[Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users
Martin Babinsky
mbabinsk at redhat.com
Tue Jun 7 15:50:23 UTC 2016
On 06/06/2016 12:34 PM, Alexander Bokovoy wrote:
> Hi,
>
> Add support for additional user name principal suffixes from
> trusted Active Directory forests. UPN suffixes are property
> of the forest and as such are associated with the forest root
> domain.
>
> FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
> attribute of ipaNTTrustedDomain object class.
>
> In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
> LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
>
> For more details on UPN and naming in Active Directory see
> https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
>
> https://fedorahosted.org/freeipa/ticket/5354
>
>
>
Hi Alexander,
a few comments:
1.)
there are some PEP8 violations in the patch. Not all of them need to be
fixed, though (line overhangs < 5 characters are OK by me).
"""
./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 characters)
./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 characters)
./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':'
./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 characters)
./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 characters)
./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters)
./ipaserver/plugins/trust.py:490:9: E128 continuation line
under-indented for visual indent
./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79 characters)
./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']'
./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79 characters)
./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79
characters)
./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']'
./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, found 1
./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, found 1
"""
2.)
Should the ipaNTAdditionalSuffixes attribute be case insensitive? It
makes sense but I'm just asking so that we don't end changing the schema
later.
3.)
"""
def post_callback(self, ldap, entries, truncated, *args, **options):
if options.get('pkey_only', False):
return truncated
trust_dn = self.obj.get_dn(args[0], trust_type=u'ad')
trust_entry = ldap.get_entry(trust_dn)
+ blacklist = trust_entry.get('ipantsidblacklistincoming')
for entry in entries:
- sid = entry['ipanttrusteddomainsid'][0]
-
- blacklist = trust_entry.get('ipantsidblacklistincoming')
- if blacklist is None:
+ sid = entry.get('ipanttrusteddomainsid', [None])[0]
+ if sid is None:
continue
if sid in blacklist:
entry['domain_enabled'] = [False]
else:
entry['domain_enabled'] = [True]
return truncated
"""
Again, you can use `entry.single_value.get('ipanttrusteddomainsid',
None)` to test/get the attribute value
4.)
"""
def add_new_domains_from_trust(myapi, trustinstance, trust_entry,
domains, **options):
result = []
if not domains:
return result
trust_name = trust_entry['cn'][0]
# trust range must exist by the time add_new_domains_from_trust is
called
range_name = trust_name.upper() + '_id_range'
old_range = myapi.Command.idrange_show(range_name, raw=True)['result']
idrange_type = old_range['iparangetype'][0]
- for dom in domains:
+ suffixes = list()
+ suffixes.extend(y['cn'] for x,y in domains['suffixes'].iteritems()
if x not in domains['domains'])
+
+ for dom in domains['domains'].itervalues():
dom['trust_type'] = u'ad'
"""
iterkeys/itervalues are not Python 3 compatible, please use
`keys()/values()` and do not worry about performance implications in
Python 2.
5.)
"""
result.append(res['result'])
- if idrange_type != u'ipa-ad-trust-posix':
+ if idrange_type != u'ipa-ad-trust-posix' and
dom.get('ipanttrusteddomainsid', False):
range_name = name.upper() + '_id_range'
"""
Just a nitpick, I am confused by the 'False' default when getting the
value of 'ipanttrusteddomainsid' (which is a string I presume). You
could put an empty string/list there since empty sequences evaluate to
False.
6.)
"""
pass
+
+ try:
+ dn = myapi.Object.trust.get_dn(trust_name, trust_type=u'ad')
+ ldap = myapi.Backend.ldap2
+ entry = ldap.get_entry(dn)
+ tlns = list(entry.get('ipantadditionalsuffixes', []))
+ tlns.extend(x for x in suffixes if x not in tlns)
+ entry['ipantadditionalsuffixes'] = tlns
+ ldap.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
+
"""
On this line:
"""
+ tlns = list(entry.get('ipantadditionalsuffixes', []))
"""
is the additional conversion to list really needed? IIRC for multivalued
attributes you get a list by default.
7.)
"""
dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad')
try:
entry = ldap.get_entry(dn)
- sid = entry['ipanttrusteddomainsid'][0]
+ sid = entry.get('ipanttrusteddomainsid', [None])[0]
"""
the same as in point 3.)
--
Martin^3 Babinsky
More information about the Freeipa-devel
mailing list