUID range size: 65536
+ SubGID range start: 3922132992
+ SubGID range size: 65536
+```
+
+
+```raw
+$ ipa subid-find --owner testuser9
+------------------------
+1 subordinate id matched
+------------------------
+ Unique ID: aa28f132-457c-488b-82e1-d123727e4f81
+ Owner: testuser9
+ SubUID range start: 3922132992
+ SubUID range size: 65536
+ SubGID range start: 3922132992
+ SubGID range size: 65536
+----------------------------
+Number of entries returned 1
+----------------------------
+```
+
+```raw
+$ ipa -vv subid-stats
+...
+ipa: INFO: Response: {
+ "error": null,
+ "id": 0,
+ "principal": "admin@IPASUBID.TEST",
+ "result": {
+ "result": {
+ "assigned_subids": 20,
+ "baseid": 2147483648,
+ "dna_remaining": 4293394434,
+ "rangesize": 2147352576,
+ "remaining_subids": 65512
+ },
+ "summary": "65532 remaining subordinate id ranges"
+ },
+ "version": "4.10.0.dev"
+}
+-------------------------------------
+65532 remaining subordinate id ranges
+-------------------------------------
+```
+
## Permissions, Privileges, Roles
### Self-servive RBAC
@@ -246,6 +377,13 @@ be modified or deleted.
* Privilege: *Subordinate ID Administrators*
* default privilege role: *User Administrator*
+### Managed permissions
+
+* *System: Read Subordinate Id Attributes* (all authenticated users)
+* *System: Read Subordinate Id Count* (all authenticated usrs)
+* *System: Manage Subordinate Ids* (User Administrators)
+* *System: Remove Subordinate Ids* (User Administrators)
+
## Workflows
@@ -257,12 +395,12 @@ to assign subordinate ids to users.
Users with *User Administrator* role and members of the *admins* group
have permission to auto-assign new subordinate ids to any user. Auto
-assignment can be performed with new ``user-auto-subid`` command on the
+assignment can be performed with new ``subid-generate`` command on the
command line or with the *Auto assign subordinate ids* action in the
*Actions* drop-down menu in the web UI.
```shell
-$ ipa user-auto-subid someusername
+$ ipa subid-generate --owner myusername
```
### Self-service for group members
@@ -279,27 +417,14 @@ $ ipa role-add-member "Subordinate ID Selfservice User" --groups=ipausers
```
This allows members of ``ipausers`` to request subordinate ids with
-the ``user-auto-subid`` command or the *Auto assign subordinate ids*
-action in the web UI.
-
-```shell
-$ ipa user-auto-subid myusername
-```
-
-### Auto assignment with user default object class
-
-Admins can also enable auto-assignment of subordinate ids for all new
-users by adding ``ipasubordinateid`` as a default user objectclass.
-This can be accomplished in the web UI under "IPA Server" /
-"Configuration" / "Default user objectclasses" or on the command line
-with:
+the ``subid-generate`` command or the *Auto assign subordinate ids*
+action in the web UI (**TODO** not implemented yet). The command picks
+the name of the current user principal automatically.
```shell
-$ ipa config-mod --addattr="ipaUserObjectClasses=ipasubordinateid"
+$ ipa subid-generate
```
-**NOTE:** The objectclass must be written all lower case.
-
### ipa-subid tool
Finally IPA includes a new tool for mass-assignment of subordinate ids.
@@ -355,26 +480,25 @@ gid range. The new command ``user-match-subid`` can be used to find a
user by any subordinate id in their range.
```raw
-$ ipa user-match-subid --subuid=2153185287
- User login: asmith
- First name: Alice
- Last name: Smith
- ...
- SubUID range start: 2153185280
+$ ipa subid-match --subuid=2147549183
+------------------------
+1 subordinate id matched
+------------------------
+ Name: asmith-auto
+ Owner: asmith
+ SubUID range start: 2147483648
SubUID range size: 65536
- SubGID range start: 2153185280
+ SubGID range start: 2147483648
SubGID range size: 65536
----------------------------
Number of entries returned 1
----------------------------
-$ ipa user-match-subid --subuid=2153185279
- User login: bjones
- First name: Bob
- Last name: Jones
- ...
- SubUID range start: 2153119744
+$ ipa user-match-subid --subuid=2147549184
+ Name: bjones-auto
+ Owner: bjones
+ SubUID range start: 2147549184
SubUID range size: 65536
- SubGID range start: 2153119744
+ SubGID range start: 2147549184
SubGID range size: 65536
----------------------------
Number of entries returned 1
@@ -383,61 +507,54 @@ Number of entries returned 1
## SSSD integration
-* base: ``cn=accounts,$SUFFIX`` / ``cn=users,cn=accounts,$SUFFIX``
-* scope: ``SCOPE_SUBTREE`` (2) / ``SCOPE_ONELEVEL`` (1)
-* user filter: should include ``(objectClass=posixAccount)``
-* attributes: ``uidNumber ipaSubUidNumber ipaSubUidCount ipaSubGidNumber ipaSubGidCount``
-
-SSSD can safely assume that only *user accounts* of type ``posixAccount``
-have subordinate ids. In the first revision there are no other entries
-with subordinate ids. The ``posixAccount`` object class has ``uid``
-(user login name) and ``uidNumber`` (numeric user id) as mandatory
-attributes. The ``uid`` attribute is guaranteed to be unique across
-all user accounts in an IPA domain.
-
-The ``uidNumber`` attribute is commonly unique, too. However it's
-technically possible that an administrator has assigned the same
-numeric user id to multiple users. Automatically assigned uid numbers
-don't conflict. SSSD should treat multiple users with same numeric
-user id as an error.
+* search base: ``cn=subids,cn=accounts,$SUFFIX``
+* scope: ``SCOPE_ONELEVEL`` (1)
+* filter: ``(objectClass=ipaSubordinateId)``
+* attributes: ``ipaOwner ipaSubUidNumber ipaSubUidCount ipaSubGidNumber ipaSubGidCount``
The attribute ``ipaSubUidNumber`` is always accompanied by
``ipaSubUidCount`` and ``ipaSubGidNumber`` is always accompanied
by ``ipaSubGidCount``. In revision 1 the presence of
``ipaSubUidNumber`` implies presence of the other three attributes.
-All four subordinate id attributes and ``uidNumber`` are single-value
-``INTEGER`` types. Any value outside of range of ``uint32_t`` must
-treated as invalid. SSSD will never see the DNA magic value ``-1``
-in ``cn=accounts,$SUFFIX`` subtree.
-
-IPA recommends that SSSD simply extends its existing query for user
-accounts and requests the four subordinate attributes additionally to
-RFC 2307 attributes ``rfc2307_user_map``. SSSD can directly take the
-values and return them without further processing, e.g.
-``uidNumber:ipaSubUidNumber:ipaSubUidCount`` for ``/etc/subuid``.
-
-Filters for additional cases:
-
-* subuid filter (find user with subuid by numeric uid):
- ``&((objectClass=posixAccount)(ipaSubUidNumber=*)(uidNumber=$UID))``,
- ``(&(objectClass=ipaSubordinateId)(uidNumber=$UID))``, or similar
-* subuid enumeration filter:
- ``&((objectClass=posixAccount)(ipaSubUidNumber=*)(uidNumber=*))``,
- ``(objectClass=ipaSubordinateId)``, or similar
-* subgid filter (find user with subgid by numeric uid):
- ``&((objectClass=posixAccount)(ipaSubGidNumber=*)(uidNumber=$UID))``,
- ``(&(objectClass=ipaSubordinateId)(uidNumber=$UID))``, or similar
-* subgid enumeration filter:
- ``&((objectClass=posixAccount)(ipaSubGidNumber=*)(uidNumber=*))``,
- ``(objectClass=ipaSubordinateId)``, or similar
+All four subordinate id attributes are single-value ``INTEGER`` types.
+Any value outside of range of ``uint32_t`` must treated as invalid.
+SSSD will never see the DNA magic value ``-1`` in
+``cn=accounts,$SUFFIX`` subtree. In revision 1 each user subordinate
+id entry is assigned to exactly one user and each user has either 0
+or 1 subid.
+
+IPA recommends that SSSD uses LDAP deref controls for ``ipaOwner``
+attribute to fetch ``uidNumber`` from the user object.
+
+### Deref control example
+
+```raw
+$ ldapsearch -L -E '!deref=ipaOwner:uid,uidNumber' \
+ -b 'cn=subids,cn=accounts,dc=ipasubid,dc=test' \
+ '(ipaOwner=uid=testuser10,cn=users,cn=accounts,dc=ipasubid,dc=test)'
+
+dn: ipauniqueid=35c02c93-3799-4551-a355-ebbf042e431c,cn=subids,cn=accounts,dc=ipasubid,dc=test
+# control: 1.3.6.1.4.1.4203.666.5.16 false MIQAAABxMIQAAABrBAhpcGFPd25lcgQ3dWlk
+ PXRlc3R1c2VyMTAsY249dXNlcnMsY249YWNjb3VudHMsZGM9aXBhc3ViaWQsZGM9dGVzdKCEAAAAIj
+ CEAAAAHAQJdWlkTnVtYmVyMYQAAAALBAk2MjgwMDAwMTE=
+# ipaOwner: <uidNumber=628000011>;uid=testuser10,cn=users,cn=accounts,dc=ipasubid,dc=test
+
+ipaOwner: uid=testuser10,cn=users,cn=accounts,dc=ipasubid,dc=test
+ipaUniqueID: 35c02c93-3799-4551-a355-ebbf042e431c
+description: auto-assigned subid
+objectClass: ipasubordinateidentry
+objectClass: ipasubordinategid
+objectClass: ipasubordinateuid
+objectClass: ipasubordinateid
+objectClass: top
+ipaSubUidNumber: 3434020864
+ipaSubGidNumber: 3434020864
+ipaSubUidCount: 65536
+ipaSubGidCount: 65536
+```
## Implementation details
-* The four subid attributes are not included in
- ``baseuser.default_attributes`` on purpose. The ``config-mod``
- command does not permit removal of a user default objectclasses
- when the class is the last provider of an attribute in
- ``default_attributes``.
* ``ipaSubordinateId`` object class does not subclass the other two
object classes. LDAP supports
``SUP ( ipaSubordinateGid $ ipaSubordinateUid )`` but 389-DS only
@@ -459,6 +576,13 @@ Filters for additional cases:
* Shared DNA configuration entries in ``cn=dna,cn=ipa,cn=etc,$SUFFIX``
are automatically removed by existing code. Server and replication
plug-ins search and delete entries by ``dnaHostname`` attribute.
+* ``ipaSubordinateId`` entries no longer contains ``uidNumber``
+ attribute. I considered to use CoS plugin to provide ``uidNumber``
+ as virtual attribute. However it's not possible to
+ ``objectClass: cosIndirectDefinition`` with
+ ``cosIndirectSpecifier: ipaOwner`` and
+ ``cosAttribute: uidNumber override`` for the task. Indexes and
+ searches don't work with virtual attributes.
### TODO
@@ -466,3 +590,23 @@ Filters for additional cases:
* remove ``fake_dna_plugin`` hack from ``baseuser`` plug-in.
* add custom range type for idranges and teach AD trust, sidgen, and
range overlap check code to deal with new range type.
+
+#### user-del --preserve
+
+Preserving a user with ``ipa user-del --preserve`` currently fails with
+an ObjectclassViolation error (err=65). The problem is caused by
+configuration of referential integrity postoperation plug-in. The
+plug-in excludes the subtree
+``nsslapd-pluginexcludeentryscope: cn=provisioning,$SUFFX``. Preserved
+users are moved into the staging area of the provisioning subtree.
+Since the ``ipaOwner`` DN target is now out of scope, the plug-in
+attempts to delete references. However ``ipaOwner`` is a required
+attribute, which triggers the objectclass violation.
+
+Possible solutions
+
+* Don't preserve subid entries
+* Implement preserve feature for subid entries and move subids of
+ preserved users into
+ ``cn=deleted subids,cn=accounts,cn=provisioning,$SUFFIX`` subtree.
+* Change ``nsslapd-pluginexcludeentryscope`` setting
diff --git a/install/share/60basev4.ldif b/install/share/60basev4.ldif
index 7f5173e593ff68a03d4005957b1dc9b9eb489dc5..c48b0c36a3012d86a74e12a77695e29cceafb698 100644
--- a/install/share/60basev4.ldif
+++ b/install/share/60basev4.ldif
@@ -5,15 +5,16 @@
##
dn: cn=schema
# subordinate ids
-# range ceiling OIDs are reserved for future use (operational attribute?)
-# object class requires uidNumber but does not subclass posixAccount so we
-# can re-use the object class in idview overrides later.
-attributeTypes: ( 2.16.840.1.113730.3.8.23.6 NAME 'ipaSubUidNumber' DESC 'Numerical subordinate user ID (range start value)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
-attributeTypes: ( 2.16.840.1.113730.3.8.23.7 NAME 'ipaSubUidCount' DESC 'Subordinate user ID count (range size)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
-# attributeTypes: ( 2.16.840.1.113730.3.8.23.8 NAME 'ipaSubUidCeiling' DESC 'Numerical subordinate user ID ceiling (largest value in range)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
-attributeTypes: ( 2.16.840.1.113730.3.8.23.9 NAME 'ipaSubGidNumber' DESC 'Numerical subordinate group ID (range start value)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
-attributeTypes: ( 2.16.840.1.113730.3.8.23.10 NAME 'ipaSubGidCount' DESC 'Subordinate group ID count (range size)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
-# attributeTypes: ( 2.16.840.1.113730.3.8.23.11 NAME 'ipaSubGidCeiling' DESC 'Numerical subordinate user ID ceiling (largest value in range)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
-objectClasses: (2.16.840.1.113730.3.8.24.2 NAME 'ipaSubordinateUid' DESC 'Subordinate uids for users, see subuid(5)' SUP top AUXILIARY MUST ( uidNumber $ ipaSubUidNumber $ ipaSubUidCount ) X-ORIGIN 'IPA v4.9')
-objectClasses: (2.16.840.1.113730.3.8.24.3 NAME 'ipaSubordinateGid' DESC 'Subordinate gids for users, see subgid(5)' SUP top AUXILIARY MUST ( uidNumber $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
-objectClasses: (2.16.840.1.113730.3.8.24.4 NAME 'ipaSubordinateId' DESC 'Subordinate uid and gid for users' SUP top AUXILIARY MUST ( uidNumber $ ipaSubUidNumber $ ipaSubUidCount $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
+# range ceiling OIDs are reserved for future use
+attributeTypes: ( 2.16.840.1.113730.3.8.23.7 NAME 'ipaSubUidNumber' DESC 'Numerical subordinate user ID (range start value)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.8 NAME 'ipaSubUidCount' DESC 'Subordinate user ID count (range size)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+# attributeTypes: ( 2.16.840.1.113730.3.8.23.9 NAME 'ipaSubUidCeiling' DESC 'Numerical subordinate user ID ceiling (largest value in range)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.10 NAME 'ipaSubGidNumber' DESC 'Numerical subordinate group ID (range start value)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.11 NAME 'ipaSubGidCount' DESC 'Subordinate group ID count (range size)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+# attributeTypes: ( 2.16.840.1.113730.3.8.23.12 NAME 'ipaSubGidCeiling' DESC 'Numerical subordinate user ID ceiling (largest value in range)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.13 NAME 'ipaOwner' DESC 'Owner of an entry' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+# attribute 2.16.840.1.113730.3.8.23.14 'ipaUserDefaultSubordinateId' is defined in 60ipaconfig.ldif
+objectClasses: (2.16.840.1.113730.3.8.24.2 NAME 'ipaSubordinateUid' DESC 'Subordinate uids for users, see subuid(5)' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubUidNumber $ ipaSubUidCount ) X-ORIGIN 'IPA v4.9')
+objectClasses: (2.16.840.1.113730.3.8.24.3 NAME 'ipaSubordinateGid' DESC 'Subordinate gids for users, see subgid(5)' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
+objectClasses: (2.16.840.1.113730.3.8.24.4 NAME 'ipaSubordinateId' DESC 'Subordinate uid and gid for users' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubUidNumber $ ipaSubUidCount $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
+objectClasses: (2.16.840.1.113730.3.8.24.5 NAME 'ipaSubordinateIdEntry' DESC 'Subordinate uid and gid entry' SUP top STRUCTURAL MUST ( ipaUniqueId ) MAY ( description ) X-ORIGIN 'IPA v4.9')
diff --git a/install/share/60ipaconfig.ldif b/install/share/60ipaconfig.ldif
index dbcf9ee603b361f6aac1413d0a53fff5561b6f89..f84b38ead1d70ff408f5669029f1517b0c98ecf1 100644
--- a/install/share/60ipaconfig.ldif
+++ b/install/share/60ipaconfig.ldif
@@ -6,6 +6,7 @@
## ObjectClasses: 2.16.840.1.113730.3.8.2 - V1
## Attributes: 2.16.840.1.113730.3.8.3 - V2
## ObjectClasses: 2.16.840.1.113730.3.8.4 - V2
+## Attributes: 2.16.840.1.113730.3.8.23 - V4 base attributes
dn: cn=schema
###############################################
##
@@ -45,11 +46,13 @@ attributeTypes: ( 2.16.840.1.113730.3.8.3.26 NAME 'ipaSELinuxUserMapDefault' DES
attributeTypes: ( 2.16.840.1.113730.3.8.3.27 NAME 'ipaSELinuxUserMapOrder' DESC 'Available SELinux user context ordering' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
## ipaMaxHostnameLength - maximum hostname length to allow
attributeTypes: ( 2.16.840.1.113730.3.8.1.28 NAME 'ipaMaxHostnameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+# ipaUserDefaultSubordinateId - if TRUE new user entries gain subordinate id by default
+attributeTypes: ( 2.16.840.1.113730.3.8.3.23.14 NAME 'ipaUserDefaultSubordinateId' DESC 'Enable adding user entries with subordinate id' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
###############################################
##
## ObjectClasses
##
## ipaGuiConfig - GUI config parameters objectclass
-objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData $ ipaMaxHostnameLength) )
+objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData $ ipaMaxHostnameLength $ ipaUserDefaultSubordinateId) )
## ipaConfigObject - Generic config strings object holder
objectClasses: (2.16.840.1.113730.3.8.4.13 NAME 'ipaConfigObject' DESC 'generic config object for IPA' AUXILIARY MAY ( ipaConfigString ) X-ORIGIN 'IPA v2' )
diff --git a/install/share/dna.ldif b/install/share/dna.ldif
index 649313e72fc58112865e5901125923b3704276b1..735faab8261feef59486f7c933b01c57ad511166 100644
--- a/install/share/dna.ldif
+++ b/install/share/dna.ldif
@@ -29,12 +29,12 @@ dnaMagicRegen: -1
dnaFilter: (objectClass=ipaSubordinateId)
dnaScope: $SUFFIX
dnaThreshold: eval($SUBID_DNA_THRESHOLD)
-# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
-# dnaStepAttr: ipaSubUidCount
-# dnaStepAttr: ipaSubGidCount
-# dnaStepAllowedValues: eval($SUBID_COUNT)
dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
dnaExcludeScope: cn=provisioning,$SUFFIX
+# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
+# dnaIntervalAttr: ipasubuidcount
+# dnaIntervalAttr: ipasubgidcount
+# dnaMaxInterval: eval($SUBID_COUNT)
# Enable the DNA plugin
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
diff --git a/install/share/memberof-conf.ldif b/install/share/memberof-conf.ldif
index 79ad647e76feb6647524553a634c91c66ebd178e..3c22dfa9e52b8005bac88cd0962571c6fea18e7b 100644
--- a/install/share/memberof-conf.ldif
+++ b/install/share/memberof-conf.ldif
@@ -8,4 +8,6 @@ memberofgroupattr: memberUser
-
add: memberofgroupattr
memberofgroupattr: memberHost
-
+-
+add: memberofgroupattr
+memberofgroupattr: ipaOwner
diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js
index 093737b8f923b41e8a1eabc90f66c6709991e239..9e0007528febb3d6641d152c72c51328d2d72cf6 100644
--- a/install/ui/src/freeipa/app.js
+++ b/install/ui/src/freeipa/app.js
@@ -52,6 +52,7 @@ define([
'./serverconfig',
'./service',
'./stageuser',
+ './subid',
'./sudo',
'./trust',
'./topology',
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 0c30459691d8f652dc35ccf74ed27fae7654020d..6ccd06919fbe04c7e8d2034ff7a1f644f373c607 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -103,7 +103,8 @@ var nav = {};
]
}
]
- }
+ },
+ { entity: 'subid' }
]
},
{
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index bb26b107317ae12ee032fb767fcfc9060690c66e..9de0bab4b64abf1094e52dffda8add5349dc0e3c 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -123,6 +123,10 @@ return {
$type: 'checkbox',
name: 'ipamigrationenabled'
},
+ {
+ $type: 'checkbox',
+ name: 'ipauserdefaultsubordinateid'
+ },
{
$type: 'multivalued',
name: 'ipauserobjectclasses'
diff --git a/install/ui/src/freeipa/subid.js b/install/ui/src/freeipa/subid.js
new file mode 100644
index 0000000000000000000000000000000000000000..f286165070b08badf77cac6c30e93cab916c2acc
--- /dev/null
+++ b/install/ui/src/freeipa/subid.js
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2021 FreeIPA Contributors see COPYING for license
+ */
+
+define([
+ 'dojo/on',
+ './ipa',
+ './jquery',
+ './phases',
+ './reg',
+ './details',
+ './search',
+ './association',
+ './entity'],
+ function(on, IPA, $, phases, reg) {
+
+var exp = IPA.subid = {};
+
+var make_spec = function() {
+return {
+ name: 'subid',
+ facets: [
+ {
+ $type: 'search',
+ columns: [
+ 'ipauniqueid',
+ 'ipaowner',
+ 'ipasubgidnumber',
+ 'ipasubuidnumber'
+ ]
+ },
+ {
+ $type: 'details',
+ sections: [
+ {
+ name: 'details',
+ fields: [
+ 'ipauniqueid',
+ 'description',
+ {
+ name: 'ipaowner',
+ label: '@i18n:objects.subid.ipaowner',
+ title: '@mo-param:subid:ipaowner:label'
+ },
+ {
+ name: 'ipasubgidnumber',
+ label: '@i18n:objects.subid.ipasubgidnumber',
+ title: '@mo-param:subid:ipasubgidnumber:label'
+ },
+ {
+ name: 'ipasubgidcount',
+ label: '@i18n:objects.subid.ipasubgidcount',
+ title: '@mo-param:subid:ipasubgidcount:label'
+ },
+ {
+ name: 'ipasubuidnumber',
+ label: '@i18n:objects.subid.ipasubuidnumber',
+ title: '@mo-param:subid:ipasubuidnumber:label'
+ },
+ {
+ name: 'ipasubuidcount',
+ label: '@i18n:objects.subid.ipasubuidcount',
+ title: '@mo-param:subid:ipasubuidcount:label'
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ adder_dialog: {
+ title: '@i18n:objects.subid.add',
+ method: 'generate',
+ fields: [
+ {
+ $type: 'entity_select',
+ name: 'ipaowner',
+ other_entity: 'user',
+ other_field: 'uid'
+ }
+ ]
+ }
+};};
+
+exp.entity_spec = make_spec();
+exp.register = function() {
+ var e = reg.entity;
+ e.register({type: 'subid', spec: exp.entity_spec});
+};
+phases.on('registration', exp.register);
+
+return {};
+});
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index 5b49b0f6edbbbb6c802afb803a6406a0ab796c44..56bb6f4feffb637d33a57aecf9a98f08d4639550 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -259,33 +259,6 @@ return {
}
]
},
- {
- name: 'subordinate',
- label: '@i18n:objects.subordinate.identity',
- fields: [
- {
- name: 'ipasubuidnumber',
- label: '@i18n:objects.subordinate.subuidnumber',
- read_only: true
- },
- {
- name: 'ipasubuidcount',
- label: '@i18n:objects.subordinate.subuidcount',
- read_only: true
-
- },
- {
- name: 'ipasubgidnumber',
- label: '@i18n:objects.subordinate.subgidnumber',
- read_only: true
- },
- {
- name: 'ipasubgidcount',
- label: '@i18n:objects.subordinate.subgidcount',
- read_only: true
- }
- ]
- },
{
name: 'pwpolicy',
label: '@i18n:objects.pwpolicy.identity',
@@ -478,16 +451,6 @@ return {
enable_cond: ['is-locked'],
confirm_msg: '@i18n:objects.user.unlock_confirm'
},
- {
- $factory: IPA.object_action,
- name: 'auto_subid',
- method: 'auto_subid',
- label: '@i18n:objects.user.auto_subid',
- needs_confirm: true,
- hide_cond: ['preserved-user'],
- enable_cond: ['no-subid'],
- confirm_msg: '@i18n:objects.user.auto_subid_confirm'
- },
{
$type: 'automember_rebuild',
name: 'automember_rebuild',
@@ -500,20 +463,15 @@ return {
title: '@i18n:objects.cert.issue_for_user'
},
{
- $factory: IPA.object_action,
- name: 'auto_subid',
- method: 'auto_subid',
- label: '@i18n:objects.user.auto_subid',
- needs_confirm: true,
+ $type: 'subid_generate',
hide_cond: ['preserved-user'],
- enable_cond: ['no-subid'],
- confirm_msg: '@i18n:objects.user.auto_subid_confirm'
+ enable_cond: ['no-subid']
}
],
header_actions: [
'reset_password', 'enable', 'disable', 'stage', 'undel',
'delete_active_user', 'delete', 'unlock', 'add_otptoken',
- 'automember_rebuild', 'request_cert', 'auto_subid'
+ 'automember_rebuild', 'request_cert', 'subid_generate'
],
state: {
evaluators: [
@@ -532,7 +490,8 @@ return {
IPA.user.self_service_other_user_evaluator,
IPA.user.preserved_user_evaluator,
IPA.user.is_locked_evaluator,
- IPA.cert.certificate_evaluator
+ IPA.cert.certificate_evaluator,
+ IPA.user.has_subid_evaluator
],
summary_conditions: [
{
@@ -593,6 +552,12 @@ return {
add_title: '@i18n:objects.user.add_into_sudo',
remove_method: 'remove_user',
remove_title: '@i18n:objects.user.remove_from_sudo'
+ },
+ {
+ $type: 'association',
+ name: 'memberof_subid',
+ associator: IPA.serial_associator,
+ read_only: true
}
],
standard_association_facets: {
@@ -1206,7 +1171,31 @@ IPA.user.is_locked_evaluator = function(spec) {
}
}
- if (!user.ipasubuidnumber) {
+ that.notify_on_change(old_state);
+ };
+
+ return that;
+};
+
+IPA.user.has_subid_evaluator = function(spec) {
+
+ spec = spec || {};
+ spec.event = spec.event || 'post_load';
+
+ var that = IPA.state_evaluator(spec);
+ that.name = spec.name || 'has_subid_evaluator';
+ that.param = spec.param || 'memberof_subid';
+
+ /**
+ * Evaluates if user already has a subid
+ */
+ that.on_event = function(data) {
+
+ var old_state = that.state;
+ that.state = [];
+
+ var value = that.adapter.load(data);
+ if (value.length === 0) {
that.state.push('no-subid');
}
@@ -1216,6 +1205,30 @@ IPA.user.is_locked_evaluator = function(spec) {
return that;
};
+IPA.user.subid_generate_action = function(spec) {
+
+ spec = spec || {};
+ spec.name = spec.name || 'subid_generate';
+ spec.label = spec.label || '@i18n:objects.user.auto_subid';
+ spec.hide_cond = spec.hide_cond || ['preserved-user'];
+ spec.confirm_msg = spec.confirm_msg || '@i18n:objects.user.auto_subid_confirm';
+
+ var that = IPA.action(spec);
+
+ that.execute_action = function(facet) {
+
+ var subid_e = reg.entity.get('subid');
+ var dialog = subid_e.get_dialog('add');
+ dialog.open();
+ if (!IPA.is_selfservice) {
+ var owner = facet.get_pkey();
+ dialog.get_field('ipaowner').set_value([owner]);
+ }
+ };
+
+ return that;
+};
+
exp.entity_spec = make_spec();
exp.register = function() {
var e = reg.entity;
@@ -1225,6 +1238,7 @@ exp.register = function() {
a.register('reset_password', IPA.user.reset_password_action);
a.register('add_otptoken', IPA.user.add_otptoken_action);
a.register('delete_active_user', IPA.user.delete_active_user_action);
+ a.register('subid_generate', IPA.user.subid_generate_action);
d.copy('password', 'user_password', {
factory: IPA.user.password_dialog,
pre_ops: [IPA.user.password_dialog_pre_op]
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index 77facba195cb5a1564818010f97afdd15d65a274..699de3b4d3305def5d81aeb945106b80eef0ef40 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -109,3 +109,22 @@ default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
+
+dn: cn=ipaSubordinateIdEntry ipaOwner uniqueness,cn=plugins,cn=config
+default:objectClass: top
+default:objectClass: nsSlapdPlugin
+default:objectClass: extensibleObject
+default:cn: ipaSubordinateIdEntry ipaOwner uniqueness
+default:nsslapd-pluginDescription: Enforce unique attribute values of ipaOwner
+default:nsslapd-pluginPath: libattr-unique-plugin
+default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
+default:nsslapd-pluginType: preoperation
+default:nsslapd-pluginEnabled: on
+default:uniqueness-attribute-name: ipaOwner
+default:uniqueness-subtrees: cn=subids,cn=accounts,$SUFFIX
+default:uniqueness-across-all-subtrees: on
+default:uniqueness-subtree-entries-oc: ipaSubordinateIdEntry
+default:nsslapd-plugin-depends-on-type: database
+default:nsslapd-pluginId: NSUniqueAttr
+default:nsslapd-pluginVersion: 1.1.0
+default:nsslapd-pluginVendor: Fedora Project
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 7f83ab9f04c565a59efdd2f41c3e7ee30f5da9c7..d6df5b37d0a9092e936d2c6002bce71ed876ec27 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -263,6 +263,14 @@ default:nsSystemIndex: false
add:nsIndexType: eq
add:nsIndexType: pres
+dn: cn=ipaOwner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaOwner
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+add:nsIndexType: pres
+
dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only:cn: ipasudorunas
default:objectClass: nsIndex
@@ -425,6 +433,10 @@ default:nsSystemIndex: false
add:nsIndexType: eq
add:nsIndexType: pres
+dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: member
+add:nsIndexType: sub
+
dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only:cn: memberPrincipal
default:objectClass: nsIndex
diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update
index 89bc5ef91b2f5c85ee3a4a2c7d112a0549d4e1da..b29926a4e3bd410115cde4ede3ed7886a412d300 100644
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -21,3 +21,4 @@ add: referint-membership-attr: ipamemberca
add: referint-membership-attr: ipamembercertprofile
add: referint-membership-attr: ipalocation
add: referint-membership-attr: membermanager
+add: referint-membership-attr: ipaowner
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
index 2aab3d445a33ae1663f81ca2d61b62ebc94aa37d..1aa43822a8b8c220583b81e08d70b648ca594363 100644
--- a/install/updates/73-subid.update
+++ b/install/updates/73-subid.update
@@ -1,5 +1,15 @@
# subordinate ids
+# create memberOf attributes for ipaOwner
+dn: cn=MemberOf Plugin,cn=plugins,cn=config
+add: memberofgroupattr: ipaOwner
+
+# container
+dn: cn=subids,cn=accounts,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: subids
+
# self-service RBAC
dn: cn=Subordinate ID Selfservice User,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
@@ -56,9 +66,9 @@ default:member: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
# self-service permission when 389-DS' DNA plugin supports dnaStepAttr and
# fake_dna_plugin hack has been removed.
#
-dn: $SUFFIX
-add: aci: (targetfilter = "(objectclass=posixaccount)")(targattrfilters = "add=objectClass:(|(objectClass=ipasubordinateid)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=eval($SUBID_RANGE_START))(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=eval($SUBID_RANGE_START))(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (write) userdn = "ldap:///self" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetfilter = "(objectclass=posixaccount)")(targattrfilters = "add=objectClass:(|(objectClass=ipasubordinateid)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)
+dn: cn=subids,cn=accounts,$SUFFIX
+add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=eval($SUBID_RANGE_START))(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=eval($SUBID_RANGE_START))(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)
# DNA plugin and idrange configuration
dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
@@ -78,14 +88,14 @@ default: dnaMagicRegen: -1
default: dnaFilter: (objectClass=ipaSubordinateId)
default: dnaScope: $SUFFIX
default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
-# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
-# default: dnaStepAttr: ipaSubUidCount
-# default: dnaStepAttr: ipaSubGidCount
-# default: dnaStepAllowedValues: eval($SUBID_COUNT)
default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
default: dnaExcludeScope: cn=provisioning,$SUFFIX
-default: aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
-default: aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
+# add: dnaIntervalAttr: ipasubuidcount
+# add: dnaIntervalAttr: ipasubgidcount
+# addifnew: dnaMaxInterval: eval($SUBID_COUNT)
+add: aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
default: objectClass: top
diff --git a/ipalib/constants.py b/ipalib/constants.py
index bee4c92fb39769d427e315116575f217924915be..bff899ba64c75832e2037870ccbca4587458d97b 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -131,6 +131,9 @@ DEFAULT_CONFIG = (
('container_ranges', DN(('cn', 'ranges'), ('cn', 'etc'))),
('container_dna', DN(('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc'))),
('container_dna_posix_ids', DN(('cn', 'posix-ids'), ('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc'))),
+ ('container_dna_subordinate_ids', DN(
+ ('cn', 'subordinate-ids'), ('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc')
+ )),
('container_realm_domains', DN(('cn', 'Realm Domains'), ('cn', 'ipa'), ('cn', 'etc'))),
('container_otp', DN(('cn', 'otp'))),
('container_radiusproxy', DN(('cn', 'radiusproxy'))),
@@ -148,6 +151,7 @@ DEFAULT_CONFIG = (
('container_certmaprules', DN(('cn', 'certmaprules'), ('cn', 'certmap'))),
('container_ca_renewal',
DN(('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'))),
+ ('container_subids', DN(('cn', 'subids'), ('cn', 'accounts'))),
# Ports, hosts, and URIs:
# Following values do not have any reasonable default.
@@ -355,4 +359,4 @@ SUBID_RANGE_START = 2 ** 31
SUBID_RANGE_MAX = (2 ** 32) - (2 * SUBID_COUNT)
SUBID_RANGE_SIZE = SUBID_RANGE_MAX - SUBID_RANGE_START
# threshold before DNA plugin requests a new range
-SUBID_DNA_THRESHOLD = 500 * SUBID_COUNT
+SUBID_DNA_THRESHOLD = 500
diff --git a/ipaserver/install/ipa_subids.py b/ipaserver/install/ipa_subids.py
index ac77a4008aec58d92c8b24df5e00b83c6998401f..2b33b667084f529fa50e2f11eeefda8a8927f68c 100644
--- a/ipaserver/install/ipa_subids.py
+++ b/ipaserver/install/ipa_subids.py
@@ -10,7 +10,7 @@ from ipalib.facts import is_ipa_configured
from ipaplatform.paths import paths
from ipapython.admintool import AdminTool, ScriptError
from ipapython.dn import DN
-from ipaserver.plugins.baseldap import DNA_MAGIC
+from ipapython.version import API_VERSION
logger = logging.getLogger(__name__)
@@ -77,7 +77,7 @@ class IPASubids(AdminTool):
# only users with posixAccount
"(objectClass=posixAccount)",
# without subordinate ids
- "(!(objectClass=ipaSubordinateId))",
+ f"(!(memberOf=*,cn=subids,cn=accounts,{api.env.basedn}))",
]
if groupinfo is not None:
filters.append(
@@ -89,7 +89,7 @@ class IPASubids(AdminTool):
def search_users(self, filters):
users_dn = DN(api.env.container_user, api.env.basedn)
- attrs = ["objectclass", "uid", "uidnumber"]
+ attrs = ["objectclass", "uid"]
logger.debug("basedn: %s", users_dn)
logger.debug("attrs: %s", attrs)
@@ -116,7 +116,7 @@ class IPASubids(AdminTool):
api.finalize()
api.Backend.ldap2.connect()
self.ldap2 = api.Backend.ldap2
- user_obj = api.Object["user"]
+ subid_generate = api.Command.subid_generate
dry_run = self.safe_options.dry_run
group_info = self.get_group_info()
@@ -136,11 +136,13 @@ class IPASubids(AdminTool):
i,
total
)
- user_obj.set_subordinate_ids(
- self.ldap2, entry.dn, entry, DNA_MAGIC
- )
if not dry_run:
- self.ldap2.update_entry(entry)
+ # TODO: check for duplicate entry (race condition)
+ # TODO: log new subid
+ subid_generate(
+ ipaowner=entry.single_value["uid"],
+ version=API_VERSION
+ )
if dry_run:
logger.info("Dry run mode, no user was modified")
diff --git a/ipaserver/install/plugins/update_dna_shared_config.py b/ipaserver/install/plugins/update_dna_shared_config.py
index 0f704c68a0551a7b7db6d42275498d02885b70fc..955bee5dd830f0dcad3f0810e7e2f1a1c725a0aa 100644
--- a/ipaserver/install/plugins/update_dna_shared_config.py
+++ b/ipaserver/install/plugins/update_dna_shared_config.py
@@ -17,7 +17,7 @@ register = Registry()
@register()
class update_dna_shared_config(Updater):
- dna_plugin_names = ('posix IDs',)
+ dna_plugin_names = ('posix IDs', 'Subordinate IDs')
dna_plugin_dn = DN(
('cn', 'Distributed Numeric Assignment Plugin'),
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index 3ccd2e38a254e274ba3685b9233f23b2313f8eec..0b7839536f66740a60377460c7432ade7c0654c2 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -121,6 +121,8 @@ global_output_params = (
Str('memberof_hbacrule?',
label='Member of HBAC rule',
),
+ Str('memberof_subid?',
+ label='Subordinate ids',),
Str('member_idoverrideuser?',
label=_('Member ID user overrides'),),
Str('memberindirect_idoverrideuser?',
@@ -795,7 +797,13 @@ class LDAPObject(Object):
dn = entry.dn
filter = self.backend.make_filter(
- {'member': dn, 'memberuser': dn, 'memberhost': dn})
+ {
+ 'member': dn,
+ 'memberuser': dn,
+ 'memberhost': dn,
+ 'ipaowner': dn
+ }
+ )
try:
result = self.backend.get_entries(
self.api.env.basedn,
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 12ff03c2302ff08aabb9369306965e0c125724f8..14a71b2217d3370701662b35c43f4207c1ab9b95 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -17,10 +17,9 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import random
import six
-from ipalib import api, errors, output, constants
+from ipalib import api, errors, constants
from ipalib import (
Flag, Int, Password, Str, Bool, StrEnum, DateTime, DNParam)
from ipalib.parameters import Principal, Certificate
@@ -28,9 +27,9 @@ from ipalib.plugable import Registry
from .baseldap import (
DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
LDAPRetrieve, LDAPAddAttribute, LDAPModAttribute, LDAPRemoveAttribute,
- LDAPQuery, LDAPAddMember, LDAPRemoveMember,
+ LDAPAddMember, LDAPRemoveMember,
LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption,
- add_missing_object_class, DNA_MAGIC, pkey_to_value, entry_to_dict
+ add_missing_object_class
)
from ipaserver.plugins.service import (validate_realm, normalize_principal)
from ipalib.request import context
@@ -162,7 +161,7 @@ class baseuser(LDAPObject):
possible_objectclasses = [
'meporiginentry', 'ipauserauthtypeclass', 'ipauser',
'ipatokenradiusproxyuser', 'ipacertmapobject',
- 'ipantuserattrs', 'ipasubordinateid',
+ 'ipantuserattrs',
]
disallow_object_classes = ['krbticketpolicyaux']
permission_filter_objectclasses = ['posixaccount']
@@ -183,13 +182,13 @@ class baseuser(LDAPObject):
'krbprincipalname', 'loginshell',
'mail', 'telephonenumber', 'title', 'nsaccountlock',
'uidnumber', 'gidnumber', 'sshpubkeyfp',
- 'ipasubuidnumber', 'ipasubuidcount', 'ipasubgidnumber',
- 'ipasubgidcount',
]
uuid_attribute = 'ipauniqueid'
attribute_members = {
'manager': ['user'],
- 'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
+ 'memberof': [
+ 'group', 'netgroup', 'role', 'hbacrule', 'sudorule', 'subid'
+ ],
'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
}
allow_rename = True
@@ -432,41 +431,6 @@ class baseuser(LDAPObject):
'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:',
'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'),
),
- Int(
- 'ipasubuidnumber?',
- label=_('SubUID range start'),
- cli_name='subuid',
- doc=_('Start value for subordinate user ID (subuid) range'),
- minvalue=constants.SUBID_RANGE_START,
- maxvalue=constants.SUBID_RANGE_MAX,
- ),
- Int(
- 'ipasubuidcount?',
- label=_('SubUID range size'),
- cli_name='subuidcount',
- doc=_('Subordinate user ID count'),
- flags={'no_create', 'no_update', 'no_search'},
- minvalue=constants.SUBID_COUNT,
- maxvalue=constants.SUBID_COUNT,
- ),
- Int(
- 'ipasubgidnumber?',
- label=_('SubGID range start'),
- cli_name='subgid',
- doc=_('Start value for subordinate group ID (subgid) range'),
- flags={'no_create', 'no_update'},
- minvalue=constants.SUBID_RANGE_START,
- maxvalue=constants.SUBID_RANGE_MAX,
- ),
- Int(
- 'ipasubgidcount?',
- label=_('SubGID range size'),
- cli_name='subgidcount',
- doc=_('Subordinate group ID count'),
- flags={'no_create', 'no_update', 'no_search'},
- minvalue=constants.SUBID_COUNT,
- maxvalue=constants.SUBID_COUNT,
- ),
)
def normalize_and_validate_email(self, email, config=None):
@@ -564,131 +528,6 @@ class baseuser(LDAPObject):
except KeyError:
pass
- def handle_subordinate_ids(self, ldap, dn, entry_attrs):
- """Handle ipaSubordinateId object class
- """
- obj_classes = entry_attrs.get("objectclass")
- new_subuid = entry_attrs.single_value.get("ipasubuidnumber")
- new_subgid = entry_attrs.single_value.get("ipasubgidnumber")
-
- # entry has object class ipaSubordinateId
- # default to auto-assigment of subuids
- if (
- new_subuid is None
- and obj_classes is not None
- and self.has_objectclass(obj_classes, "ipasubordinateid")
- ):
- new_subuid = DNA_MAGIC
-
- # neither auto-assignment nor explicit assignment
- if new_subuid is None:
- # nothing to do
- return False
-
- # enforce subuid == subgid
- if new_subgid is not None and new_subgid != new_subuid:
- raise errors.ValidationError(
- name="ipasubgidnumber",
- error=_("subgidnumber must be equal to subuidnumber")
- )
-
- self.set_subordinate_ids(ldap, dn, entry_attrs, new_subuid)
- return True
-
- def set_subordinate_ids(self, ldap, dn, entry_attrs, subuid):
- """Set subuid value of an entry
-
- Takes care of objectclass and sibbling attributes
- """
- if "objectclass" in entry_attrs:
- obj_classes = entry_attrs["objectclass"]
- else:
- _entry_attrs = ldap.get_entry(dn, ["objectclass"])
- entry_attrs["objectclass"] = _entry_attrs["objectclass"]
- obj_classes = entry_attrs["objectclass"]
-
- if not self.has_objectclass(obj_classes, "ipasubordinateid"):
- # could append ipasubordinategid and ipasubordinateuid, too
- obj_classes.append("ipasubordinateid")
-
- # XXX HACK, remove later
- if subuid == DNA_MAGIC:
- subuid = self._fake_dna_plugin(ldap, dn, entry_attrs)
-
- entry_attrs["ipasubuidnumber"] = subuid
- # enforice subuid == subgid for now
- entry_attrs["ipasubgidnumber"] = subuid
- # hard-coded constants
- entry_attrs["ipasubuidcount"] = constants.SUBID_COUNT
- entry_attrs["ipasubgidcount"] = constants.SUBID_COUNT
-
- def get_subid_match_candidate_filter(
- self, ldap, *, subuid, subgid, extra_filters=(), offset=None,
- ):
- """Create LDAP filter to locate matching/overlapping subids
- """
- if subuid is None and subgid is None:
- raise ValueError("subuid and subgid are both None")
- if offset is None:
- # assumes that no subordinate count is larger than SUBID_COUNT
- offset = constants.SUBID_COUNT - 1
-
- class_filters = "(objectclass=ipasubordinateid)"
- subid_filters = []
- if subuid is not None:
- subid_filters.append(
- ldap.combine_filters(
- [
- f"(ipasubuidnumber>={subuid - offset})",
- f"(ipasubuidnumber<={subuid + offset})",
- ],
- rules=ldap.MATCH_ALL
- )
- )
- if subgid is not None:
- subid_filters.append(
- ldap.combine_filters(
- [
- f"(ipasubgidnumber>={subgid - offset})",
- f"(ipasubgidnumber<={subgid + offset})",
- ],
- rules=ldap.MATCH_ALL
- )
- )
-
- subid_filters = ldap.combine_filters(
- subid_filters, rules=ldap.MATCH_ANY
- )
- filters = [class_filters, subid_filters]
- filters.extend(extra_filters)
- return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
-
- def _fake_dna_plugin(self, ldap, dn, entry_attrs):
- """XXX HACK, remove when 389-DS DNA plugin supports steps"""
- uidnumber = entry_attrs.single_value.get("uidnumber")
- if uidnumber is None:
- entry = ldap.get_entry(dn, ["uidnumber"])
- uidnumber = entry.single_value["uidnumber"]
- uidnumber = int(uidnumber)
-
- if uidnumber == DNA_MAGIC:
- return (
- 3221225472
- + random.randint(1, 16382) * constants.SUBID_COUNT
- )
-
- if not hasattr(context, "idrange_ipabaseid"):
- range_name = f"{self.api.env.realm}_id_range"
- range = self.api.Command.idrange_show(range_name)["result"]
- context.idrange_ipabaseid = int(range["ipabaseid"][0])
-
- range_start = context.idrange_ipabaseid
-
- assert uidnumber >= range_start
- assert uidnumber < range_start + 2**14
-
- return (uidnumber - range_start) * constants.SUBID_COUNT + 2**31
-
class baseuser_add(LDAPCreate):
"""
@@ -699,7 +538,6 @@ class baseuser_add(LDAPCreate):
assert isinstance(dn, DN)
set_krbcanonicalname(entry_attrs)
self.obj.convert_usercertificate_pre(entry_attrs)
- self.obj.handle_subordinate_ids(ldap, dn, entry_attrs)
if entry_attrs.get('ipatokenradiususername', None):
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
entry_attrs, update=False)
@@ -852,7 +690,6 @@ class baseuser_mod(LDAPUpdate):
self.check_objectclass(ldap, dn, entry_attrs)
self.obj.convert_usercertificate_pre(entry_attrs)
- self.obj.handle_subordinate_ids(ldap, dn, entry_attrs)
self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys, **options)
update_samba_attrs(ldap, dn, entry_attrs, **options)
@@ -1133,98 +970,3 @@ class baseuser_remove_certmapdata(ModCertMapData,
LDAPRemoveAttribute):
__doc__ = _("Remove one or more certificate mappings from the user entry.")
msg_summary = _('Removed certificate mappings from user "%(value)s"')
-
-
-class baseuser_auto_subid(LDAPQuery):
- __doc__ = _("Auto-assign subuid and subgid range to user entry")
-
- has_output = output.standard_entry
-
- def execute(self, cn, **options):
- ldap = self.obj.backend
- dn = self.obj.get_dn(cn)
-
- try:
- entry_attrs = ldap.get_entry(
- dn, ["objectclass", "ipasubuidnumber"]
- )
- except errors.NotFound:
- raise self.obj.handle_not_found(cn)
-
- if "ipasubuidnumber" in entry_attrs:
- raise errors.AlreadyContainsValueError(attr="ipasubuidnumber")
-
- self.obj.set_subordinate_ids(ldap, dn, entry_attrs, subuid=DNA_MAGIC)
- ldap.update_entry(entry_attrs)
-
- # fetch updated entry (use search display attribute to show subids)
- if options.get('all', False):
- attrs_list = ['*'] + self.obj.search_display_attributes
- else:
- attrs_list = set(self.obj.search_display_attributes)
- attrs_list.update(entry_attrs.keys())
- if options.get('no_members', False):
- attrs_list.difference_update(self.obj.attribute_members)
- attrs_list = list(attrs_list)
-
- entry = self._exc_wrapper((cn,), options, ldap.get_entry)(
- dn, attrs_list
- )
- entry_attrs = entry_to_dict(entry, **options)
- entry_attrs['dn'] = dn
-
- return dict(result=entry_attrs, value=pkey_to_value(cn, options))
-
-
-class baseuser_match_subid(baseuser_find):
- __doc__ = _("Match users by any subordinate uid in their range")
-
- _subid_attrs = {
- "ipasubuidnumber",
- "ipasubuidcount",
- "ipasubgidnumber",
- "ipasubgidcount"
- }
-
- def get_options(self):
- base_options = {p.name for p in self.obj.takes_params}
- for option in super().get_options():
- if option.name == "ipasubuidnumber":
- yield option.clone(
- label=_('SubUID match'),
- doc=_('Match value for subordinate user ID'),
- required=True,
- )
- elif option.name not in base_options:
- # raw, version
- yield option.clone()
-
- def pre_callback(
- self, ldap, filters, attrs_list, base_dn, scope, *args, **options
- ):
- # search for candidates in range
- # Code assumes that no subordinate count is larger than SUBID_COUNT
- filters = self.obj.get_subid_match_candidate_filter(
- ldap, subuid=options["ipasubuidnumber"], subgid=None,
- )
- # always include subid attributes
- for missing in self._subid_attrs.difference(attrs_list):
- attrs_list.append(missing)
-
- return filters, base_dn, scope
-
- def post_callback(self, ldap, entries, truncated, *args, **options):
- # filter out mismatches manually
- osubuid = options["ipasubuidnumber"]
- new_entries = []
- for entry in entries:
- esubuid = int(entry.single_value["ipasubuidnumber"])
- esubcount = int(entry.single_value["ipasubuidcount"])
- minsubuid = esubuid
- maxsubuid = esubuid + esubcount - 1
- if minsubuid <= osubuid <= maxsubuid:
- new_entries.append(entry)
-
- entries[:] = new_entries
-
- return truncated
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index ace66e589e50dac098aefd6b393b5e835cac9d7f..3526153ec117a05846daca7d42447ff50b5b7934 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -121,6 +121,7 @@ class config(LDAPObject):
'ipapwdexpadvnotify', 'ipaselinuxusermaporder',
'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata',
'ipauserauthtype', 'ipadomainresolutionorder', 'ipamaxhostnamelength',
+ 'ipauserdefaultsubordinateid',
]
container_dn = DN(('cn', 'ipaconfig'), ('cn', 'etc'))
permission_filter_objectclasses = ['ipaguiconfig']
@@ -142,7 +143,7 @@ class config(LDAPObject):
'ipasearchrecordslimit', 'ipasearchtimelimit',
'ipauserauthtype', 'ipauserobjectclasses',
'ipausersearchfields', 'ipacustomfields',
- 'ipamaxhostnamelength',
+ 'ipamaxhostnamelength', 'ipauserdefaultsubordinateid',
},
},
}
@@ -261,6 +262,11 @@ class config(LDAPObject):
values=(u'password', u'radius', u'otp',
u'pkinit', u'hardened', u'disabled'),
),
+ Bool('ipauserdefaultsubordinateid?',
+ cli_name='user_default_subid',
+ label=_('Enable adding subids to new users'),
+ doc=_('Enable adding subids to new users'),
+ ),
Str(
'ipa_master_server*',
label=_('IPA masters'),
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 199838b199eb4cdabf597bd34d571d05547fd32e..5ef940c2b88cc2b132a15d619772349b30731306 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -1547,7 +1547,7 @@ class i18n_messages(Command):
"Drive to mount a home directory"
),
},
- "subordinate": {
+ "subid": {
"identity": _("Subordinate user and group id"),
"subuidnumber": _("Subordinate user id"),
"subuidcount": _("Subordinate user id count"),
diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py
new file mode 100644
index 0000000000000000000000000000000000000000..7d9a2f33e84bc7cdf17900346343e49d5eda0d8c
--- /dev/null
+++ b/ipaserver/plugins/subid.py
@@ -0,0 +1,608 @@
+#
+# Copyright (C) 2021 FreeIPA Contributors see COPYING for license
+#
+
+import random
+import uuid
+
+from ipalib import api
+from ipalib import constants
+from ipalib import errors
+from ipalib import output
+from ipalib.plugable import Registry
+from ipalib.parameters import Int, Str
+from ipalib.request import context
+from ipalib.text import _, ngettext
+from ipapython.dn import DN
+
+from .baseldap import (
+ LDAPObject,
+ LDAPCreate,
+ LDAPDelete,
+ LDAPUpdate,
+ LDAPSearch,
+ LDAPRetrieve,
+ LDAPQuery,
+ DNA_MAGIC,
+)
+
+__doc__ = _(
+ """
+Subordinate ids
+
+Manage subordinate user and group ids for users
+
+EXAMPLES:
+
+ Auto-assign a subordinate id range to current user
+ ipa subid-generate
+
+ Auto-assign a subordinate id range to user alice:
+ ipa subid-generate --owner=alice
+
+ Find subordinate ids for user alice:
+ ipa subid-find --owner=alice
+
+ Match entry by any subordinate uid in range:
+ ipa subid-match --subuid=2147483649
+"""
+)
+
+register = Registry()
+
+
+@register()
+class subid(LDAPObject):
+ """Subordinate id object."""
+
+ container_dn = api.env.container_subids
+
+ object_name = _("Subordinate id")
+ object_name_plural = _("Subordinate ids")
+ label = _("Subordinate ids")
+ label_singular = _("Subordinate id")
+
+ object_class = ["ipasubordinateidentry"]
+ possible_objectclasses = [
+ "ipasubordinategid",
+ "ipasubordinateuid",
+ "ipasubordinateid",
+ ]
+ default_attributes = [
+ "ipauniqueid",
+ "ipaowner",
+ "ipasubuidnumber",
+ "ipasubuidcount",
+ "ipasubgidnumber",
+ "ipasubgidcount",
+ ]
+ allow_rename = False
+
+ permission_filter_objectclasses_string = (
+ "(objectclass=ipasubordinateidentry)"
+ )
+ managed_permissions = {
+ # all authenticated principals can read subordinate id information
+ "System: Read Subordinate Id Attributes": {
+ "ipapermbindruletype": "all",
+ "ipapermright": {"read", "search", "compare"},
+ "ipapermtargetfilter": [
+ permission_filter_objectclasses_string,
+ ],
+ "ipapermdefaultattr": {
+ "objectclass",
+ "ipauniqueid",
+ "description",
+ "ipaowner",
+ "ipasubuidnumber",
+ "ipasubuidcount",
+ "ipasubgidnumber",
+ "ipasubgidcount",
+ },
+ },
+ "System: Read Subordinate Id Count": {
+ "ipapermbindruletype": "all",
+ "ipapermright": {"read", "search", "compare"},
+ "ipapermtargetfilter": [],
+ "ipapermtarget": DN(container_dn, api.env.basedn),
+ "ipapermdefaultattr": {"numSubordinates"},
+ },
+ # user administrators can remove subordinate ids or update the
+ # ipaowner attribute. This enables user admins to remove users
+ # with assigned subids or move them to staging area (--preserve).
+ "System: Manage Subordinate Ids": {
+ "ipapermright": {"write"},
+ "ipapermtargetfilter": [
+ permission_filter_objectclasses_string,
+ ],
+ "ipapermdefaultattr": {
+ "description",
+ "ipaowner", # allow user admins to preserve users
+ },
+ "default_privileges": {"User Administrators"},
+ },
+ "System: Remove Subordinate Ids": {
+ "ipapermright": {"delete"},
+ "ipapermtargetfilter": [
+ permission_filter_objectclasses_string,
+ ],
+ "default_privileges": {"User Administrators"},
+ },
+ }
+
+ takes_params = (
+ Str(
+ "ipauniqueid",
+ cli_name="id",
+ label=_("Unique ID"),
+ primary_key=True,
+ flags={"optional_create"},
+ ),
+ Str(
+ "description?",
+ cli_name="desc",
+ label=_("Description"),
+ doc=_("Subordinate id description"),
+ ),
+ Str(
+ "ipaowner",
+ cli_name="owner",
+ label=_("Owner"),
+ doc=_("Owning user of subordinate id entry"),
+ flags={"no_update"},
+ ),
+ Int(
+ "ipasubuidnumber?",
+ label=_("SubUID range start"),
+ cli_name="subuid",
+ doc=_("Start value for subordinate user ID (subuid) range"),
+ flags={"no_update"},
+ minvalue=constants.SUBID_RANGE_START,
+ maxvalue=constants.SUBID_RANGE_MAX,
+ ),
+ Int(
+ "ipasubuidcount?",
+ label=_("SubUID range size"),
+ cli_name="subuidcount",
+ doc=_("Subordinate user ID count"),
+ flags={"no_create", "no_update", "no_search"}, # auto-assigned
+ minvalue=constants.SUBID_COUNT,
+ maxvalue=constants.SUBID_COUNT,
+ ),
+ Int(
+ "ipasubgidnumber?",
+ label=_("SubGID range start"),
+ cli_name="subgid",
+ doc=_("Start value for subordinate group ID (subgid) range"),
+ flags={"no_create", "no_update"}, # auto-assigned
+ minvalue=constants.SUBID_RANGE_START,
+ maxvalue=constants.SUBID_RANGE_MAX,
+ ),
+ Int(
+ "ipasubgidcount?",
+ label=_("SubGID range size"),
+ cli_name="subgidcount",
+ doc=_("Subordinate group ID count"),
+ flags={"no_create", "no_update", "no_search"}, # auto-assigned
+ minvalue=constants.SUBID_COUNT,
+ maxvalue=constants.SUBID_COUNT,
+ ),
+ )
+
+ def fixup_objectclass(self, entry_attrs):
+ """Add missing object classes to entry"""
+ has_subuid = "ipasubuidnumber" in entry_attrs
+ has_subgid = "ipasubgidnumber" in entry_attrs
+
+ candicates = set(self.object_class)
+ if has_subgid:
+ candicates.add("ipasubordinategid")
+ if has_subuid:
+ candicates.add("ipasubordinateuid")
+ if has_subgid and has_subuid:
+ candicates.add("ipasubordinateid")
+
+ entry_oc = entry_attrs.setdefault("objectclass", [])
+ current_oc = {x.lower() for x in entry_oc}
+ for oc in candicates.difference(current_oc):
+ entry_oc.append(oc)
+
+ def handle_duplicate_entry(self, *keys):
+ if hasattr(context, "subid_owner_dn"):
+ uid = context.subid_owner_dn[0].value
+ msg = _(
+ '%(oname)s with with name "%(pkey)s" or for user "%(uid)s" '
+ "already exists."
+ ) % {
+ "uid": uid,
+ "pkey": keys[-1] if keys else "",
+ "oname": self.object_name,
+ }
+ raise errors.DuplicateEntry(message=msg) from None
+ else:
+ super().handle_duplicate_entry(*keys)
+
+ def convert_owner(self, entry_attrs, options):
+ """Change owner from DN to uid string"""
+ if not options.get("raw", False) and "ipaowner" in entry_attrs:
+ userobj = self.api.Object.user
+ entry_attrs["ipaowner"] = [
+ userobj.get_primary_key_from_dn(entry_attrs["ipaowner"][0])
+ ]
+
+ def get_owner_dn(self, *keys, **options):
+ """Get owning user entry entry (username or DN)"""
+ owner = keys[-1]
+ userobj = self.api.Object.user
+ if isinstance(owner, DN):
+ # it's already a DN, validate it's either an active or preserved
+ # user. Ref integrity plugin checks that it's not a dangling DN.
+ user_dns = (
+ DN(userobj.active_container_dn, self.api.env.basedn),
+ DN(userobj.delete_container_dn, self.api.env.basedn),
+ )
+ if not owner.endswith(user_dns):
+ raise errors.ValidationError(
+ name="ipaowner",
+ error=_("'%(dn)s is not a valid user") % {"dn": owner},
+ )
+ return owner
+
+ # similar to user.get_either_dn() but with error reporting and
+ # returns an entry
+ ldap = self.backend
+ try:
+ active_dn = userobj.get_dn(owner, **options)
+ entry = ldap.get_entry(active_dn, attrs_list=[])
+ return entry.dn
+ except errors.NotFound:
+ # fall back to deleted user
+ try:
+ delete_dn = userobj.get_delete_dn(owner, **options)
+ entry = ldap.get_entry(delete_dn, attrs_list=[])
+ return entry.dn
+ except errors.NotFound:
+ raise userobj.handle_not_found(owner)
+
+ def handle_subordinate_ids(self, ldap, dn, entry_attrs):
+ """Handle ipaSubordinateId object class"""
+ new_subuid = entry_attrs.single_value.get("ipasubuidnumber")
+ new_subgid = entry_attrs.single_value.get("ipasubgidnumber")
+
+ if new_subuid is None:
+ new_subuid = DNA_MAGIC
+
+ # enforce subuid == subgid
+ if new_subgid is not None and new_subgid != new_subuid:
+ raise errors.ValidationError(
+ name="ipasubgidnumber",
+ error=_("subgidnumber must be equal to subuidnumber"),
+ )
+
+ self.set_subordinate_ids(ldap, dn, entry_attrs, new_subuid)
+ return True
+
+ def set_subordinate_ids(self, ldap, dn, entry_attrs, subuid):
+ """Set subuid value of an entry
+
+ Takes care of objectclass and sibbling attributes
+ """
+ if "objectclass" not in entry_attrs:
+ _entry_attrs = ldap.get_entry(dn, ["objectclass"])
+ entry_attrs["objectclass"] = _entry_attrs["objectclass"]
+
+ # XXX HACK, remove later
+ if subuid == DNA_MAGIC:
+ subuid = self._fake_dna_plugin(ldap, dn, entry_attrs)
+
+ entry_attrs["ipasubuidnumber"] = subuid
+ # enforice subuid == subgid for now
+ entry_attrs["ipasubgidnumber"] = subuid
+ # hard-coded constants
+ entry_attrs["ipasubuidcount"] = constants.SUBID_COUNT
+ entry_attrs["ipasubgidcount"] = constants.SUBID_COUNT
+
+ self.fixup_objectclass(entry_attrs)
+
+ def get_subid_match_candidate_filter(
+ self,
+ ldap,
+ *,
+ subuid,
+ subgid,
+ extra_filters=(),
+ offset=None,
+ ):
+ """Create LDAP filter to locate matching/overlapping subids"""
+ if subuid is None and subgid is None:
+ raise ValueError("subuid and subgid are both None")
+ if offset is None:
+ # assumes that no subordinate count is larger than SUBID_COUNT
+ offset = constants.SUBID_COUNT - 1
+
+ class_filters = "(objectclass=ipasubordinateid)"
+ subid_filters = []
+ if subuid is not None:
+ subid_filters.append(
+ ldap.combine_filters(
+ [
+ f"(ipasubuidnumber>={subuid - offset})",
+ f"(ipasubuidnumber<={subuid + offset})",
+ ],
+ rules=ldap.MATCH_ALL,
+ )
+ )
+ if subgid is not None:
+ subid_filters.append(
+ ldap.combine_filters(
+ [
+ f"(ipasubgidnumber>={subgid - offset})",
+ f"(ipasubgidnumber<={subgid + offset})",
+ ],
+ rules=ldap.MATCH_ALL,
+ )
+ )
+
+ subid_filters = ldap.combine_filters(
+ subid_filters, rules=ldap.MATCH_ANY
+ )
+ filters = [class_filters, subid_filters]
+ filters.extend(extra_filters)
+ return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
+
+ def _fake_dna_plugin(self, ldap, dn, entry_attrs):
+ """XXX HACK, remove when 389-DS DNA plugin supports steps"""
+ return (
+ constants.SUBID_RANGE_START
+ + random.randint(1, 32764 - 2) * constants.SUBID_COUNT
+ )
+
+
+@register()
+class subid_add(LDAPCreate):
+ __doc__ = _("Add a new subordinate id.")
+ msg_summary = _('Added subordinate id "%(value)s"')
+
+ # internal command, use subid-auto to auto-assign subids
+ NO_CLI = True
+
+ def pre_callback(
+ self, ldap, dn, entry_attrs, attrs_list, *keys, **options
+ ):
+ # XXX let ref integrity plugin validate DN?
+ owner_dn = self.obj.get_owner_dn(entry_attrs["ipaowner"], **options)
+ context.subid_owner_dn = owner_dn
+ entry_attrs["ipaowner"] = owner_dn
+
+ self.obj.handle_subordinate_ids(ldap, dn, entry_attrs)
+ attrs_list.append("objectclass")
+
+ return dn
+
+ def execute(self, ipauniqueid=None, **options):
+ if ipauniqueid is None:
+ ipauniqueid = str(uuid.uuid4())
+ return super().execute(ipauniqueid, **options)
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ self.obj.convert_owner(entry_attrs, options)
+ return super(subid_add, self).post_callback(
+ ldap, dn, entry_attrs, *keys, **options
+ )
+
+
+@register()
+class subid_del(LDAPDelete):
+ __doc__ = _("Delete a subordinate id.")
+ msg_summary = _('Deleted subordinate id "%(value)s"')
+
+ # internal command, subids cannot be removed
+ NO_CLI = True
+
+
+@register()
+class subid_mod(LDAPUpdate):
+ __doc__ = _("Modify a subordinate id.")
+ msg_summary = _('Modified subordinate id "%(value)s"')
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ self.obj.convert_owner(entry_attrs, options)
+ return super(subid_mod, self).post_callback(
+ ldap, dn, entry_attrs, *keys, **options
+ )
+
+
+@register()
+class subid_find(LDAPSearch):
+ __doc__ = _("Search for subordinate id.")
+ msg_summary = ngettext(
+ "%(count)d subordinate id matched",
+ "%(count)d subordinate ids matched",
+ 0,
+ )
+
+ def pre_callback(
+ self, ldap, filters, attrs_list, base_dn, scope, *args, **options
+ ):
+ attrs_list.append("objectclass")
+ return super(subid_find, self).pre_callback(
+ ldap, filters, attrs_list, base_dn, scope, *args, **options
+ )
+
+ def args_options_2_entry(self, *args, **options):
+ entry_attrs = super(subid_find, self).args_options_2_entry(
+ *args, **options
+ )
+ owner = entry_attrs.get("ipaowner")
+ if owner is not None:
+ owner_dn = self.obj.get_owner_dn(owner, **options)
+ entry_attrs["ipaowner"] = owner_dn
+ return entry_attrs
+
+ def post_callback(self, ldap, entries, truncated, *args, **options):
+ for entry in entries:
+ self.obj.convert_owner(entry, options)
+ return super(subid_find, self).post_callback(
+ ldap, entries, truncated, *args, **options
+ )
+
+
+@register()
+class subid_show(LDAPRetrieve):
+ __doc__ = _("Display information about a subordinate id.")
+
+ def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
+ attrs_list.append("objectclass")
+ return super(subid_show, self).pre_callback(
+ ldap, dn, attrs_list, *keys, **options
+ )
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ self.obj.convert_owner(entry_attrs, options)
+ return super(subid_show, self).post_callback(
+ ldap, dn, entry_attrs, *keys, **options
+ )
+
+
+@register()
+class subid_generate(LDAPQuery):
+ __doc__ = _(
+ "Generate and auto-assign subuid and subgid range to user entry"
+ )
+
+ has_output = output.standard_entry
+
+ takes_options = LDAPQuery.takes_options + (
+ Str(
+ "ipaowner?",
+ cli_name="owner",
+ label=_("Owner"),
+ doc=_("Owning user of subordinate id entry"),
+ ),
+ )
+
+ def get_args(self):
+ return []
+
+ def execute(self, *keys, **options):
+ owner_uid = options.get("ipaowner")
+ # default to current user
+ if owner_uid is None:
+ owner_dn = DN(self.api.Backend.ldap2.conn.whoami_s()[4:])
+ # validate it's a user and not a service or host
+ owner_dn = self.obj.get_owner_dn(owner_dn)
+ owner_uid = owner_dn[0].value
+
+ return self.api.Command.subid_add(
+ description="auto-assigned subid",
+ ipaowner=owner_uid,
+ version=options["version"],
+ )
+
+
+@register()
+class subid_match(subid_find):
+ __doc__ = _("Match users by any subordinate uid in their range")
+
+ def get_options(self):
+ base_options = {p.name for p in self.obj.takes_params}
+ for option in super().get_options():
+ if option.name == "ipasubuidnumber":
+ yield option.clone(
+ label=_("SubUID match"),
+ doc=_("Match value for subordinate user ID"),
+ required=True,
+ )
+ elif option.name not in base_options:
+ # raw, version
+ yield option.clone()
+
+ def pre_callback(
+ self, ldap, filters, attrs_list, base_dn, scope, *args, **options
+ ):
+ # search for candidates in range
+ # Code assumes that no subordinate count is larger than SUBID_COUNT
+ filters = self.obj.get_subid_match_candidate_filter(
+ ldap,
+ subuid=options["ipasubuidnumber"],
+ subgid=None,
+ )
+ attrs_list.extend(self.obj.default_attributes)
+
+ return filters, base_dn, scope
+
+ def post_callback(self, ldap, entries, truncated, *args, **options):
+ # filter out mismatches manually
+ osubuid = options["ipasubuidnumber"]
+ new_entries = []
+ for entry in entries:
+ esubuid = int(entry.single_value["ipasubuidnumber"])
+ esubcount = int(entry.single_value["ipasubuidcount"])
+ minsubuid = esubuid
+ maxsubuid = esubuid + esubcount - 1
+ if minsubuid <= osubuid <= maxsubuid:
+ new_entries.append(entry)
+
+ entries[:] = new_entries
+
+ return truncated
+
+
+@register()
+class subid_stats(LDAPQuery):
+ __doc__ = _("Subordinate id statistics")
+
+ takes_options = ()
+ has_output = (
+ output.summary,
+ output.Entry("result"),
+ )
+
+ def get_args(self):
+ return ()
+
+ def get_remaining_dna(self, ldap, **options):
+ base_dn = DN(
+ self.api.env.container_dna_subordinate_ids, self.api.env.basedn
+ )
+ entries, _truncated = ldap.find_entries(
+ "(objectClass=dnaSharedConfig)",
+ attrs_list=["dnaRemainingValues"],
+ base_dn=base_dn,
+ scope=ldap.SCOPE_ONELEVEL,
+ )
+ return sum(
+ int(entry.single_value["dnaRemainingValues"]) for entry in entries
+ )
+
+ def get_idrange(self, ldap, **options):
+ cn = f"{self.api.env.realm}_subid_range"
+ result = self.api.Command.idrange_show(cn, version=options["version"])
+ baseid = int(result["result"]["ipabaseid"][0])
+ rangesize = int(result["result"]["ipaidrangesize"][0])
+ return baseid, rangesize
+
+ def get_subid_assigned(self, ldap, **options):
+ dn = DN(self.api.env.container_subids, self.api.env.basedn)
+ entry = ldap.get_entry(dn=dn, attrs_list=["numSubordinates"])
+ return int(entry.single_value["numSubordinates"])
+
+ def execute(self, *keys, **options):
+ ldap = self.obj.backend
+ dna_remaining = self.get_remaining_dna(ldap, **options)
+ baseid, rangesize = self.get_idrange(ldap, **options)
+ assigned_subids = self.get_subid_assigned(ldap, **options)
+ remaining_subids = dna_remaining // constants.SUBID_COUNT
+ return dict(
+ summary=_("%(remaining)i remaining subordinate id ranges")
+ % {
+ "remaining": remaining_subids,
+ },
+ result=dict(
+ baseid=baseid,
+ rangesize=rangesize,
+ dna_remaining=dna_remaining,
+ assigned_subids=assigned_subids,
+ remaining_subids=remaining_subids,
+ ),
+ )
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index f89b3ad5d9c994fe1ceb3da560fde7cc5bf5155a..19d07e6d61a451a0b1177adf2cf8ae1b7fceeb67 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -51,8 +51,6 @@ from .baseuser import (
baseuser_remove_principal,
baseuser_add_certmapdata,
baseuser_remove_certmapdata,
- baseuser_auto_subid,
- baseuser_match_subid,
)
from .idviews import remove_ipaobject_overrides
from ipalib.plugable import Registry
@@ -205,8 +203,6 @@ class user(baseuser):
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'ipauniqueid', 'ipasshpubkey', 'ipauserauthtype', 'userclass',
- 'ipasubuidnumber', 'ipasubuidcount', 'ipasubgidnumber',
- 'ipasubgidcount',
},
'fixup_function': fix_addressbook_permission_bindrule,
},
@@ -670,6 +666,17 @@ class user_add(baseuser_add):
# if both randompassword and userpassword options were used
pass
+ # generate subid
+ default_subid = config.single_value.get(
+ 'ipaUserDefaultSubordinateId', 'FALSE'
+ )
+ if default_subid == 'TRUE':
+ result = self.api.Command.subid_generate(
+ ipaowner=entry_attrs.single_value['uid'],
+ version=options['version']
+ )
+ entry_attrs["memberOf"].append(result['result']['dn'])
+
self.obj.get_preserved_attribute(entry_attrs, options)
self.post_common_callback(ldap, dn, entry_attrs, *keys, **options)
@@ -757,7 +764,9 @@ class user_del(baseuser_del):
# of OTP tokens.
check_protected_member(keys[-1])
- if not options.get('preserve', False):
+ preserve = options.get('preserve', False)
+
+ if not preserve:
# Remove any ID overrides tied with this user
try:
remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
@@ -780,6 +789,15 @@ class user_del(baseuser_del):
else:
self.api.Command.otptoken_del(token)
+ # XXX: preserving doesn't work yet, see subordinate-ids.md
+ # Delete all subid entries owned by this user.
+ results = self.api.Command.subid_find(ipaowner=owner)["result"]
+ for subid_entry in results:
+ subid_pkey = self.api.Object.subid.get_primary_key_from_dn(
+ subid_entry["dn"]
+ )
+ self.api.Command.subid_del(subid_pkey)
+
return dn
def execute(self, *keys, **options):
@@ -829,6 +847,7 @@ class user_mod(baseuser_mod):
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
**options)
validate_nsaccountlock(entry_attrs)
+ # TODO: forward uidNumber changes and rename to subids
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -1311,13 +1330,3 @@ class user_add_principal(baseuser_add_principal):
class user_remove_principal(baseuser_remove_principal):
__doc__ = _('Remove principal alias from the user entry')
msg_summary = _('Removed aliases from user "%(value)s"')
-
-
-@register()
-class user_auto_subid(baseuser_auto_subid):
- __doc__ = baseuser_auto_subid.__doc__
-
-
-@register()
-class user_match_subid(baseuser_match_subid):
- __doc__ = baseuser_match_subid.__doc__
diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py
index b462f22ac067f3e1e97ef3f6d63d4e14e4ae79af..48e58c26464f52605438afe865575e5ca4c8f1f8 100644
--- a/ipatests/test_integration/test_subids.py
+++ b/ipatests/test_integration/test_subids.py
@@ -17,6 +17,7 @@ class TestSubordinateId(IntegrationTest):
topology = "star"
def _parse_result(self, result):
+ # ipa CLI should get an --outform json option
info = {}
for line in result.stdout_text.split("\n"):
line = line.strip()
@@ -42,39 +43,69 @@ class TestSubordinateId(IntegrationTest):
info[k] = set(v)
return info
- def get_user(self, uid):
- cmd = ["ipa", "user-show", "--all", "--raw", uid]
- result = self.master.run_command(cmd)
- return self._parse_result(result)
+ def assert_subid_info(self, uid, info):
+ assert info["ipauniqueid"]
+ basedn = self.master.domain.basedn
+ assert info["ipaowner"] == f"uid={uid},cn=users,cn=accounts,{basedn}"
+ assert info["ipasubuidnumber"] == info["ipasubuidnumber"]
+ assert info["ipasubuidnumber"] >= SUBID_RANGE_START
+ assert info["ipasubuidnumber"] <= SUBID_RANGE_MAX
+ assert info["ipasubuidcount"] == SUBID_COUNT
+ assert info["ipasubgidnumber"] == info["ipasubgidnumber"]
+ assert info["ipasubgidnumber"] == info["ipasubuidnumber"]
+ assert info["ipasubgidcount"] == SUBID_COUNT
+
+ def assert_subid(self, uid, *, match):
+ cmd = ["ipa", "subid-find", "--raw", "--owner", uid]
+ result = self.master.run_command(cmd, raiseonerr=False)
+ if not match:
+ assert result.returncode >= 1
+ if result.returncode == 1:
+ assert "0 subordinate ids matched" in result.stdout_text
+ elif result.returncode == 2:
+ assert "user not found" in result.stderr_text
+ return None
+ else:
+ assert result.returncode == 0
+ assert "1 subordinate id matched" in result.stdout_text
+ info = self._parse_result(result)
+ self.assert_subid_info(uid, info)
+ self.master.run_command(
+ ["ipa", "subid-show", info["ipauniqueid"]]
+ )
+ return info
- def user_auto_subid(self, uid, **kwargs):
- cmd = ["ipa", "user-auto-subid", uid]
+ def subid_generate(self, uid, **kwargs):
+ cmd = ["ipa", "subid-generate"]
+ if uid is not None:
+ cmd.extend(("--owner", uid))
return self.master.run_command(cmd, **kwargs)
- def test_auto_subid(self):
- tasks.kinit_admin(self.master)
+ def test_auto_generate_subid(self):
uid = "testuser_auto1"
- tasks.user_add(self.master, uid)
- info = self.get_user(uid)
- assert "ipasubuidcount" not in info
+ passwd = "Secret123"
+ tasks.create_active_user(self.master, uid, password=passwd)
- self.user_auto_subid(uid)
- info = self.get_user(uid)
- assert "ipasubuidcount" in info
+ tasks.kinit_admin(self.master)
+ self.assert_subid(uid, match=False)
+
+ # add subid by name
+ self.subid_generate(uid)
+ info = self.assert_subid(uid, match=True)
+
+ # second generate fails due to unique index on ipaowner
+ result = self.subid_generate(uid, raiseonerr=False)
+ assert result.returncode > 0
+ assert f'for user "{uid}" already exists' in result.stderr_text
+ # check matching
subuid = info["ipasubuidnumber"]
- result = self.master.run_command(
- ["ipa", "user-match-subid", f"--subuid={subuid}", "--raw"]
- )
- match = self._parse_result(result)
- assert match["uid"] == uid
- assert match["ipasubuidnumber"] == info["ipasubuidnumber"]
- assert match["ipasubuidnumber"] >= SUBID_RANGE_START
- assert match["ipasubuidnumber"] <= SUBID_RANGE_MAX
- assert match["ipasubuidcount"] == SUBID_COUNT
- assert match["ipasubgidnumber"] == info["ipasubgidnumber"]
- assert match["ipasubgidnumber"] == match["ipasubuidnumber"]
- assert match["ipasubgidcount"] == SUBID_COUNT
+ for offset in (0, 1, 65535):
+ result = self.master.run_command(
+ ["ipa", "subid-match", f"--subuid={subuid + offset}", "--raw"]
+ )
+ match = self._parse_result(result)
+ self.assert_subid_info(uid, match)
def test_ipa_subid_script(self):
tasks.kinit_admin(self.master)
@@ -85,34 +116,28 @@ class TestSubordinateId(IntegrationTest):
uid = f"testuser_script{i}"
users.append(uid)
tasks.user_add(self.master, uid)
- info = self.get_user(uid)
- assert "ipasubuidcount" not in info
+ self.assert_subid(uid, match=False)
cmd = [tool, "--verbose", "--group", "ipausers"]
self.master.run_command(cmd)
for uid in users:
- info = self.get_user(uid)
- assert info["ipasubuidnumber"] >= SUBID_RANGE_START
- assert info["ipasubuidnumber"] <= SUBID_RANGE_MAX
- assert info["ipasubuidnumber"] == info["ipasubgidnumber"]
- assert info["ipasubuidcount"] == SUBID_COUNT
- assert info["ipasubuidcount"] == info["ipasubgidcount"]
+ self.assert_subid(uid, match=True)
def test_subid_selfservice(self):
- tasks.kinit_admin(self.master)
-
- uid = "testuser_selfservice1"
+ uid1 = "testuser_selfservice1"
+ uid2 = "testuser_selfservice2"
password = "Secret123"
role = "Subordinate ID Selfservice User"
- tasks.user_add(self.master, uid, password=password)
- tasks.kinit_user(
- self.master, uid, f"{password}\n{password}\n{password}\n"
- )
- info = self.get_user(uid)
- assert "ipasubuidcount" not in info
- result = self.user_auto_subid(uid, raiseonerr=False)
+ tasks.create_active_user(self.master, uid1, password=password)
+ tasks.create_active_user(self.master, uid2, password=password)
+
+ tasks.kinit_user(self.master, uid1, password=password)
+ self.assert_subid(uid1, match=False)
+ result = self.subid_generate(uid1, raiseonerr=False)
+ assert result.returncode > 0
+ result = self.subid_generate(None, raiseonerr=False)
assert result.returncode > 0
tasks.kinit_admin(self.master)
@@ -121,10 +146,14 @@ class TestSubordinateId(IntegrationTest):
)
try:
- tasks.kinit_user(self.master, uid, password)
- self.user_auto_subid(uid)
- info = self.get_user(uid)
- assert "ipasubuidcount" in info
+ tasks.kinit_user(self.master, uid1, password)
+ self.subid_generate(uid1)
+ self.assert_subid(uid1, match=True)
+
+ # add subid from whoami
+ tasks.kinit_as_user(self.master, uid2, password=password)
+ self.subid_generate(None)
+ self.assert_subid(uid2, match=True)
finally:
tasks.kinit_admin(self.master)
self.master.run_command(
@@ -140,45 +169,46 @@ class TestSubordinateId(IntegrationTest):
password = "Secret123"
# create user administrator
- tasks.user_add(self.master, uid_useradmin, password=password)
+ tasks.create_active_user(
+ self.master, uid_useradmin, password=password
+ )
# add user to user admin group
tasks.kinit_admin(self.master)
self.master.run_command(
["ipa", "role-add-member", role, f"--users={uid_useradmin}"],
)
# kinit as user admin
- tasks.kinit_user(
- self.master,
- uid_useradmin,
- f"{password}\n{password}\n{password}\n",
- )
+ tasks.kinit_user(self.master, uid_useradmin, password)
+
# create new user as user admin
tasks.user_add(self.master, uid)
# assign new subid to user (with useradmin credentials)
- self.user_auto_subid(uid)
-
- def test_subordinate_default_objclass(self):
+ self.subid_generate(uid)
+
+ # test that user admin can preserve and delete users with subids
+ self.master.run_command(["ipa", "user-del", "--preserve", uid])
+ # XXX does not work, see subordinate-ids.md
+ # subid should still exist
+ # self.assert_subid(uid, match=True)
+ # final delete should remove the user and subid
+ self.master.run_command(["ipa", "user-del", uid])
+ self.assert_subid(uid, match=False)
+
+ def tset_subid_auto_assign(self):
tasks.kinit_admin(self.master)
+ uid = "testuser_autoassign_user1"
- result = self.master.run_command(
- ["ipa", "config-show", "--raw", "--all"]
+ self.master.run_command(
+ ["ipa", "config-mod", "--user-default-subid=true"]
)
- info = self._parse_result(result)
- usercls = info["ipauserobjectclasses"]
- assert "ipasubordinateid" not in usercls
-
- cmd = [
- "ipa",
- "config-mod",
- "--addattr",
- "ipaUserObjectClasses=ipasubordinateid",
- ]
- self.master.run_command(cmd)
- uid = "testuser_usercls1"
- tasks.user_add(self.master, uid)
- info = self.get_user(uid)
- assert "ipasubuidcount" in info
+ try:
+ tasks.user_add(self.master, uid)
+ self.assert_subid(uid, match=True)
+ finally:
+ self.master.run_command(
+ ["ipa", "config-mod", "--user-default-subid=false"]
+ )
def test_idrange_subid(self):
tasks.kinit_admin(self.master)
@@ -199,3 +229,7 @@ class TestSubordinateId(IntegrationTest):
assert info["ipanttrusteddomainsid"].startswith(
"S-1-5-21-738065-838566-"
)
+
+ def test_subid_stats(self):
+ tasks.kinit_admin(self.master)
+ self.master.run_command(["ipa", "subid-stats"])
--
2.26.3