From aa5a5fa8349444c2817feb21dd8c6f8ba6b38fd0 Mon Sep 17 00:00:00 2001

From: Petr Vobornik <pvoborni@redhat.com>

Date: Mon, 13 Oct 2014 14:59:24 +0200

Subject: [PATCH] ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges

New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix

https://fedorahosted.org/freeipa/ticket/4221

Reviewed-By: Tomas Babej <tbabej@redhat.com>

---

 ipaserver/install/plugins/update_idranges.py | 69 +++++++++++++++++++++++++++-

 1 file changed, 68 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/update_idranges.py b/ipaserver/install/plugins/update_idranges.py

index 9e97c9f74570484a8bae82e99a7561350163a1b1..1aa5fa7631fd35a7aaf4a23a5eee44e4e0a2e904 100644

--- a/ipaserver/install/plugins/update_idranges.py

+++ b/ipaserver/install/plugins/update_idranges.py

@@ -17,7 +17,7 @@

 # You should have received a copy of the GNU General Public License

 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

-from ipaserver.install.plugins import MIDDLE

+from ipaserver.install.plugins import MIDDLE, LAST

 from ipaserver.install.plugins.baseupdate import PostUpdate

 from ipalib import api, errors

 from ipapython.dn import DN

@@ -111,4 +111,71 @@ class update_idrange_type(PostUpdate):

         return (False, False, [])

+

+class update_idrange_baserid(PostUpdate):

+    """

+    Update ipa-ad-trust-posix ranges' base RID to 0. This applies to AD trust

+    posix ranges prior to IPA 4.1.

+    """

+

+    order = LAST

+

+    def execute(self, **options):

+        ldap = self.obj.backend

+

+        base_dn = DN(api.env.container_ranges, api.env.basedn)

+        search_filter = ("(&(objectClass=ipaTrustedADDomainRange)"

+                         "(ipaRangeType=ipa-ad-trust-posix)"

+                         "(!(ipaBaseRID=0)))")

+        root_logger.debug(

+            "update_idrange_baserid: search for ipa-ad-trust-posix ID ranges "

+            "with ipaBaseRID != 0"

+        )

+

+        try:

+            (entries, truncated) = ldap.find_entries(

+                search_filter, ['ipabaserid'], base_dn,

+                paged_search=True, time_limit=0, size_limit=0)

+

+        except errors.NotFound:

+            root_logger.debug("update_idrange_baserid: no AD domain "

+                              "range with posix attributes found")

+            return (False, False, [])

+

+        except errors.ExecutionError, e:

+            root_logger.error("update_idrange_baserid: cannot retrieve "

+                              "list of affected ranges: %s", e)

+            return (False, False, [])

+

+        root_logger.debug("update_idrange_baserid: found %d "

+                          "idranges possible to update",

+                          len(entries))

+

+        error = False

+

+        # Set the range type

+        for entry in entries:

+            entry['ipabaserid'] = 0

+            try:

+                root_logger.info("Updating existing idrange: %s" % (entry.dn))

+                ldap.update_entry(entry)

+                root_logger.info("Done")

+            except (errors.EmptyModlist, errors.NotFound):

+                pass

+            except errors.ExecutionError, e:

+                root_logger.debug("update_idrange_type: cannot "

+                                  "update idrange: %s", e)

+                error = True

+

+        if error:

+            root_logger.error("update_idrange_baserid: error(s) "

+                              "detected during idrange baserid update")

+        else:

+            # All affected entries updated, exit the loop

+            root_logger.debug("update_idrange_baserid: all affected "

+                              "idranges updated")

+

+        return (False, False, [])

+

 api.register(update_idrange_type)

+api.register(update_idrange_baserid)

-- 

2.1.0