From b1cefe64e4e91966e59d81c778abc8057af4cd6f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 10 Sep 2019 13:39:39 +0300
Subject: [PATCH] add default access control when migrating trust objects

It looks like for some cases we do not have proper set up keytab retrieval configuration in the old trusted domain object. This mostly affects two-way trust cases. In such cases, create default configuration as ipasam would have created when trust was established.

Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/install/plugins/adtrust.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 12596d5bfe71c16a2cb87acb755a88051676e3e5..0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -28,6 +28,9 @@ logger = logging.getLogger(__name__)
 register = Registry()
 
 DEFAULT_ID_RANGE_SIZE = 200000
+trust_read_keys_template = \
+    ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}",
+     "cn=trust admins,cn=groups,cn=accounts,{basedn}"]
 
 
 @register()
@@ -575,8 +578,15 @@ class update_tdo_to_new_layout(Updater):
             'krbprincipalkey')
         entry_data['krbextradata'] = en.single_value.get(
             'krbextradata')
-        entry_data['ipaAllowedToPerform;read_keys'] = en.get(
-            'ipaAllowedToPerform;read_keys', [])
+        read_keys = en.get('ipaAllowedToPerform;read_keys', [])
+        if not read_keys:
+            # Old style, no ipaAllowedToPerform;read_keys in the entry,
+            # use defaults that ipasam should have set when creating a
+            # trust
+            read_keys = list(map(
+                lambda x: x.format(basedn=self.api.env.basedn),
+                trust_read_keys_template))
+        entry_data['ipaAllowedToPerform;read_keys'] = read_keys
         entry.update(entry_data)
 
         try:
-- 
2.20.1
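Review bot: The new module-level `trust_read_keys_template` is a mutable list written in lowercase with a backslash continuation, although it is used as a constant; a tuple in UPPER_SNAKE_CASE with parenthesized continuation reads as the access-control default it is, e.g. `TRUST_READ_KEYS_TEMPLATE = (` followed by the two DN strings and `)`. The second hunk references the name, so the rename would have to be applied there too. A short comment above it explaining its role would help a maintainer, e.g. `# DN templates granted ipaAllowedToPerform;read_keys on a migrated trusted domain object that carries no ACL of its own; {basedn} is filled from api.env.basedn`.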
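Review bot: Applying the default read_keys ACL under `if not read_keys:` changes who may retrieve the trust's keys for that entry, but nothing records which trusted domain objects received the defaults, so an administrator auditing the migration cannot tell a pre-existing ACL from a synthesized one. The module already has `logger` (visible in the first hunk's header), so a line such as `logger.debug("No ipaAllowedToPerform;read_keys on %s, applying default ACL", en.dn)` inside the branch would make that visible; I assume `en.dn` is available on the entry object, please confirm. Separately, `list(map(lambda x: ..., trust_read_keys_template))` is clearer as a comprehension: `read_keys = [t.format(basedn=self.api.env.basedn) for t in trust_read_keys_template]`. The enclosing method starts before the hunk and continues past it.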