[Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

Sumit Bose sbose at redhat.com
Wed Jun 13 19:17:26 UTC 2012


Hi,

To keep track of the different ranges we use for UIDs/GIDs of local
users/groups and of users from trusted domains, new range objects are
introduced; they are stored below cn=range,cn=etc,$SUFFIX.

0022: LDAP schema update
0023: Create a range object during installation for the local ID range
0024: add primary and secondary RID base to the local range object
      during ipa-adtrust-install

bye,
Sumit
-------------- next part --------------
From f9dbf28c52feabeae801d41bd4f69d2eb898a8b0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 11 Jun 2012 18:31:36 +0200
Subject: [PATCH] Extend LDAP schema

The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or
SIDs for objects that are neither users nor groups.

The ipa*IDRange objectclasses will be used to store the used Posix ID
ranges of the local domains (ipaLocalIDrange) or the ranges reserved
for AD domains (ipaNTIDrange). To be able to map the Posix IDs to a RID
and back the corresponding ranges can be saved here as well.
---
 install/share/60basev3.ldif |    8 ++++++++
 1 Datei ge?ndert, 8 Zeilen hinzugef?gt(+)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 2c24137b0dc39f215ed0e4b97079ffce0ec630d3..03561d13f45768006eb22e3dc00f41f35944dc56 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -29,6 +29,10 @@ attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' DESC
 attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3')
 attributeTypes: (2.16.840.1.113730.3.8.11.30 NAME 'ipaSELinuxUser' DESC 'An SELinux user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
 attributeTypes: (2.16.840.1.113730.3.8.11.31 NAME 'ipaSshPubKey' DESC 'SSH public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v3' )
+attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
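Review bot: ipaBaseID and ipaIDRangeSize are declared with EQUALITY integerMatch but no ORDERING rule, while ipaBaseRID and ipaSecondaryBaseRID two lines further down get `ORDERING integerOrderingMatch`. Without an ordering rule, `(ipaBaseID>=N)`-style filters are, depending on the server, either not evaluable or not indexable, so a later overlap check between ranges — the thing that keeps two ranges from claiming the same Posix IDs — cannot be expressed as a search. Adding `ORDERING integerOrderingMatch` to both definitions here and to their copies in 62-ranges.update keeps the four attributes consistent.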
@@ -40,3 +44,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP ipaAsso
 objectClasses: (2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT MAY ipaSshPubKey X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
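Review bot: The naming of the new object classes is inconsistent: `ipaIDrange` (lowercase r) sits next to `ipaDomainIDRange`/`ipaTrustedADDomainRange` (capital R) and the attribute `ipaIDRangeSize`, and `ipaIDobject` differs again. LDAP matches these names case-insensitively, so this is not a functional problem, but the entries in bootstrap-template.ldif and the update files spell them by hand, and a consistent `ipaIDRange` would avoid typos that are only caught at install time. The commit message still calls the classes ipaLocalIDrange and ipaNTIDrange; it should be updated to the names actually defined here.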
-- 
1.7.10.2

-------------- next part --------------
From f4cce6c9952e1429cd0bf404b3b53f22f5f2b45a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 12 Jun 2012 11:58:41 +0200
Subject: [PATCH] Add objects for initial ID range

---
 install/share/bootstrap-template.ldif |   14 ++++++++++++++
 install/updates/62-ranges.update      |   13 +++++++++++++
 install/updates/Makefile.am           |    1 +
 ipaserver/install/dsinstance.py       |    1 +
 4 Dateien ge?ndert, 29 Zeilen hinzugef?gt(+)
 create mode 100644 install/updates/62-ranges.update

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 149b6c9b29c6fd363eb7baccd9648d49c260ff85..ca74bf6fade5f4e0591ee511f96cc3d58542887d 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -409,3 +409,17 @@ objectClass: top
 objectClass: nsContainer
 cn: usermap
 
+dn: cn=ranges,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: ranges
+
+dn: cn=local_id_range,cn=ranges,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaIDrange
+objectClass: ipaDomainIDRange
+cn: local_id_range
+ipaBaseID: $IDSTART
+ipaIDRangeSize: $IDRANGE_SIZE
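Review bot: The container DN here is `cn=ranges,cn=etc,$SUFFIX`, while the cover letter says the objects live below cn=range,cn=etc,$SUFFIX; one of the two should be corrected so readers look in the right place (62-ranges.update agrees with this hunk). A short comment above the local_id_range entry, e.g. `# Posix ID range of this IPA domain; RID bases are added later by ipa-adtrust-install`, would explain why the entry is created without ipaBaseRID/ipaSecondaryBaseRID.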
diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update
new file mode 100644
index 0000000000000000000000000000000000000000..42c1e2a98b8b64164ae9ae0292aa7b91beac2b26
--- /dev/null
+++ b/install/updates/62-ranges.update
@@ -0,0 +1,13 @@
+dn: cn=schema
+add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
+add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
+add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
+
+dn: cn=ranges,cn=etc,$SUFFIX
+default: obectClass: top
+default: objectClass: nsContainer
+default: cn: ranges
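Review bot: `default: obectClass: top` on the cn=ranges entry is misspelled (`obectClass`); the updater would try to add an attribute of that name, which the schema rejects, so the line must read `default: objectClass: top`. Separately, this update creates only the container and not the cn=local_id_range entry that bootstrap-template.ldif adds on fresh installs, so a server upgraded to this version has no ipaDomainIDRange entry and the new __add_rid_bases step in adtrustinstance.py would abort with its "ID range of the local domain not found" error. The update should also create the local range entry; since that needs the idstart/idmax values, it presumably has to be done in code rather than in this file.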
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 412630e4e6d13167e2c0ae17c54f8ad84a4797fa..e45690f14c41dbd9eb10b5969ee14a257b8c7883 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -35,6 +35,7 @@ app_DATA =				\
 	55-pbacmemberof.update		\
 	60-trusts.update		\
 	61-trusts-s4u2proxy.update	\
+	62-ranges.update		\
 	$(NULL)
 
 EXTRA_DIST =				\
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index fb620a82e0d432d50e6c40ab8a7053ced153965a..93c6b50c274506949d1cdb81ad952141de10dab1 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -313,6 +313,7 @@ class DsInstance(service.Service):
                              IDMAX=self.idmax, HOST=self.fqdn,
                              ESCAPED_SUFFIX= escape_dn_chars(self.suffix.lower()),
                              GROUP=DS_GROUP,
+                             IDRANGE_SIZE=self.idmax-self.idstart+1
                          )
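Review bot: `IDRANGE_SIZE=self.idmax-self.idstart+1` is the only keyword in this call written without spaces around the operators and without a trailing comma; `IDRANGE_SIZE=self.idmax - self.idstart + 1,` matches the surrounding style and keeps the next addition a one-line diff. The value is written straight into the template as ipaIDRangeSize, and if idstart/idmax are not validated earlier (that code is outside this hunk, so I cannot tell), idmax < idstart would produce a zero or negative range size that the integer syntax accepts silently; a guard such as `if self.idmax < self.idstart: raise ValueError("idmax must not be smaller than idstart")` before the template call would catch it. The template call starts before this hunk.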
 
     def __create_ds_user(self):
-- 
1.7.10.2

-------------- next part --------------
From cfef8f1f1f24e682bbd7851715ff195cf8bf5b59 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 12 Jun 2012 17:53:36 +0200
Subject: [PATCH] Set RID bases for local domain during ipa-adtrust-install

---
 install/tools/ipa-adtrust-install    |    9 ++++++-
 ipaserver/install/adtrustinstance.py |   48 +++++++++++++++++++++++++++++++++-
 2 Dateien ge?ndert, 55 Zeilen hinzugef?gt(+), 2 Zeilen entfernt(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index c0b477102462e128400436f52d2f78b092f5272d..c104b5113c16acec09d88a665f56bbb10ede4ed1 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -48,6 +48,12 @@ def parse_options():
     parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
                       default=False, help="Do not create DNS service records " \
                                           "for Windows in managed DNS server")
+    parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
+                      help="Start value for mapping UIDs and GIDs to RIDs")
+    parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
+                      type=int, default=100000000,
+                      help="Start value of the secondary range for mapping " \
+                           "UIDs and GIDs to RIDs")
     parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                       default=False, help="unattended installation never prompts the user")
 
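Review bot: The two new options accept any int, including negative values and a pair of equal values that `__add_rid_bases` would reject later, but parse_options does not validate them, so the mistake is only reported mid-install. A check here, `if options.rid_base < 0 or options.secondary_rid_base < 0: parser.error("RID bases must be non-negative")` and `if options.rid_base == options.secondary_rid_base: parser.error("The two RID bases must differ")`, fails fast before anything is written. The help strings could also say that the two bases must be further apart than the size of the local ID range, since that is the rule enforced during the install. parse_options continues outside this hunk.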
@@ -207,7 +213,8 @@ def main():
         api.Backend.ldap2.connect(ccache)
 
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
-              netbios_name, options.no_msdcs)
+              netbios_name, options.rid_base, options.secondary_rid_base,
+              options.no_msdcs)
     smb.create_instance()
 
     print "=============================================================================="
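Review bot: The call now passes six positional values followed by no_msdcs, and with the two RID bases inserted in the middle of setup()'s parameter list, swapping rid_base, secondary_rid_base and no_msdcs would not be caught by the interpreter. Passing the new values by keyword, `smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, netbios_name, rid_base=options.rid_base, secondary_rid_base=options.secondary_rid_base, no_msdcs=options.no_msdcs)`, makes the call self-describing. main() starts before this hunk and continues after it.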
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 0e9e9ef245a0897dfee9bcb0940d0de35c1bfd61..43a2790831c9e941380c9ce705cc5dc441b4538b 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -114,6 +114,8 @@ class ADTRUSTInstance(service.Service):
         self.cifs_principal = None
         self.cifs_agent = None
         self.selinux_booleans = None
+        self.rid_base = None
+        self.secondary_rid_base = None
 
         service.Service.__init__(self, "smb", dm_password=dm_password)
 
@@ -174,6 +176,47 @@ class ADTRUSTInstance(service.Service):
         except:
             print "Failed to modify IPA admin group object"
 
+    def __add_rid_bases(self):
+        """
+        Add RID bases to the range object for the local ID range.
+
+        TODO: handle missing or multiple ranges more gracefully.
+        """
+
+        try:
+            res = self.admin_conn.search_s("cn=ranges,cn=etc,"+self.suffix,
+                                           ldap.SCOPE_ONELEVEL,
+                                           "(objectclass=ipaDomainIDRange)")
+            if len(res) != 1:
+                root_logger.critical("Found more than one ID range for the " \
+                                     "local domain.")
+                raise RuntimeError("Too many ID ranges\n")
+
+            if res[0].getValue('ipaBaseRID') or \
+               res[0].getValue('ipaSecondaryBaseRID'):
+                print "RID bases already set, nothing to do"
+                return
+
+            size = res[0].getValue('ipaIDRangeSize')
+            if abs(self.rid_base - self.secondary_rid_base) > size:
+                print "Primary and secondary RID base are too close. " \
+                      "They have to differ at least by %d." % size
+                raise RuntimeError("RID bases too close.\n")
+
+            try:
+                self.admin_conn.modify_s(res[0].dn,
+                                         [(ldap.MOD_ADD, "ipaBaseRID", \
+                                                 str(self.rid_base)), \
+                                         (ldap.MOD_ADD, "ipaSecondaryBaseRID", \
+                                                 str(self.secondary_rid_base))])
+            except:
+                print "Failed to add RID bases to the local range object"
+
+        except errors.NotFound as e:
+            root_logger.critical("ID range of the local domain not found, " \
+                                 "define it and run again.")
+            raise e
+
     def __create_samba_domain_object(self):
 
         try:
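Review bot: The distance check `if abs(self.rid_base - self.secondary_rid_base) > size:` is inverted: it raises "too close" exactly when the bases are far enough apart, so the option defaults 1000 and 100000000 would be rejected while overlapping bases pass. It also compares against `size` as returned by getValue, which for an integer-syntax attribute is presumably the stored string; under Python 2 an int-vs-str comparison silently evaluates to False instead of failing (and the `%d` format would then raise), so the value needs `int(...)` first. The bare `except:` around modify_s swallows every failure, prints a line and lets the install continue with no RID bases recorded, and `raise e` in the NotFound handler discards the original traceback — both should re-raise with a bare `raise`. `len(res) != 1` also covers an empty result but logs "more than one"; the rewrite below addresses these points, with the unchanged early return elided. __create_samba_domain_object follows outside the hunk.
```python
    def __add_rid_bases(self):
        """
        Add RID bases to the range object for the local ID range.

        Raises RuntimeError when zero or several ipaDomainIDRange entries
        exist or when the two bases are closer than the range size; LDAP
        errors from the modify propagate so the install step fails instead
        of continuing with no RID bases recorded.
        """
        try:
            res = self.admin_conn.search_s("cn=ranges,cn=etc," + self.suffix,
                                           ldap.SCOPE_ONELEVEL,
                                           "(objectclass=ipaDomainIDRange)")
        except errors.NotFound:
            root_logger.critical("ID range of the local domain not found, "
                                 "define it and run again.")
            raise

        if len(res) != 1:
            root_logger.critical("Expected exactly one ID range for the "
                                 "local domain, found %d.", len(res))
            raise RuntimeError("Unexpected number of ID ranges\n")

        # … unchanged: early return when ipaBaseRID/ipaSecondaryBaseRID already set …

        # getValue() hands back the stored value; compare as integers
        size = int(res[0].getValue('ipaIDRangeSize'))
        if abs(self.rid_base - self.secondary_rid_base) < size:
            print "Primary and secondary RID base are too close. " \
                  "They have to differ at least by %d." % size
            raise RuntimeError("RID bases too close.\n")

        # no try/except here: a failed modify must fail the install step
        self.admin_conn.modify_s(res[0].dn,
                                 [(ldap.MOD_ADD, "ipaBaseRID",
                                   str(self.rid_base)),
                                  (ldap.MOD_ADD, "ipaSecondaryBaseRID",
                                   str(self.secondary_rid_base))])
```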
@@ -402,12 +445,14 @@ class ADTRUSTInstance(service.Service):
                              FQDN = self.fqdn)
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
-              no_msdcs=False, smbd_user="samba"):
+              rid_base, secondary_rid_base, no_msdcs=False, smbd_user="samba"):
         self.fqdn = fqdn
         self.ip_address = ip_address
         self.realm_name = realm_name
         self.domain_name = domain_name
         self.netbios_name = netbios_name
+        self.rid_base = rid_base
+        self.secondary_rid_base = secondary_rid_base
         self.no_msdcs = no_msdcs
         self.smbd_user = smbd_user
         self.suffix = ipautil.realm_to_suffix(self.realm_name)
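Review bot: Inserting `rid_base, secondary_rid_base` as required positional parameters before `no_msdcs` changes the meaning of existing positional calls: any caller still passing no_msdcs as the sixth argument now silently supplies it as rid_base, and the interpreter will not notice. Appending the two parameters after the existing ones with defaults, `no_msdcs=False, smbd_user="samba", rid_base=1000, secondary_rid_base=100000000):` (the same values ipa-adtrust-install uses as option defaults, ideally shared via one module-level constant), keeps old callers working. setup() continues outside the hunk.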
@@ -440,6 +485,7 @@ class ADTRUSTInstance(service.Service):
         self.step("writing samba config file", self.__write_smb_conf)
         self.step("adding cifs Kerberos principal", self.__setup_principal)
         self.step("adding admin(group) SIDs", self.__add_admin_sids)
+        self.step("adding RID bases", self.__add_rid_bases)
         self.step("activating CLDAP plugin", self.__add_cldap_module)
         self.step("activating extdom plugin", self.__add_extdom_module)
         self.step("configuring smbd to start on boot", self.__enable)
-- 
1.7.10.2


