Rob Crittenden wrote:
Jakub Hrozek wrote:
On Mon, Nov 01, 2010 at 12:08:36PM -0400, Rob Crittenden wrote:
Make sure a detached group has the default list of objectclasses.
ipaUniqueId is handled by the new uuid plugin.

https://fedorahosted.org/freeipa/ticket/250

rob

I haven't fully tested the patch yet, but this caught my attention:

+ (group_dn, group_attrs) = ldap.get_entry(group_dn)
+ is_managed = self.obj.has_objectclass(group_attrs['objectclass'], '')

I think that is_managed is guaranteed to be False in this case, since
has_objectclass would do:

return '' in group_attrs['objectclass']

Gah! Good catch, that should be mepManagedBy. Can you fix this and
continue testing?

rob

I rebased this and fixed this error (I rebased it with patches 604 and 607 on my tree in case that makes a difference).

To test this do:

# ipa user-add --first=Tim --last=User tuser
# ipa group-show tuser --all
[ note the objectclasses ]
# ipa group-detach tuser
# ipa group-show --all tuser

It should now be a full POSIX group with an ipaUniqueId and a full set of objectclasses. You should be able to add a user to it.

# ipa group-add-member --users=tuser tuser

rob
>From a54b25044426cf70477efa11a0eb7a32e8f47f59 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 1 Nov 2010 12:05:53 -0400
Subject: [PATCH] Give a detached group a full set of group objectclasses.

The UUID plugin handles adding ipaUniqueId for us as well as the access
control for it.

ticket 250
---
 install/share/default-aci.ldif |    2 +-
 ipalib/plugins/baseldap.py     |    4 ++++
 ipalib/plugins/group.py        |   29 +++++++++++++++++++++--------
 3 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index e03c65c..2805e2f 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId || memberOf || serverHostName")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/chang...@$realm,cn=$REALM,cn=kerberos,$SUFFIX";;)
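Review bot: Dropping `ipaUniqueId` from the targetattr exclusion list of the "Admin can manage any entry" ACI widens what admins can write: from this file alone, admins now get `allow (all)` on ipaUniqueId, and the claim in the commit message that the uuid plugin enforces its own access control is not visible in the diff, so it should be verified against that plugin before merging. The same line also adds `enrolledBy` to the exclusion list, which the commit message does not mention at all; the description should state why enrolledBy becomes admin-unwritable here, since it is an unrelated access-control change bundled into a "detached group objectclasses" commit. A short `# ipaUniqueId is protected by the uuid plugin; enrolledBy is set only by enrollment` comment above the aci line would also keep the intent discoverable in the LDIF itself.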
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 6bf9b3b..1b56cc4 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -234,6 +234,10 @@ class LDAPObject(Object):
             if parent_obj.primary_key:
                 yield parent_obj.primary_key.clone(query=True)
 
+    def has_objectclass(self, classes, objectclass):
+        oc = map(lambda x:x.lower(),classes)
+        return objectclass.lower() in oc
+
     def convert_attribute_members(self, entry_attrs, *keys, **options):
         if options.get('raw', False):
             return
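Review bot: has_objectclass is added without a docstring and with a lambda where a comprehension reads better; the lowercase compare is the whole point of the helper (LDAP objectclass names are case-insensitive) and deserves saying. I'd write it as `"""Return True if *objectclass* is in *classes*, compared case-insensitively (LDAP objectclass names are not case-sensitive)."""` followed by `return objectclass.lower() in [c.lower() for c in classes]`. Since it reads no instance state it could also be a `@staticmethod`, which keeps `self.obj.has_objectclass(...)` working for the callers in group.py.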
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 1994c01..5ecc72a 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -291,23 +291,28 @@ class group_detach(LDAPRemoveMember):
         group_dn = self.obj.get_dn(*keys, **options)
         user_dn = self.api.Object['user'].get_dn(*keys)
 
+        (user_dn, user_attrs) = ldap.get_entry(user_dn)
+        is_managed = self.obj.has_objectclass(user_attrs['objectclass'], 'mepmanagedentry')
         if (not ldap.can_write(user_dn, "objectclass") or
-            not ldap.can_write(user_dn, "mepManagedEntry")):
+            not (ldap.can_write(user_dn, "mepManagedEntry")) and is_managed):
             raise errors.ACIError(info=_('not allowed to modify user entries'))
 
+        (group_dn, group_attrs) = ldap.get_entry(group_dn)
+        is_managed = self.obj.has_objectclass(group_attrs['objectclass'], 'mepmanagedby')
         if (not ldap.can_write(group_dn, "objectclass") or
-            not ldap.can_write(group_dn, "mepManagedBy")):
+            not (ldap.can_write(group_dn, "mepManagedBy")) and is_managed):
             raise errors.ACIError(info=_('not allowed to modify group entries'))
 
-        (user_dn, user_attrs) = ldap.get_entry(user_dn)
         objectclasses = user_attrs['objectclass']
         try:
             i = objectclasses.index('mepOriginEntry')
+            del objectclasses[i]
+            update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
+            ldap.update_entry(user_dn, update_attrs)
         except ValueError:
-            raise NotFound(reason=_('Not a managed group'))
-        del objectclasses[i]
-        update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
-        ldap.update_entry(user_dn, update_attrs)
+            # Somehow the user isn't managed, let it pass for now. We'll
+            # let the group throw "Not managed".
+            pass
 
         (group_dn, group_attrs) = ldap.get_entry(group_dn)
         objectclasses = group_attrs['objectclass']
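Review bot: The objectclass names passed to has_objectclass on the two new is_managed lines do not match the ones this same method searches for a few lines later: the user entry is checked for `mepmanagedentry`, yet the `objectclasses.index('mepOriginEntry')` call below expects the user to carry mepOriginEntry, and the group entry is checked for `mepmanagedby` (which the update dict below treats as an attribute, not an objectclass) while the second hunk's `index('mepManagedEntry')` expects the group to carry mepManagedEntry. If those later names are the right ones, both is_managed values are always False, the `and is_managed` clause short-circuits, and the can_write checks on mepManagedEntry/mepManagedBy never run — the client-side authorization check is silently disabled and a caller lacking those rights only fails later inside update_entry with a less specific error. I'd change the two lines to `is_managed = self.obj.has_objectclass(user_attrs['objectclass'], 'mepOriginEntry')` and `is_managed = self.obj.has_objectclass(group_attrs['objectclass'], 'mepManagedEntry')`, and spell the conditions as `(is_managed and not ldap.can_write(user_dn, "mepManagedEntry"))` so the and/or precedence is explicit rather than relying on the stray parentheses. The enclosing execute method begins before this hunk, and the unchanged `ldap.get_entry(group_dn)` at the end of the hunk now re-reads an entry the new code fetched a few lines earlier.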
@@ -315,8 +320,16 @@ class group_detach(LDAPRemoveMember):
             i = objectclasses.index('mepManagedEntry')
         except ValueError:
             # this should never happen
-            raise NotFound(reason=_('Not a managed group'))
+            raise errors.NotFound(reason=_('Not a managed group'))
         del objectclasses[i]
+
+        # Make sure the resulting group has the default group objectclasses
+        config = ldap.get_ipa_config()[1]
+        def_objectclass = config.get(
+            self.obj.object_class_config, objectclasses
+        )
+        objectclasses = list(set(def_objectclass + objectclasses))
+
         update_attrs = {'objectclass': objectclasses, 'mepManagedBy': None}
         ldap.update_entry(group_dn, update_attrs)
 
-- 
1.7.3.1

