From 843d21620c118f283f53db77b1114d15d26dc176 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 20 Jul 2016 15:46:22 +0200
Subject: [PATCH] harden the check for trust namespace overlap in new
principals
This check must handle the possibility of optional attributes
(ipantadditionalsuffixes and ipantflatname) missing in the trusted domain
entry.
https://fedorahosted.org/freeipa/ticket/6099
Reviewed-By: David Kupka <dkupka@redhat.com>
---
ipalib/util.py | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/ipalib/util.py b/ipalib/util.py
index d101514cad4f35fd9a09d84b549ffa86de432f70..e0fc178c4af2056d04ad88a3923daa7d127fe307 100644
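--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -968,11 +968,15 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys):
 trust_suffix_namespace = set()
 
 for obj in trust_objects:
- trust_suffix_namespace.update(
- set(upn.lower() for upn in obj['ipantadditionalsuffixes']))
+ nt_suffixes = obj.get('ipantadditionalsuffixes', [])
 
 trust_suffix_namespace.update(
- set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower())))
+ set(upn.lower() for upn in nt_suffixes))
+
+ if 'ipantflatname' in obj:
+ trust_suffix_namespace.add(obj['ipantflatname'][0].lower())
+
+ trust_suffix_namespace.add(obj['cn'][0].lower())
 
 for principal in keys[-1]:
 realm = principal.realm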
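Review bot: The `'ipantflatname' in obj` guard covers an absent attribute but not one that is present with an empty value list, where `obj['ipantflatname'][0]` would still raise IndexError. If such an entry can occur, `flat = obj.get('ipantflatname')` followed by `if flat: trust_suffix_namespace.add(flat[0].lower())` handles both cases. Every name put into the set is lower-cased, so the realm read from `principal.realm` in the loop that continues past this hunk has to be lower-cased before the membership test, otherwise a case-variant realm would not be recognised as overlapping; that comparison is not visible here. The `set(...)` wrapper inside `update()` is redundant, since `trust_suffix_namespace.update(upn.lower() for upn in nt_suffixes)` does the same.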
--
2.7.4