From c9bae715b24df0f5476bdb70a2209d5f55e46a93 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 21 May 2021 09:26:33 +0200 Subject: [PATCH] Use 389-DS' dnaInterval setting to assign intervals Signed-off-by: Christian Heimes Reviewed-By: Francois Cami Reviewed-By: Rob Crittenden Reviewed-By: Francois Cami Reviewed-By: Rob Crittenden --- freeipa.spec.in | 3 ++- install/share/dna.ldif | 1 + install/updates/73-subid.update | 7 ++----- ipaserver/plugins/subid.py | 14 +------------- 4 files changed, 6 insertions(+), 19 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 044e3559975c399f6697d4da94b5a059eb5b407c..fa649cf4e1abe8e9928ef340a66d48d78f7e3521 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -106,8 +106,9 @@ %global python_ldap_version 3.1.0-1 # Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700 +# and has DNA interval enabled %if 0%{?fedora} < 34 -%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.16-1'; print(v[rpm.expand('%{fedora}')])} +%global ds_version 1.4.4.16-1 %else %global ds_version 2.0.5-1 %endif diff --git a/install/share/dna.ldif b/install/share/dna.ldif index 735faab8261feef59486f7c933b01c57ad511166..9023fcd7db5a2c121c493559e2546c85c0daf69a 100644 --- a/install/share/dna.ldif +++ b/install/share/dna.ldif @@ -31,6 +31,7 @@ dnaScope: $SUFFIX dnaThreshold: eval($SUBID_DNA_THRESHOLD) dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX dnaExcludeScope: cn=provisioning,$SUFFIX +dnaInterval: eval($SUBID_COUNT) # TODO: enable when 389-DS' DNA plugin supports dnaStepAttr # dnaIntervalAttr: ipasubuidcount # dnaIntervalAttr: ipasubgidcount diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update index 1aa43822a8b8c220583b81e08d70b648ca594363..e10703aa3f9528751233ddebe00b8c8c8fc5ed3f 100644 --- a/install/updates/73-subid.update +++ b/install/updates/73-subid.update 
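Review bot: `dnaInterval: eval($SUBID_COUNT)` only produces non-overlapping blocks if the value the plugin starts counting from is itself a multiple of SUBID_COUNT; dnaNextValue and dnaMaxValue are outside this hunk, so it is worth confirming that the range start and end are aligned to the interval, and that range transfers between replicas through `dnaSharedCfgDN` (with `dnaThreshold` triggering them) keep that alignment rather than handing over an arbitrary remainder. A short comment above the new line would record the invariant the self-service ACI now depends on: `# dnaInterval keeps DNA-assigned ipasubuidnumber/ipasubgidnumber values SUBID_COUNT apart; range start and end must be multiples of SUBID_COUNT`. The same line is added in the 73-subid.update hunk (`default: dnaInterval: eval($SUBID_COUNT)`) and the same comment applies there. The adjacent `# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr` still only talks about `dnaIntervalAttr`; rewording it to say that `dnaInterval` is the fixed-step fallback until per-entry step attributes are supported would keep the two settings from being confused.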
@@ -62,12 +62,8 @@ default:member: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
 # The delete-when-empty check is required because IPA uses MOD_REPLACE to
 # set attributes, see https://github.com/389ds/389-ds-base/issues/4597.
 #
-# TODO: remove (ipasubuidnumber>=eval($SUBID_RANGE_START) from
-# self-service permission when 389-DS' DNA plugin supports dnaStepAttr and
-# fake_dna_plugin hack has been removed.
-#
 dn: cn=subids,cn=accounts,$SUFFIX
-add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=eval($SUBID_RANGE_START))(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=eval($SUBID_RANGE_START))(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(ipasubuidnumber=-1) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(ipasubgidnumber=-1) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) &&
ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";) add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";) # DNA plugin and idrange configuration @@ -90,6 +86,7 @@ default: dnaScope: $SUFFIX default: dnaThreshold: eval($SUBID_DNA_THRESHOLD) default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX default: dnaExcludeScope: cn=provisioning,$SUFFIX +default: dnaInterval: eval($SUBID_COUNT) # TODO: enable when 389-DS' DNA plugin supports dnaStepAttr # add: dnaIntervalAttr: ipasubuidcount # add: dnaIntervalAttr: ipasubgidcount diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py index 7d9a2f33e84bc7cdf17900346343e49d5eda0d8c..440f24ee627f0736100f63026158c564b04520c2 100644 --- a/ipaserver/plugins/subid.py +++ b/ipaserver/plugins/subid.py @@ -2,7 +2,6 @@ # Copyright (C) 2021 FreeIPA Contributors see COPYING for license # -import random import uuid from ipalib import api 
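Review bot: The self-service ACI now admits only `ipasubuidnumber=-1` and `ipasubgidnumber=-1` (the DNA sentinel), which is the security-relevant effect of this hunk — a user can no longer choose a start value inside the range — yet with the old TODO block deleted nothing in the file states that intent. A comment before `dn: cn=subids,cn=accounts,$SUFFIX` would keep it visible, e.g. `# Self-service may only request DNA assignment (-1); 389-DS' dnaInterval keeps the assigned ranges SUBID_COUNT apart.` The unchanged administrator ACI on the following context line still accepts any `ipasubuidnumber>=1`, so an administrator-supplied value that is not a multiple of SUBID_COUNT could overlap a DNA-assigned block unless that is rejected elsewhere — presumably intentional, but worth a sentence in the same comment so the asymmetry is recorded.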
@@ -291,12 +290,8 @@ class subid(LDAPObject): _entry_attrs = ldap.get_entry(dn, ["objectclass"]) entry_attrs["objectclass"] = _entry_attrs["objectclass"] - # XXX HACK, remove later - if subuid == DNA_MAGIC: - subuid = self._fake_dna_plugin(ldap, dn, entry_attrs) - entry_attrs["ipasubuidnumber"] = subuid - # enforice subuid == subgid for now + # enforce subuid == subgid for now entry_attrs["ipasubgidnumber"] = subuid # hard-coded constants entry_attrs["ipasubuidcount"] = constants.SUBID_COUNT @@ -350,13 +345,6 @@ class subid(LDAPObject): filters.extend(extra_filters) return ldap.combine_filters(filters, rules=ldap.MATCH_ALL) - def _fake_dna_plugin(self, ldap, dn, entry_attrs): - """XXX HACK, remove when 389-DS DNA plugin supports steps""" - return ( - constants.SUBID_RANGE_START - + random.randint(1, 32764 - 2) * constants.SUBID_COUNT - ) - @register() class subid_add(LDAPCreate): -- 2.26.3
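Review bot: With the `DNA_MAGIC` branch removed, `entry_attrs["ipasubuidnumber"] = subuid` now forwards whatever value it receives and relies entirely on the server-side DNA plugin for alignment, but the surrounding comments no longer say so; the enclosing method starts before this hunk, so I cannot see from here whether `subuid` can ever be something other than `DNA_MAGIC`. A why-comment on that line would make the contract explicit: `# DNA_MAGIC (-1) is replaced by 389-DS' DNA plugin; dnaInterval guarantees a SUBID_COUNT-aligned value`. If the method does accept caller-chosen values, the alignment check that `_fake_dna_plugin` implicitly provided is gone and should be stated as an ACI/DNA responsibility in that comment.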