#4137 Missing checks during ipa idrange-add
Closed: Fixed None Opened 6 years ago by sbose.

With the following existing idrange

# ipa idrange-show AD18.IPA18.DEVEL_id_range
  Range name: AD18.IPA18.DEVEL_id_range
  First Posix ID of the range: 1670800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory domain range

I can add the following two idranges

# ipa idrange-add test-range --base-id=123456 --rid-base=0 --range-size=10 --dom-sid=S-1-5-21-3090815309-2627318493-3395719201
---------------------------
Added ID range "test-range"
---------------------------
  Range name: test-range
  First Posix ID of the range: 123456
  Number of IDs in the range: 10
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory domain range

and

# ipa idrange-add test-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-3090815309-2627318493-3395719201 --type=ipa-ad-trust-posix
----------------------------
Added ID range "test-range2"
----------------------------
  Range name: test-range2
  First Posix ID of the range: 223456
  Number of IDs in the range: 10
  First RID of the corresponding RID range: 1
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory trust range with POSIX attributes

Both should not be possible. In the first case the RID ranges overlap: since the first RID in the existing idrange is 0 and the size is 200000, the first available RID range can start at 200000.

In the second case (besides the RID issue) an idrange with a different type was added.

Both collisions should be detected and the creation of the new idrange rejected, preferably by the DS plugin which detects the other idrange collisions.
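The two collision rules described in the ticket (RID ranges of the same trusted domain must not overlap, and all ranges for one domain SID must share a type), modelled as an added example. This is illustrative code written for this page, not the ipa-range-check plugin or the FreeIPA Python code; the `IdRange` class, the `RangeViolation` enum and the local range in the sample data are constructed for the example, and the check also covers the plain POSIX ID overlap and secondary RID bases so that it generalises beyond the two cases above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Tuple

# Domain SID from the ticket's CLI output.
TRUSTED_DOM_SID = "S-1-5-21-3090815309-2627318493-3395719201"


class RangeViolation(Enum):
    # Constructed analogue of a result enum for this example; not the plugin's values.
    ID_OVERLAP = "POSIX ID ranges overlap"
    RID_OVERLAP = "RID ranges overlap for the same domain SID"
    TYPE_MISMATCH = "range type differs from existing range for the same domain SID"


@dataclass(frozen=True)
class IdRange:
    """One ID range as shown by `ipa idrange-show` (hypothetical model)."""
    name: str
    base_id: int                     # First Posix ID of the range
    size: int                        # Number of IDs in the range (RIDs covered as well)
    range_type: str                  # CLI --type value: ipa-ad-trust, ipa-ad-trust-posix, ipa-local
    rid_base: Optional[int] = None   # First RID of the corresponding RID range
    secondary_rid_base: Optional[int] = None
    dom_sid: Optional[str] = None    # Domain SID of the trusted domain (None for local ranges)


def intervals_overlap(start_a: int, size_a: int, start_b: int, size_b: int) -> bool:
    """Half-open intervals [start, start + size) intersect."""
    return start_a < start_b + size_b and start_b < start_a + size_a


def rid_intervals(r: IdRange) -> List[Tuple[int, int]]:
    """Primary and secondary RID intervals of a range, each spanning `size` RIDs."""
    out = []
    if r.rid_base is not None:
        out.append((r.rid_base, r.size))
    if r.secondary_rid_base is not None:
        out.append((r.secondary_rid_base, r.size))
    return out


def check_new_range(new: IdRange, existing: Iterable[IdRange]) -> List[RangeViolation]:
    """Return every collision of `new` with `existing`; an empty list means accept."""
    violations: List[RangeViolation] = []
    for old in existing:
        # POSIX IDs are a single global space, regardless of type or domain.
        if intervals_overlap(new.base_id, new.size, old.base_id, old.size):
            violations.append(RangeViolation.ID_OVERLAP)
        # RID-related rules only apply between ranges of the same trusted domain.
        if new.dom_sid is not None and new.dom_sid == old.dom_sid:
            if new.range_type != old.range_type:
                violations.append(RangeViolation.TYPE_MISMATCH)
            if any(intervals_overlap(s1, n1, s2, n2)
                   for s1, n1 in rid_intervals(new)
                   for s2, n2 in rid_intervals(old)):
                violations.append(RangeViolation.RID_OVERLAP)
    # Deduplicate while preserving the order in which problems were found.
    return list(dict.fromkeys(violations))


def first_free_rid_base(existing: Iterable[IdRange], dom_sid: str, size: int) -> int:
    """Lowest RID base at which a range of `size` RIDs fits next to the domain's ranges."""
    taken = sorted(iv for r in existing if r.dom_sid == dom_sid for iv in rid_intervals(r))
    candidate = 0
    # One pass suffices: intervals are sorted by start and candidate only moves upward.
    for start, length in taken:
        if intervals_overlap(candidate, size, start, length):
            candidate = start + length
    return candidate


# Existing ranges: the AD range from the ticket plus a constructed local range.
EXISTING = [
    IdRange("AD18.IPA18.DEVEL_id_range", 1670800000, 200000, "ipa-ad-trust",
            rid_base=0, dom_sid=TRUSTED_DOM_SID),
    IdRange("IPA18.DEVEL_id_range", 1000000, 200000, "ipa-local",        # constructed
            rid_base=1000, secondary_rid_base=100000000),
]

# The two `ipa idrange-add` calls from the ticket, plus one that should be accepted.
TEST_RANGE = IdRange("test-range", 123456, 10, "ipa-ad-trust", rid_base=0, dom_sid=TRUSTED_DOM_SID)
TEST_RANGE2 = IdRange("test-range2", 223456, 10, "ipa-ad-trust-posix", rid_base=1, dom_sid=TRUSTED_DOM_SID)
GOOD_RANGE = IdRange("test-range3", 223456, 10, "ipa-ad-trust", rid_base=200000, dom_sid=TRUSTED_DOM_SID)

if __name__ == "__main__":
    for r in (TEST_RANGE, TEST_RANGE2, GOOD_RANGE):
        problems = check_new_range(r, EXISTING)
        verdict = "rejected: " + "; ".join(v.value for v in problems) if problems else "accepted"
        print(f'ID range "{r.name}": {verdict}')
    print("first free RID base for the trusted domain (size 10):",
          first_free_rid_base(EXISTING, TRUSTED_DOM_SID, 10))
```

Running the block reports `test-range` rejected for the RID overlap, `test-range2` rejected for both the type mismatch and the RID overlap, `test-range3` accepted, and 200000 as the first free RID base, matching the reasoning in the ticket.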


I had a discussion with Alexander; this fix seems too complicated to be added to the 3.3.5 stabilization release. So, to not break it, I would propose to move it to 3.4 or later.

In 3.3.x versions, users need to be careful about overlaps themselves.

Tomas pointed out that the checks are done by ipa-range-check SLAPI plugin. It might be that instead of fixing Python code we actually need to look into a bug in ipa-range-check plugin code.

Sumit will take the review of this one, eventually.

master:

  • 218a261 Extend ipa-range-check DS plugin to handle range types

Regressions found by our CI fixed:

master:

  • 2011392 ipa_range_check: Use special attributes to determine presence of RID bases
  • 2c4d412 ipa_range_check: Connect the new node of the linked list
  • 246e722 ipa_range_check: Make a new copy of forest_root_id attribute for range_info struct
  • 6c8b40a ipa_range_check: Do not fail when no trusted domain is available
  • 91d6886 ipa_range_check: Fix typo when comparing strings using strcasecmp
  • 5e5d481 ipa_range_check: Change range_check return values from int to range_check_result_t enum

ID Range test extended to cover new functionality:

master:

  • 01558a7 ipatests: Extend test suite for ID ranges

Additional fix in master, ipa-4-0, ipa-4-1:

Metadata Update from @sbose:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 - 2014/03
