This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.
After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.
You can do this for example:
# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins
# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global
# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
Pavel
>From 19975e5e2ceb3a3f9fd18be0f3fafe8f42aa626c Mon Sep 17 00:00:00 2001
From: Pavel Zuna <pz...@redhat.com>
Date: Tue, 4 Jan 2011 15:15:54 -0500
Subject: [PATCH 1/2] Improve filtering of enrollments search results.
This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.
After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.
You can do this for example:
# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins
# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global
# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
---
ipalib/plugins/baseldap.py | 57 ++++++++++++++++++++++++++++++++++++-------
ipalib/plugins/group.py | 2 +-
ipalib/plugins/host.py | 7 ++++-
ipalib/plugins/hostgroup.py | 2 +-
ipalib/plugins/netgroup.py | 11 +++++++-
ipalib/plugins/user.py | 2 +
6 files changed, 68 insertions(+), 13 deletions(-)
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1cd181c..d38da89 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -234,6 +234,15 @@ class LDAPObject(Object):
rdnattr = None
# Can bind as this entry (has userPassword or krbPrincipalKey)
bindable = False
+ relationships = {
+ # attribute: (label, inclusive param prefix, exclusive param prefix)
+ 'member': ('Member', '', 'no_'),
+ 'memberof': ('Parent', 'in_', 'not_in_'),
+ 'memberindirect': (
+ 'Indirect Member', None, 'no_indirect_'
+ ),
+ }
+ label = _('Entry')
container_not_found_msg = _('container entry (%(container)s) not found')
parent_not_found_msg = _('%(parent)s: %(oname)s not found')
@@ -343,7 +352,7 @@ class LDAPObject(Object):
'parent_object', 'container_dn', 'object_name', 'object_name_plural',
'object_class', 'object_class_config', 'default_attributes', 'label',
'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name',
- 'takes_params', 'rdn_attribute', 'bindable',
+ 'takes_params', 'rdn_attribute', 'bindable', 'relationships',
)
def __json__(self):
@@ -1195,7 +1204,8 @@ class LDAPSearch(CallbackInterface, crud.Search):
Retrieve all LDAP entries matching the given criteria.
"""
member_attributes = []
- member_param_doc = 'exclude %s with member %s (comma-separated list)'
+ member_param_incl_doc = 'only %s with %s %s'
+ member_param_excl_doc = 'only %s with no %s %s'
takes_options = (
Int('timelimit?',
@@ -1227,21 +1237,50 @@ class LDAPSearch(CallbackInterface, crud.Search):
for attr in self.member_attributes:
for ldap_obj_name in self.obj.attribute_members[attr]:
ldap_obj = self.api.Object[ldap_obj_name]
- name = to_cli(ldap_obj_name)
- doc = self.member_param_doc % (
- self.obj.object_name_plural, ldap_obj.object_name_plural
+ relationship = self.obj.relationships.get(
+ attr, ['member', '', 'no_']
+ )
+ doc = self.member_param_incl_doc % (
+ self.obj.object_name_plural, relationship[0].lower(),
+ ldap_obj.object_name_plural
+ )
+ name = '%s%s' % (relationship[1], to_cli(ldap_obj_name))
+ yield List(
+ '%s?' % name, cli_name='%ss' % name, doc=doc,
+ label=ldap_obj.object_name
+ )
+ doc = self.member_param_excl_doc % (
+ self.obj.object_name_plural, relationship[0].lower(),
+ ldap_obj.object_name_plural
+ )
+ name = '%s%s' % (relationship[2], to_cli(ldap_obj_name))
+ yield List(
+ '%s?' % name, cli_name='%ss' % name, doc=doc,
+ label=ldap_obj.object_name
)
- yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc,
- label=ldap_obj.object_name)
def get_member_filter(self, ldap, **options):
filter = ''
for attr in self.member_attributes:
for ldap_obj_name in self.obj.attribute_members[attr]:
- param_name = 'no_%s' % to_cli(ldap_obj_name)
+ ldap_obj = self.api.Object[ldap_obj_name]
+ relationship = self.obj.relationships.get(
+ attr, ['member', '', 'no_']
+ )
+ param_name = '%s%s' % (relationship[1], to_cli(ldap_obj_name))
+ if param_name in options:
+ dns = []
+ for pkey in options[param_name]:
+ dns.append(ldap_obj.get_dn(pkey))
+ flt = ldap.make_filter_from_attr(
+ attr, dns, ldap.MATCH_ALL
+ )
+ filter = ldap.combine_filters(
+ (filter, flt), ldap.MATCH_ALL
+ )
+ param_name = '%s%s' % (relationship[2], to_cli(ldap_obj_name))
if param_name in options:
dns = []
- ldap_obj = self.api.Object[ldap_obj_name]
for pkey in options[param_name]:
dns.append(ldap_obj.get_dn(pkey))
flt = ldap.make_filter_from_attr(
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 9fd2400..ecf5453 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -213,7 +213,7 @@ class group_find(LDAPSearch):
"""
Search for groups.
"""
- member_attributes = ['member']
+ member_attributes = ['member', 'memberof']
msg_summary = ngettext(
'%(count)d group matched', '%(count)d groups matched', 0
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 701996b..821673f 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -170,6 +170,11 @@ class host(LDAPObject):
'managedby': ['host'],
}
bindable = True
+ relationships = {
+ 'memberof': ('Parent', 'in_', 'not_in_'),
+ 'enrolledby': ('Enrolled by', 'enroll_by_', 'not_enroll_by_'),
+ 'managedby': ('Managed by', 'man_by_', 'not_man_by_'),
+ }
label = _('Hosts')
@@ -568,7 +573,7 @@ class host_find(LDAPSearch):
msg_summary = ngettext(
'%(count)d host matched', '%(count)d hosts matched'
)
- member_attributes = ['managedby']
+ member_attributes = ['memberof', 'enrolledby', 'managedby']
def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
if 'locality' in attrs_list:
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index db270ae..082e4ef 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -123,7 +123,7 @@ class hostgroup_find(LDAPSearch):
"""
Search for hostgroups.
"""
- member_attributes = ['member']
+ member_attributes = ['member', 'memberof']
msg_summary = ngettext(
'%(count)d hostgroup matched', '%(count)d hostgroups matched'
)
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index 83e6999..ce9a51b 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -85,6 +85,15 @@ class netgroup(LDAPObject):
'memberuser': ['user', 'group'],
'memberhost': ['host', 'hostgroup'],
}
+ relationships = {
+ 'member': ('Member', '', 'no_'),
+ 'memberof': ('Parent', 'in_', 'not_in_'),
+ 'memberindirect': (
+ 'Indirect Member', None, 'no_indirect_'
+ ),
+ 'memberuser': ('Member', '', 'no_'),
+ 'memberhost': ('Member', '', 'no_'),
+ }
label = _('Net Groups')
@@ -171,7 +180,7 @@ class netgroup_find(LDAPSearch):
"""
Search for a netgroup.
"""
- member_attributes = ['member', 'memberuser', 'memberhost']
+ member_attributes = ['member', 'memberuser', 'memberhost', 'memberof']
has_output_params = LDAPSearch.has_output_params + output_params
msg_summary = ngettext(
'%(count)d netgroup matched', '%(count)d netgroups matched'
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 9ccd216..30abf49 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -315,6 +315,7 @@ class user_find(LDAPSearch):
"""
Search for users.
"""
+ member_attributes = ['memberof']
takes_options = LDAPSearch.takes_options + (
Flag('whoami',
@@ -322,6 +323,7 @@ class user_find(LDAPSearch):
doc=_('Display user record for current Kerberos principal'),
),
)
+
def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *keys, **options):
if options.get('whoami'):
return ("(&(objectclass=posixaccount)(krbprincipalname=%s))"%\
--
1.7.1.1
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
