This depends on Adam's patch 0118.

In meta data make ACI attributes lower-case, sorted. Add possible attributes.

The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups).

To make the list easier to handle sort it and make it all lower-case.

Fix a couple of missed camel-case attributes in the default ACI list.

ticket 641

rob
>From 5e38eed733b1e45c9d1819a9c746c1008df98686 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 20 Dec 2010 23:28:33 -0500
Subject: [PATCH] In meta data make ACI attributes lower-case, sorted. Add possible attributes.

The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).

To make the list easier to handle sort it and make it all lower-case.

Fix a couple of missed camel-case attributes in the default ACI list.

ticket 641
---
 install/share/delegation.ldif |    4 ++--
 ipalib/plugins/baseldap.py    |    9 +++++++--
 ipalib/plugins/group.py       |    1 +
 ipalib/plugins/user.py        |    1 +
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index abd2aae..69050df 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -496,7 +496,7 @@ aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Ad
 aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";;)
 aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";;)
 aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";;)
-aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Group administration
 
@@ -508,7 +508,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFI
 aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";;)
 # We need objectclass and gidnumber in modify so a non-posix group can be
 # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
-aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Host administration
 
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index f8e5445..1a8f10a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -233,6 +233,9 @@ class LDAPObject(Object):
     object_name_plural = 'entries'
     object_class = []
     object_class_config = None
+    # If an objectclass is possible but not default in an entry. Needed for
+    # collecting attributes for ACI UI.
+    possible_objectclasses = []
     search_attributes = []
     search_attributes_config = None
     default_attributes = []
@@ -356,17 +359,19 @@ class LDAPObject(Object):
             objectclasses = config.get(
                 self.object_class_config, objectclasses
             )
+        objectclasses += self.possible_objectclasses
         # Get list of available attributes for this object for use
         # in the ACI UI.
         attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
         attrlist = []
         # Go through the MUST first
         for (oid, attr) in attrs[0].iteritems():
-            attrlist.append(attr.names[0])
+            attrlist.append(attr.names[0].lower())
         # And now the MAY
         for (oid, attr) in attrs[1].iteritems():
-            attrlist.append(attr.names[0])
+            attrlist.append(attr.names[0].lower())
         json_dict['aciattrs'] = attrlist
+        attrlist.sort()
         json_dict['methods'] = [m for m in self.methods]
         return json_dict
 
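Review bot: `objectclasses += self.possible_objectclasses` extends the existing list object in place rather than producing a new one; the assignment that first binds `objectclasses` is above this hunk, and if it aliases `self.object_class` (or the list handed back by `config.get`), every call to this method appends the possible objectclasses to that shared list again, so the object's real objectclass list grows across calls and anything that later creates entries from it would inherit objectclasses meant only for the ACI attribute listing. A non-mutating concatenation avoids this: `objectclasses = objectclasses + self.possible_objectclasses`. A smaller point of style: `attrlist.sort()` runs after `json_dict['aciattrs'] = attrlist` and only works because both names refer to the same list; `json_dict['aciattrs'] = sorted(attrlist)` states the intent directly. The enclosing method starts outside the hunk.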
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 4ba9b61..9fd2400 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -81,6 +81,7 @@ class group(LDAPObject):
     object_name_plural = 'groups'
     object_class = ['ipausergroup']
     object_class_config = 'ipagroupobjectclasses'
+    possible_objectclasses = ['posixGroup', 'mepManagedEntry']
     search_attributes_config = 'ipagroupsearchfields'
     default_attributes = [
         'cn', 'description', 'gidnumber', 'member', 'memberof',
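Review bot: `possible_objectclasses = ['posixGroup', 'mepManagedEntry']` is mixed-case while the sibling `object_class = ['ipausergroup']` two lines above and user.py's `possible_objectclasses = ['meporiginentry']` in this same patch are lower-case; given that the commit's stated purpose is a lower-cased, sorted attribute list, the objectclass names should follow the same convention, `possible_objectclasses = ['posixgroup', 'mepmanagedentry']`. Whether the `schema.attribute_types()` lookup in baseldap.py resolves objectclass names case-insensitively is not visible here, so the inconsistency may be functional rather than purely cosmetic and is worth confirming against that lookup. The `group` class body continues on both sides of the hunk.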
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index f76fbd6..d46f35b 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -63,6 +63,7 @@ class user(LDAPObject):
     object_name_plural = 'users'
     object_class = ['posixaccount']
     object_class_config = 'ipauserobjectclasses'
+    possible_objectclasses = ['meporiginentry']
     search_attributes_config = 'ipausersearchfields'
     default_attributes = [
         'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou',
-- 
1.7.2.1
