Exemple #1
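    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                     **options):
        """
        Check a requested change to the ``associateddomain`` list.

        Two mutually exclusive request shapes are handled:

        * ``associateddomain`` is present in ``entry_attrs`` (the ``--domain``
          option named in the error message). The supplied list must contain
          the value returned by ``get_domain_name()``; nothing is read from
          LDAP in this case.
        * ``add_domain`` and/or ``del_domain`` are present. The current list
          is read from LDAP, edited, and stored back into ``entry_attrs``.

        ``force`` only skips the SOA/NS record lookups. The checks that keep
        the IPA server's own domain in the list run regardless of ``force``.

        :param ldap: backend used to read the current entry
        :param dn: DN of the entry being modified
        :param entry_attrs: requested attribute changes; edited in place
        :param attrs_list: not used by this callback
        :param keys: not used by this callback
        :param options: command options; only ``force`` is read here
        :returns: ``dn``, unchanged
        :raises errors.MutuallyExclusiveError: ``--domain`` was combined with
            ``--add-domain`` or ``--del-domain``
        :raises errors.ValidationError: the server's own domain would be
            dropped, or (without ``force``) a domain has no SOA or NS record
        :raises errors.AttrValueNotFound: ``del_domain`` is not in the list
            read from LDAP
        """
        assert isinstance(dn, DN)
        associateddomain = entry_attrs.get('associateddomain')
        add_domain = entry_attrs.get('add_domain')
        del_domain = entry_attrs.get('del_domain')
        force = options.get('force')

        if associateddomain:
            if add_domain or del_domain:
                raise errors.MutuallyExclusiveError(reason=_(
                    "you cannot specify the --domain option together with --add-domain or --del-domain"
                ))
            # Not gated on force: a replacement list may never omit the
            # server's own domain.
            # NOTE(review): exact, case-sensitive membership test; assumes
            # domain values are normalised before this callback - confirm.
            if get_domain_name() not in associateddomain:
                raise errors.ValidationError(
                    name='domain',
                    error=_("cannot delete domain of IPA server"))
            if not force:
                bad_domains = [
                    d for d in associateddomain if not has_soa_or_ns_record(d)
                ]
                if bad_domains:
                    # Interpolate after the _() call so the constant msgid
                    # is what gets looked up in the translation catalogue.
                    raise errors.ValidationError(
                        name='domain',
                        error=_("no SOA or NS records found for domains: %s")
                        % ', '.join(bad_domains))
            return dn

        # If --add-domain or --del-domain options were provided, read
        # the current list from LDAP, modify it, and write the changes back
        domains = ldap.get_entry(dn)['associateddomain']

        if add_domain:
            if not force and not has_soa_or_ns_record(add_domain):
                raise errors.ValidationError(
                    name='add_domain',
                    error=_("no SOA or NS records found for domain %s")
                    % add_domain)
            # add_domain is consumed here and removed from entry_attrs.
            del entry_attrs['add_domain']
            domains.append(add_domain)

        if del_domain:
            # Not gated on force: the server's own domain is never removable.
            if del_domain == get_domain_name():
                raise errors.ValidationError(
                    name='del_domain',
                    error=_("cannot delete domain of IPA server"))
            del entry_attrs['del_domain']
            try:
                domains.remove(del_domain)
            except ValueError:
                raise errors.AttrValueNotFound(attr='associateddomain',
                                               value=del_domain)

        entry_attrs['associateddomain'] = domains
        return dn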
Exemple #2
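    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        """
        Validate an ``associateddomain`` modification before it is applied.

        If ``entry_attrs`` carries ``associateddomain`` (the ``--domain``
        option), the supplied list is validated and ``dn`` is returned
        without reading LDAP. Otherwise ``add_domain`` / ``del_domain`` are
        applied to the list read from LDAP and the result is stored in
        ``entry_attrs['associateddomain']``.

        ``force`` suppresses only the SOA/NS record checks. Removing the
        value returned by ``get_domain_name()`` is refused on both paths
        whether or not ``force`` is set.

        :param ldap: backend used to read the current entry
        :param dn: DN of the entry being modified
        :param entry_attrs: requested attribute changes; edited in place
        :param attrs_list: not used by this callback
        :param keys: not used by this callback
        :param options: command options; only ``force`` is read here
        :returns: ``dn``, unchanged
        :raises errors.MutuallyExclusiveError: ``--domain`` combined with
            ``--add-domain`` or ``--del-domain``
        :raises errors.ValidationError: the server's own domain would be
            removed, or (without ``force``) a domain lacks SOA/NS records
        :raises errors.AttrValueNotFound: ``del_domain`` is not in the
            stored list
        """
        assert isinstance(dn, DN)
        associateddomain = entry_attrs.get('associateddomain')
        add_domain = entry_attrs.get('add_domain')
        del_domain = entry_attrs.get('del_domain')
        force = options.get('force')

        if associateddomain:
            if add_domain or del_domain:
                raise errors.MutuallyExclusiveError(reason=_("you cannot specify the --domain option together with --add-domain or --del-domain"))
            # Applied even with force: the replacement list must keep the
            # server's own domain.
            # NOTE(review): comparison is an exact string match; presumably
            # values are normalised upstream - verify against the caller.
            if get_domain_name() not in associateddomain:
                raise errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server"))
            if not force:
                bad_domains = [d for d in associateddomain if not has_soa_or_ns_record(d)]
                if bad_domains:
                    # Format outside _(): interpolating first would make the
                    # translation lookup use the already-filled string.
                    message = _("no SOA or NS records found for domains: %s") % ', '.join(bad_domains)
                    raise errors.ValidationError(name='domain', error=message)
            return dn

        # If --add-domain or --del-domain options were provided, read
        # the current list from LDAP, modify it, and write the changes back
        domains = ldap.get_entry(dn)['associateddomain']

        if add_domain:
            if not force and not has_soa_or_ns_record(add_domain):
                message = _("no SOA or NS records found for domain %s") % add_domain
                raise errors.ValidationError(name='add_domain', error=message)
            # The helper key is dropped from entry_attrs once it is consumed.
            del entry_attrs['add_domain']
            domains.append(add_domain)

        if del_domain:
            # Applied even with force: the server's own domain stays.
            if del_domain == get_domain_name():
                raise errors.ValidationError(name='del_domain', error=_("cannot delete domain of IPA server"))
            del entry_attrs['del_domain']
            try:
                domains.remove(del_domain)
            except ValueError:
                raise errors.AttrValueNotFound(attr='associateddomain', value=del_domain)

        entry_attrs['associateddomain'] = domains
        return dn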
Exemple #3
    def validate_domains(self, domains, force):
        """
        Check that every entry of ``domains`` may be added to the
        realmdomains list.

        Checks, in order:
        - unless ``force`` is set, each domain has an SOA or NS record
        - no domain is classified as 'foreign' by
          ``detect_dns_zone_realm_type`` (applied even with ``force``)
        - unless ``force`` is set, no domain is classified as 'unknown'

        Raises ``errors.ValidationError`` on the first check that fails;
        returns nothing otherwise.
        """

        # The DNS record lookup is the first check that force switches off.
        if not force:
            missing_records = []
            for name in domains:
                if not has_soa_or_ns_record(name):
                    missing_records.append(name)

            if missing_records:
                message = _("DNS zone for each realmdomain must contain "
                            "SOA or NS records. No records found for: %s") % \
                    ','.join(missing_records)
                raise errors.ValidationError(name='domain', error=message)

        # Classify the realm allegiance of every domain before deciding
        foreign = []
        unknown = []
        for name in domains:
            realm_type = detect_dns_zone_realm_type(self.api, name)
            if realm_type == 'foreign':
                foreign.append(name)
            if realm_type == 'unknown':
                unknown.append(name)

        # Foreign realm domains are refused whether or not force is set
        if foreign:
            message = _('The following domains do not belong '
                        'to this realm: %(domains)s') % \
                dict(domains=','.join(foreign))
            raise errors.ValidationError(name='domain', error=message)

        # Domains whose realm cannot be detected are refused with a request
        # for _kerberos TXT records.
        #
        # Note: This can be forced, since realmdomains-mod
        #       is called from dnszone-add where we know that
        #       the domain being added belongs to our realm
        if unknown and not force:
            message = _('The realm of the following domains could '
                        'not be detected: %(domains)s. If these are '
                        'domains that belong to the this realm, please '
                        'create a _kerberos TXT record containing "%(realm)s" '
                        'in each of them.') % \
                dict(domains=','.join(unknown),
                     realm=self.api.env.realm)
            raise errors.ValidationError(name='domain', error=message)
Exemple #4
    def validate_domains(self, domains, force):
        """
        Validate ``domains`` as candidates for addition to the realmdomains
        list.

        Requirements:
        - Each domain has an SOA or NS record (skipped when ``force`` is set)
        - No domain is reported as 'foreign' by
          ``detect_dns_zone_realm_type`` (never skipped)
        - No domain is reported as 'unknown' (skipped when ``force`` is set)

        A failed requirement raises ``errors.ValidationError``.
        """

        if not force:
            # Collect every domain that fails the SOA/NS lookup so that the
            # error can list them all at once.
            without_records = [
                zone for zone in domains if not has_soa_or_ns_record(zone)
            ]
            if without_records:
                raise errors.ValidationError(
                    name='domain',
                    error=_(
                        "DNS zone for each realmdomain must contain "
                        "SOA or NS records. No records found for: %s"
                    ) % ','.join(without_records)
                )

        # Look up the realm type of each domain once, keeping input order
        realm_types = []
        for zone in domains:
            realm_types.append(
                (zone, detect_dns_zone_realm_type(self.api, zone))
            )

        foreign_domains = [
            zone for zone, kind in realm_types if kind == 'foreign'
        ]
        unknown_domains = [
            zone for zone, kind in realm_types if kind == 'unknown'
        ]

        # A foreign realm domain is rejected regardless of force
        if foreign_domains:
            foreign_args = dict(domains=','.join(foreign_domains))
            raise errors.ValidationError(
                name='domain',
                error=_(
                    'The following domains do not belong '
                    'to this realm: %(domains)s'
                ) % foreign_args
            )

        # Nothing left to check when forced or when every realm was detected.
        #
        # Note: This can be forced, since realmdomains-mod
        #       is called from dnszone-add where we know that
        #       the domain being added belongs to our realm
        if force or not unknown_domains:
            return

        # Undetected realms: error out, asking for _kerberos TXT records
        raise errors.ValidationError(
            name='domain',
            error=_(
                'The realm of the following domains could '
                'not be detected: %(domains)s. If these are '
                'domains that belong to the this realm, please '
                'create a _kerberos TXT record containing "%(realm)s" '
                'in each of them.'
            ) % dict(domains=','.join(unknown_domains),
                     realm=self.api.env.realm)
        )