def testExpectedHash(self):
sid_str = "S-1-5-21-2153326666-2176343378-3404031434"
seed = 0xdeadbeef
hash_val = pysss_murmur.murmurhash3(sid_str, 0, seed)
self.assertEqual(hash_val, 233162409)
hash_val = pysss_murmur.murmurhash3(sid_str, len(sid_str), seed)
self.assertEqual(hash_val, 93103853)
def testExpectedHash(self):
sid_str = "S-1-5-21-2153326666-2176343378-3404031434"
seed = 0xdeadbeef
hash_val = pysss_murmur.murmurhash3(sid_str, 0, seed)
self.assertEqual(hash_val, 233162409)
hash_val = pysss_murmur.murmurhash3(sid_str, len(sid_str), seed)
self.assertEqual(hash_val, 93103853)
def test_memory_cache_usage(self):
seed = 0xbeefdead
input_str = "test_user1"
input_len = len(input_str)
val_bin = pysss_murmur.murmurhash3(input_str + '\0',
input_len + 1, seed)
self.assertEqual(val_bin, 1198610880)
val_bin = pysss_murmur.murmurhash3(input_str + '\0' * 5,
input_len + 5, seed)
self.assertEqual(val_bin, 2917868047)
def test_memory_cache_usage(self):
seed = 0xbeefdead
input_str = "test_user1"
input_len = len(input_str)
val_bin = pysss_murmur.murmurhash3(input_str + '\0',
input_len + 1, seed)
self.assertEqual(val_bin, 1198610880)
val_bin = pysss_murmur.murmurhash3(input_str + '\0' * 5,
input_len + 5, seed)
self.assertEqual(val_bin, 2917868047)
def calculate_range(domain_sid, slice_num=-1):
idmap_lower = 200000
idmap_upper = 2000200000
rangesize = 200000
autorid_mode = True
new_slice = 0
max_slices = (idmap_upper - idmap_lower) / rangesize
if slice_num != -1:
new_slice = slice_num
min_id = (rangesize * new_slice) + idmap_lower
max_id = min_id + rangesize - 1
else:
if autorid_mode:
orig_slice = 0
else:
hash_val = murmurhash3(domain_sid, len(domain_sid), 0xdeadbeef)
new_slice = hash_val % max_slices
orig_slice = new_slice
min_id = (rangesize * new_slice) + idmap_lower
max_id = min_id + rangesize - 1
return ({
"min": min_id,
"max": max_id,
"first_rid": 0,
"slice_num": new_slice
})
def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
"""LDAP template substitution dict for installer and updater
"""
if idstart is None:
idrange_size = None
subid_base_rid = None
else:
idrange_size = idmax - idstart + 1
subid_base_rid = constants.SUBID_RANGE_START - idrange_size
# uid / gid for autobind
# user is only defined when ipa-server-dns and bind are installed
try:
named_uid = platformconstants.NAMED_USER.uid
named_gid = platformconstants.NAMED_GROUP.gid
except ValueError:
named_uid = None
named_gid = None
return dict(
REALM=realm,
DOMAIN=domain,
SUFFIX=suffix,
ESCAPED_SUFFIX=str(suffix),
FQDN=fqdn,
HOST=fqdn,
LIBARCH=paths.LIBARCH,
TIME=int(time.time()),
FIPS="#" if tasks.is_fips_enabled() else "",
# idstart, idmax, and idrange_size may be None
IDSTART=idstart,
IDMAX=idmax,
IDRANGE_SIZE=idrange_size,
SUBID_COUNT=constants.SUBID_COUNT,
SUBID_RANGE_START=constants.SUBID_RANGE_START,
SUBID_RANGE_SIZE=constants.SUBID_RANGE_SIZE,
SUBID_RANGE_MAX=constants.SUBID_RANGE_MAX,
SUBID_DNA_THRESHOLD=constants.SUBID_DNA_THRESHOLD,
SUBID_BASE_RID=subid_base_rid,
DOMAIN_HASH=murmurhash3(domain, len(domain), 0xdeadbeef),
MAX_DOMAIN_LEVEL=constants.MAX_DOMAIN_LEVEL,
MIN_DOMAIN_LEVEL=constants.MIN_DOMAIN_LEVEL,
STRIP_ATTRS=" ".join(replication.STRIP_ATTRS),
EXCLUDES=(
'(objectclass=*) $ EXCLUDE ' + ' '.join(replication.EXCLUDES)
),
TOTAL_EXCLUDES=(
'(objectclass=*) $ EXCLUDE '
+ ' '.join(replication.TOTAL_EXCLUDES)
),
DEFAULT_SHELL=platformconstants.DEFAULT_SHELL,
DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL,
SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT,
SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER,
NAMED_UID=named_uid,
NAMED_GID=named_gid,
)
def sss_nss_mc_hash(self, key):
input_key = key + '\0'
input_len = len(key) + 1
murmur_hash = pysss_murmur.murmurhash3(input_key, input_len, self.seed)
return murmur_hash % self.hash_size
def sss_nss_mc_hash(self, key):
input_key = key + '\0'
input_len = len(key) + 1
murmur_hash = pysss_murmur.murmurhash3(input_key, input_len, self.seed)
return murmur_hash % self.hash_size
def testExpectedHash(self):
hash = pysss_murmur.murmurhash3("S-1-5-21-2153326666-2176343378-3404031434", 41, 0xdeadbeef)
self.assertEqual(hash, 93103853)
def testExpectedHash(self):
hash = pysss_murmur.murmurhash3("S-1-5-21-2153326666-2176343378-3404031434", 41, 0xdeadbeef)
self.assertEqual(hash, 93103853)
class trust_add(LDAPCreate):
__doc__ = _('''
Add new trust to use.
This command establishes trust relationship to another domain
which becomes 'trusted'. As result, users of the trusted domain
may access resources of this domain.
Only trusts to Active Directory domains are supported right now.
The command can be safely run multiple times against the same domain,
this will cause change to trust relationship credentials on both
sides.
''')
takes_options = LDAPCreate.takes_options + (
StrEnum(
'trust_type',
cli_name='type',
label=_('Trust type (ad for Active Directory, default)'),
values=(u'ad', ),
default=u'ad',
autofill=True,
),
Str(
'realm_admin?',
cli_name='admin',
label=_("Active Directory domain administrator"),
),
Password(
'realm_passwd?',
cli_name='password',
label=_("Active directory domain administrator's password"),
confirm=False,
),
Str(
'realm_server?',
cli_name='server',
label=_(
'Domain controller for the Active Directory domain (optional)'
),
),
Password(
'trust_secret?',
cli_name='trust_secret',
label=_('Shared secret for the trust'),
confirm=False,
),
Int(
'base_id?',
cli_name='base_id',
label=_(
'First Posix ID of the range reserved for the trusted domain'),
),
Int('range_size?',
cli_name='range_size',
label=_('Size of the ID range reserved for the trusted domain'),
default=200000,
autofill=True),
)
msg_summary = _('Added Active Directory trust for realm "%(value)s"')
has_output_params = LDAPCreate.has_output_params + trust_output_params
def execute(self, *keys, **options):
if not _murmur_installed and 'base_id' not in options:
raise errors.ValidationError(name=_('missing base_id'),
error=_('pysss_murmur is not available on the server ' \
'and no base-id is given.'))
if 'trust_type' in options:
if options['trust_type'] == u'ad':
result = self.execute_ad(*keys, **options)
else:
raise errors.ValidationError(name=_('trust type'),
error=_('only "ad" is supported'))
else:
raise errors.RequirementError(name=_('trust type'))
self.add_range(*keys, **options)
trust_filter = "cn=%s" % result['value']
ldap = self.obj.backend
(trusts,
truncated) = ldap.find_entries(base_dn=DN(api.env.container_trusts,
api.env.basedn),
filter=trust_filter)
result['result'] = trusts[0][1]
result['result']['trusttype'] = [
trust_type_string(result['result']['ipanttrusttype'][0])
]
result['result']['trustdirection'] = [
trust_direction_string(result['result']['ipanttrustdirection'][0])
]
result['result']['truststatus'] = [
trust_status_string(result['verified'])
]
del result['verified']
return result
def add_range(self, *keys, **options):
new_obj = api.Command['trust_show'](keys[-1])
dom_sid = new_obj['result']['ipanttrusteddomainsid'][0]
range_name = keys[-1].upper() + '_id_range'
try:
old_range = api.Command['idrange_show'](range_name)
except errors.NotFound, e:
old_range = None
if old_range:
old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0]
if old_dom_sid == dom_sid:
return
raise errors.ValidationError(name=_('range exists'),
error=_('ID range with the same name but different ' \
'domain SID already exists. The ID range for ' \
'the new trusted domain must be created manually.'))
if 'base_id' in options:
base_id = options['base_id']
else:
base_id = 200000 + (pysss_murmur.murmurhash3(
dom_sid, len(dom_sid), 0xdeadbeef) % 10000) * 200000
try:
new_range = api.Command['idrange_add'](
range_name,
ipabaseid=base_id,
ipaidrangesize=options['range_size'],
ipabaserid=0,
ipanttrusteddomainsid=dom_sid)
except Exception, e:
raise errors.ValidationError(
name=_('ID range exists'),
error=_('ID range already exists, must be added manually'))