[Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation
Alexander Bokovoy
abokovoy at redhat.com
Tue Jul 12 11:05:29 UTC 2016
On Mon, 11 Jul 2016, Martin Babinsky wrote:
>From 185bde00a76459430d95ff207bf1fb3fe31e811a Mon Sep 17 00:00:00 2001
>From: Martin Babinsky <mbabinsk at redhat.com>
>Date: Fri, 1 Jul 2016 18:09:04 +0200
>Subject: [PATCH] Preserve user principal aliases during rename operation
>
>When a MODRDN is performed on the user entry, the MODRDN plugin resets both
>krbPrincipalName and krbCanonicalName to the value constructed from uid. In
>doing so, hovewer, any principal aliases added to the krbPrincipalName are
>wiped clean. In this patch old aliases are fetched before the MODRDN operation
>takes place and inserted back after it is performed.
>
>This also preserves previous user logins which can be used further for
>authentication as aliases.
>
>https://fedorahosted.org/freeipa/ticket/6028
>---
> ipaserver/plugins/baseuser.py | 46 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 46 insertions(+)
>
>diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
>index 0052e718afe639bcc1c0a698ded39ea8407a0551..e4288a5a131157815ffb2452692a7edb342f6ac3 100644
>--- a/ipaserver/plugins/baseuser.py
>+++ b/ipaserver/plugins/baseuser.py
>@@ -498,6 +498,50 @@ class baseuser_mod(LDAPUpdate):
> len = int(config.get('ipamaxusernamelength')[0])
> )
> )
>+
>+ def preserve_krbprincipalname_pre(self, ldap, entry_attrs, *keys, **options):
>+ """
>+ preserve user principal aliases during rename operation. This is the
>+ pre-callback part of this. Another method called during post-callback
>+ shall insert the principals back
>+ """
>+ if options.get('rename', None) is None:
>+ return
>+
>+ try:
>+ old_entry = ldap.get_entry(
>+ entry_attrs.dn, attrs_list=(
>+ 'krbprincipalname', 'krbcanonicalname'))
>+
>+ if 'krbcanonicalname' not in old_entry:
>+ return
>+ except errors.NotFound:
>+ self.obj.handle_not_found(*keys)
>+
>+ self.context.krbprincipalname = old_entry.get(
>+ 'krbprincipalname', [])
>+
>+ def preserve_krbprincipalname_post(self, ldap, entry_attrs, **options):
>+ """
>+ Insert the preserved aliases back to the user entry during rename
>+ operation
>+ """
>+ if options.get('rename', None) is None or not hasattr(
>+ self.context, 'krbprincipalname'):
>+ return
>+
>+ obj_pkey = self.obj.get_primary_key_from_dn(entry_attrs.dn)
>+ canonical_name = entry_attrs['krbcanonicalname'][0]
>+
>+ principals_to_add = tuple(p for p in self.context.krbprincipalname if
>+ p != canonical_name)
>+
>+ if principals_to_add:
>+ result = self.api.Command.user_add_principal(
>+ obj_pkey, principals_to_add)['result']
>+
>+ entry_attrs['krbprincipalname'] = result.get('krbprincipalname', [])
>+
> def check_mail(self, entry_attrs):
> if 'mail' in entry_attrs:
> entry_attrs['mail'] = self.obj.normalize_and_validate_email(entry_attrs['mail'])
>@@ -557,9 +601,11 @@ class baseuser_mod(LDAPUpdate):
>
> self.check_objectclass(ldap, dn, entry_attrs)
> self.obj.convert_usercertificate_pre(entry_attrs)
>+ self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys, **options)
>
> def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
> assert isinstance(dn, DN)
>+ self.preserve_krbprincipalname_post(ldap, entry_attrs, **options)
> if options.get('random', False):
> try:
> entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword'))
>--
>2.5.5
>
The approach looks good.
For the record, we also support aliases for hosts and service kerberos
principals but we don't support rename options for them, so there is no
need to add similar logic there.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list