This depends on Adam's patch 0118.

In meta data make ACI attributes lower-case, sorted. Add possible attributes.


The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups).

To make the list easier to handle sort it and make it all lower-case.

Fix a couple of missed camel-case attributes in the default ACI list.

ticket 641

rob
>From 5e38eed733b1e45c9d1819a9c746c1008df98686 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 20 Dec 2010 23:28:33 -0500
Subject: [PATCH] In meta data make ACI attributes lower-case, sorted. Add possible attributes.

The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).

To make the list easier to handle sort it and make it all lower-case.

Fix a couple of missed camel-case attributes in the default ACI list.

ticket 641
---
 install/share/delegation.ldif |    4 ++--
 ipalib/plugins/baseldap.py    |    9 +++++++--
 ipalib/plugins/group.py       |    1 +
 ipalib/plugins/user.py        |    1 +
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index abd2aae..69050df 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -496,7 +496,7 @@ aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Ad
 aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";;)
 aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";;)
 aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";;)
-aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Group administration
 
@@ -508,7 +508,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFI
 aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";;)
 # We need objectclass and gidnumber in modify so a non-posix group can be
 # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
-aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Host administration
 
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index f8e5445..1a8f10a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -233,6 +233,9 @@ class LDAPObject(Object):
     object_name_plural = 'entries'
     object_class = []
     object_class_config = None
+    # If an objectclass is possible but not default in an entry. Needed for
+    # collecting attributes for ACI UI.
+    possible_objectclasses = []
     search_attributes = []
     search_attributes_config = None
     default_attributes = []
@@ -356,17 +359,19 @@ class LDAPObject(Object):
             objectclasses = config.get(
                 self.object_class_config, objectclasses
             )
+        objectclasses += self.possible_objectclasses
         # Get list of available attributes for this object for use
         # in the ACI UI.
         attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
         attrlist = []
         # Go through the MUST first
         for (oid, attr) in attrs[0].iteritems():
-            attrlist.append(attr.names[0])
+            attrlist.append(attr.names[0].lower())
         # And now the MAY
         for (oid, attr) in attrs[1].iteritems():
-            attrlist.append(attr.names[0])
+            attrlist.append(attr.names[0].lower())
         json_dict['aciattrs'] = attrlist
+        attrlist.sort()
         json_dict['methods'] = [m for m in self.methods]
         return json_dict
 
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 4ba9b61..9fd2400 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -81,6 +81,7 @@ class group(LDAPObject):
     object_name_plural = 'groups'
     object_class = ['ipausergroup']
     object_class_config = 'ipagroupobjectclasses'
+    possible_objectclasses = ['posixGroup', 'mepManagedEntry']
     search_attributes_config = 'ipagroupsearchfields'
     default_attributes = [
         'cn', 'description', 'gidnumber', 'member', 'memberof',
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index f76fbd6..d46f35b 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -63,6 +63,7 @@ class user(LDAPObject):
     object_name_plural = 'users'
     object_class = ['posixaccount']
     object_class_config = 'ipauserobjectclasses'
+    possible_objectclasses = ['meporiginentry']
     search_attributes_config = 'ipausersearchfields'
     default_attributes = [
         'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou',
-- 
1.7.2.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to