[Freeipa-devel] [PATCH] 79 Add SIDs for existing users and groups at the end of ipa-adtrust-install

Sumit Bose sbose at redhat.com
Wed Oct 3 09:35:07 UTC 2012


Hi,

this patch adds a new --add-sids option to ipa-adtrust-install to generate
SIDs for existing users and groups at the end of the run. This fixes
https://fedorahosted.org/freeipa/ticket/3104 .

bye,
Sumit
-------------- next part --------------
From 64f5b76c1869dbbc5e63035baa13642b43854839 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 2 Oct 2012 22:11:17 +0200
Subject: [PATCH] Add SIDs for existing users and groups at the end of
 ipa-adtrust-install

Fixes https://fedorahosted.org/freeipa/ticket/3104
---
 daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am      |  1 +
 .../ipa-sidgen/ipa-sidgen-task-example.ldif           | 10 ----------
 .../ipa-sidgen/ipa-sidgen-task-run.ldif               | 10 ++++++++++
 install/tools/ipa-adtrust-install                     |  5 ++++-
 install/tools/man/ipa-adtrust-install.1               | 10 ++++++++++
 ipaserver/install/adtrustinstance.py                  | 19 ++++++++++++++++++-
 6 Dateien ge?ndert, 43 Zeilen hinzugef?gt(+), 12 Zeilen entfernt(-)
 delete mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif
 create mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif

diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
index 0d8b74e86369ae9c972e090ff0e6feddc840cfde..a0d0e9ecf366b23cc6f054945544cd88cd846cad 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
@@ -49,6 +49,7 @@ appdir = $(IPA_DATA_DIR)
 app_DATA =				\
 	ipa-sidgen-conf.ldif		\
 	ipa-sidgen-task-conf.ldif	\
+	ipa-sidgen-task-run.ldif	\
 	$(NULL)
 
 EXTRA_DIST =			\
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif
deleted file mode 100644
index 9cfded73b1b53461c0c0aa4f563452f51d258aae..0000000000000000000000000000000000000000
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif
+++ /dev/null
@@ -1,10 +0,0 @@
-dn: cn=sidgen,cn=ipa-sidgen-task,cn=plugins,cn=config
-changetype: add
-objectClass: top
-objectClass: nsSlapdPlugin
-objectClass: extensibleObject
-cn: ipa-sidgen-task
-nsslapd-pluginPath: libipa_sidgen_task
-nsslapd-pluginInitfunc: sidgen_task_init
-nsslapd-basedn: $SUFFIX
-delay: 0
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..663b7597b90a59c88c658dbcc5f483a6693f88dc
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif
@@ -0,0 +1,10 @@
+dn: cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config
+changetype: add
+objectClass: top
+objectClass: extensibleObject
+cn: sidgen
+# $SUFFIX must be replaced with the base DN of the IPA directory tree
+nsslapd-basedn: $SUFFIX
+# delay specifies the time the task should sleep between the generation of SIDs
+# in nanoseconds
+delay: 0
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 12e218de62dd4b4d795f7372e0108e6a208f1285..f50bb58213ac0681cd8bda0a449ae21c48e6adb8 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -61,6 +61,9 @@ def parse_options():
     parser.add_option("-A", "--admin-name",
                       sensitive=True, dest="admin_name", default='admin',
                       help="admin user principal")
+    parser.add_option("--add-sids", dest="add_sids", action="store_true",
+                      default=False, help="Add SIDs for existing users and" \
+                                          "groups as the final step")
 
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
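Review bot: The help string for the new `--add-sids` option is split across two literals with no separating space, so the rendered help reads "users andgroups as the final step". Either keep the space before the closing quote of the first literal or drop the backslash continuation and use one literal: `help="Add SIDs for existing users and groups as the final step"`. Since the man page change warns about replication load, a short hint in the help text that this starts a background directory-server task would be worth adding too. parse_options continues outside the hunk.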
@@ -254,7 +257,7 @@ def main():
     smb.autobind = service.ENABLED
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
               netbios_name, options.rid_base, options.secondary_rid_base,
-              options.no_msdcs)
+              options.no_msdcs, options.add_sids)
     smb.find_local_id_range()
     smb.create_instance()
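Review bot: The call passes `options.add_sids` positionally as the ninth argument to `smb.setup`, so it is correct only as long as the new parameter stays in exactly that slot ahead of `smbd_user`. Passing the trailing flags by keyword, `no_msdcs=options.no_msdcs, add_sids=options.add_sids)`, makes the call independent of the parameter order and documents at the call site which boolean is which. main() begins and ends outside the hunk.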
 
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index fa63bca3c4859325acb5891de6ad1e21b97dc754..9204b7d5fde7493a4c268eb71693e86a63a1b4b7 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -71,6 +71,16 @@ are needed for the IPA domain which should point to all IPA servers:
 .IP
 \(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
 .TP
+\fB\-\-add\-sids\fR
+Add SIDs to existing users and groups as a final step of the
+ipa\-adtrust\-install run. If there a many existing users and groups and a
+couple of replicas in the environment this operation might lead to a high
+replication traffic and a performance degradation of all IPA servers in the
+environment. To avoid this the SID generation can be run after
+ipa\-adtrust\-install is run and scheduled independently. To start this task
+you have to load an edited version of ipa-sidgen-task-run.ldif with the
+ldapmodify command info the directory server.
+.TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .TP
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 8b8364929a9f063ad66fac0d7bca4d13977f9543..8822c2855eff3b9855914679ac7cedd016ea9185 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -109,6 +109,7 @@ class ADTRUSTInstance(service.Service):
         self.domain_name = None
         self.netbios_name = None
         self.no_msdcs = None
+        self.add_sids = None
         self.smbd_user = None
         self.suffix = DN()
         self.ldapi_socket = None
@@ -332,6 +333,16 @@ class ADTRUSTInstance(service.Service):
         try:
             self._ldap_mod("ipa-sidgen-conf.ldif", self.sub_dict)
             self._ldap_mod("ipa-sidgen-task-conf.ldif", self.sub_dict)
+        except Exception:
+            pass
+
+    def __add_sids(self):
+        """
+        Add SIDs for existing users and groups
+        """
+
+        try:
+            self._ldap_mod("ipa-sidgen-task-run.ldif", self.sub_dict)
         except:
             pass
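Review bot: `__add_sids` wraps the only thing it does in a bare `except: pass`, so if the task entry cannot be added the installer still reports the step as done and exits successfully while no SIDs were generated — and users and groups without SIDs cannot be resolved across the trust, which is the whole purpose of the option. A bare `except:` also swallows KeyboardInterrupt and SystemExit; the sibling method directly above at least narrows to `except Exception:`. Change it to `except Exception as e:` and log the error with the logger this module already uses, telling the admin to load ipa-sidgen-task-run.ldif manually, otherwise ticket 3104 is not fixed when the task silently never starts. Note also that the task DN in the ldif is fixed (`cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config`), so if the entry from a previous run is still present the add would presumably fail with an already-exists error that this handler hides.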
 
@@ -574,7 +585,8 @@ class ADTRUSTInstance(service.Service):
                              FQDN = self.fqdn)
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
-              rid_base, secondary_rid_base, no_msdcs=False, smbd_user="samba"):
+              rid_base, secondary_rid_base, no_msdcs=False, add_sids=False,
+              smbd_user="samba"):
         self.fqdn = fqdn
         self.ip_address = ip_address
         self.realm = realm_name
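Review bot: The new `add_sids` parameter is inserted before the existing `smbd_user` parameter rather than appended, so any caller that already passed `smbd_user` positionally as the ninth argument now binds that string to `add_sids` (truthy) and leaves `smbd_user` at its default, with no error raised. Appending it instead — `rid_base, secondary_rid_base, no_msdcs=False, smbd_user="samba", add_sids=False):` — keeps existing positional callers working; I cannot see other callers of setup from here, so this is a compatibility precaution. The body of setup continues past the hunk.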
@@ -583,6 +595,7 @@ class ADTRUSTInstance(service.Service):
         self.rid_base = rid_base
         self.secondary_rid_base = secondary_rid_base
         self.no_msdcs = no_msdcs
+        self.add_sids = add_sids
         self.smbd_user = smbd_user
         self.suffix = ipautil.realm_to_suffix(self.realm)
         self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
@@ -671,6 +684,10 @@ class ADTRUSTInstance(service.Service):
                   self.__configure_selinux_for_smbd)
         self.step("starting CIFS services", self.__start)
 
+        if self.add_sids:
+            self.step("adding SIDs to existing users and groups",
+                      self.__add_sids)
+
         self.start_creation("Configuring CIFS:")
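Review bot: The step label "adding SIDs to existing users and groups" suggests the SIDs are in place when the step returns, but `__add_sids` only adds a task entry under cn=tasks that the sidgen plugin then processes inside the directory server; how long that takes is not visible here and presumably depends on the number of entries and the configured delay. A label such as `self.step("starting SID generation task for existing users and groups", self.__add_sids)` sets the right expectation, and the final installer output could remind the admin that the task is still running and can be monitored in the directory server log. The enclosing method begins outside the hunk.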
 
     def uninstall(self):
-- 
1.7.11.4


