[Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type

Petr Vobornik pvoborni at redhat.com
Fri Oct 24 13:46:36 UTC 2014


On 23.10.2014 10:39, Martin Kosek wrote:
> On 10/22/2014 07:39 PM, Tomas Babej wrote:
>> Hi,
>>
>> thank you for the patches, comments inline.
>>
>>
>> On 10/15/2014 02:20 PM, Petr Vobornik wrote:
>>> ticket: https://fedorahosted.org/freeipa/ticket/4221
>>>
>>> == [PATCH] 773 ranges: prohibit setting --rid-base with
>>> ipa-trust-ad-posix type ==
>>>
>>> We should not allow setting --rid-base for ranges of
>>> ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings
>>> for these ranges (objects have UID/GID set in AD). Thus, setting RID
>>> base makes no sense.
>>>
>>> Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class,
>>> value '0' is allowed and used internally for 'ipa-trust-ad-posix'
>>> range type.
>>
>> We probably don't want to display the first RID if it is 0 and the type
>> is ad-posix. This occurs in idrange-find:
>>
>> [tbabej at vm-043 labtool]$ ipa idrange-find
>>
>> ----------------
>> 2 ranges matched
>> ----------------
>>    Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
>>    First Posix ID of the range: 514800000
>>    Number of IDs in the range: 200000
>>    First RID of the corresponding RID range: 1000
>>    First RID of the secondary RID range: 100000000
>>    Range type: local domain range
>>
>>    Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
>>    First Posix ID of the range: 10000
>>    Number of IDs in the range: 200000
>>    First RID of the corresponding RID range: 0
>>    Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
>>    Range type: Active Directory trust range with POSIX attributes
>>
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> And also idrange-show:
>>
>> [tbabej at vm-043 labtool]$ ipa idrange-show TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
>>    Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
>>    First Posix ID of the range: 10000
>>    Number of IDs in the range: 200000
>>    First RID of the corresponding RID range: 0
>>    Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
>>    Range type: Active Directory trust range with POSIX attributes
>>
>>
>>>
>>> No schema change is done.

Fixed


snip

>>>
>>> == [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix
>>> ranges ==
>>
>> Can you use the paged_search=True in find_entries instead of having an
>> infinite loop? It would make this code quite a bit cleaner.
>
> I also saw you did not update Makefile.am.

Because I did not add a new file.


Updated patches attached (only 773-775 are changed).
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0777-1-webui-prohibit-setting-rid-base-with-ipa-trust-ad-po.patch
Type: text/x-patch
Size: 5415 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141024/c36fea36/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0776-1-idrange-include-raw-range-type-in-output.patch
Type: text/x-patch
Size: 4540 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141024/c36fea36/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0775-1-ldapupdater-set-baserid-to-0-for-ipa-ad-trust-posix-.patch
Type: text/x-patch
Size: 3810 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141024/c36fea36/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0774-1-unittests-baserid-for-ipa-ad-trust-posix-idranges.patch
Type: text/x-patch
Size: 12972 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141024/c36fea36/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0773-1-ranges-prohibit-setting-rid-base-with-ipa-trust-ad-p.patch
Type: text/x-patch
Size: 6651 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141024/c36fea36/attachment-0004.bin>
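
The rule discussed in this thread, as an added example that is not part of the original message or of the attached patches: reject --rid-base for the AD POSIX range type, store 0 internally because ipaBaseRID is a MUST attribute, and hide that 0 in idrange-find/idrange-show style output. The function names, the exception class and the dict-based entry are hypothetical; requiring rid-base for plain ipa-ad-trust ranges is an assumption.

```python
# Added illustration; names are hypothetical, not FreeIPA's plugin API.
AD_POSIX = "ipa-ad-trust-posix"  # range type as spelled in the patch 775 title
AD_TRUST = "ipa-ad-trust"


class RangeOptionError(ValueError):
    """Raised when the options do not fit the requested range type."""


def normalize_new_range(range_type, base_id, size, rid_base=None):
    """Validate options for a new trusted-domain range and build its entry."""
    if range_type == AD_POSIX:
        # UID/GID come from AD, no RID -> UID/GID mapping is performed,
        # so a caller-supplied RID base is rejected rather than ignored.
        if rid_base is not None:
            raise RangeOptionError(
                "rid-base must not be set for %s ranges" % AD_POSIX)
        rid_base = 0  # ipaBaseRID is a MUST attribute: store 0 internally
    elif range_type == AD_TRUST:
        # Assumption: algorithmic mapping needs an explicit RID base.
        if rid_base is None or rid_base < 0:
            raise RangeOptionError(
                "rid-base is required for %s ranges" % AD_TRUST)
    else:
        raise RangeOptionError("unsupported range type: %r" % (range_type,))
    return {"iparangetype": range_type, "ipabaseid": base_id,
            "ipaidrangesize": size, "ipabaserid": rid_base}


def display_entry(entry):
    """Return the attributes to show, hiding the internal 0 for AD POSIX."""
    shown = dict(entry)
    if shown["iparangetype"] == AD_POSIX and shown.get("ipabaserid") == 0:
        del shown["ipabaserid"]
    return shown
```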

