Import Upstream version 4.12.4

2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions
--- a/ipaserver/install/plugins/add_admin_krbcanonicalname.py
+++ b/ipaserver/install/plugins/add_admin_krbcanonicalname.py
@@ -0,0 +1,79 @@
+#
+# Copyright (C) 2025  FreeIPA Contributors see COPYING for license
+#
+
+from __future__ import absolute_import
+
+import logging
+
+from ipalib import errors
+from ipalib import Registry
+from ipalib import Updater
+from ipapython.dn import DN
+
+logger = logging.getLogger(__name__)
+
+register = Registry()
+
+
+@register()
+class add_admin_krbcanonicalname(Updater):
+    """
+    Ensures that only the admin user has the krbCanonicalName of
+    admin@$REALM.
+    """
+
+    def execute(self, **options):
+        ldap = self.api.Backend.ldap2
+
+        search_filter = (
+            "(krbcanonicalname=admin@{})".format(self.api.env.realm))
+        try:
+            (entries, _truncated) = ldap.find_entries(
+                filter=search_filter, base_dn=self.api.env.basedn,
+                time_limit=0, size_limit=0)
+        except errors.EmptyResult:
+            logger.debug("add_admin_krbcanonicalname: No user set with "
+                         "admin krbcanonicalname")
+            entries = []
+            # fall through
+        except errors.ExecutionError as e:
+            logger.error("add_admin_krbcanonicalname: Can not get list "
+                         "of krbcanonicalname: %s", e)
+            return False, []
+
+        admin_set = False
+        # admin should be only user with admin@ as krbcanonicalname
+        # It has a uniquness setting so there can be only one, we
+        # just didn't automatically set it for admin.
+        for entry in entries:
+            if entry.single_value.get('uid') != 'admin':
+                logger.critical(
+                    "add_admin_krbcanonicalname: "
+                    "entry %s has a krbcanonicalname of admin. Removing.",
+                    entry.dn)
+                del entry['krbcanonicalname']
+                ldap.update_entry(entry)
+            else:
+                admin_set = True
+
+        if not admin_set:
+            dn = DN(
+                ('uid', 'admin'),
+                self.api.env.container_user,
+                self.api.env.basedn)
+            entry = ldap.get_entry(dn)
+            entry['krbcanonicalname'] = 'admin@%s' % self.api.env.realm
+            try:
+                ldap.update_entry(entry)
+            except errors.DuplicateEntry:
+                logger.critical(
+                    "add_admin_krbcanonicalname: "
+                    "Failed to set krbcanonicalname on admin. It is set "
+                    "on another entry.")
+            except errors.ExecutionError as e:
+                logger.critical(
+                    "add_admin_krbcanonicalname: "
+                    "Failed to set krbcanonicalname on admin: %s", e)
+
+        return False, []