When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:

- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
  set of default object classes

https://fedorahosted.org/freeipa/ticket/1893

From 486650c26ae8773b09a2e32e4c12461cbedf3f07 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 11 Oct 2011 10:26:21 +0200
Subject: [PATCH] Improve default user/group object class validation

When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:

- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
  set of default object classes

https://fedorahosted.org/freeipa/ticket/1893
---
 ipalib/plugins/config.py   |   22 ++++++++++++++++++++++
 ipaserver/plugins/ldap2.py |    5 ++++-
 2 files changed, 26 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 7ef6265536672720bea05947f727767e5b5efa3d..48326a8babd2de8a15dbcbcb93d8ee99be567754 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -24,6 +24,10 @@ from ipalib.plugins.baseldap import *
 from ipalib import _
 from ipalib.errors import ValidationError
 
+# 389-ds attributes that should be skipped in attribute checks
+OPERATIONAL_ATTRIBUTES = ('nsaccountlock', 'member', 'memberof',
+    'memberindirect', 'memberofindirect',)
+
 __doc__ = _("""
 Manage the IPA configuration
 
@@ -212,6 +216,24 @@ class config_mod(LDAPUpdate):
                         raise errors.ValidationError(
                             name=k, error='attribute "%s" not allowed' % a
                         )
+
+        for (attr, obj) in (('ipauserobjectclasses', 'user'),
+                            ('ipagroupobjectclasses', 'group')):
+            if attr in entry_attrs:
+                objectclasses = entry_attrs[attr] + self.api.Object[obj].possible_objectclasses
+                new_allowed_attrs = ldap.get_allowed_attributes(objectclasses,
+                                        raise_on_unknown=True)
+                checked_attrs = self.api.Object[obj].default_attributes
+                if self.api.Object[obj].uuid_attribute:
+                    checked_attrs.append(self.api.Object[obj].uuid_attribute)
+                for obj_attr in self.api.Object[obj].default_attributes:
+                    if obj_attr in OPERATIONAL_ATTRIBUTES:
+                        continue
+                    if obj_attr not in new_allowed_attrs:
+                        raise errors.ValidationError(name=attr,
+                                error=_('%s default attribute %s would not be allowed!') \
+                                % (obj, obj_attr))
+
         return dn
 
 api.register(config_mod)
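Review bot: `checked_attrs` at the line assigning `self.api.Object[obj].default_attributes` is an alias of that shared list, not a copy, so the following `checked_attrs.append(uuid_attribute)` mutates the object's default_attributes on every config-mod call (appending the uuid attribute again each time), and the loop then iterates `default_attributes` rather than `checked_attrs`, so the local is never actually used. Change the two lines to `checked_attrs = list(self.api.Object[obj].default_attributes)` and `for obj_attr in checked_attrs:`. The new code also assumes `entry_attrs[attr]` is already a list when it is concatenated with possible_objectclasses; if earlier normalisation in config_mod does not guarantee that, a single string value would raise a TypeError here. config_mod's body starts outside this hunk.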
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index fddfe0f5af8a56f0066aa95ef4e5647b27f00dc4..382cc5760be09ba1633e258342a73adb931f70d4 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -43,6 +43,7 @@ from ldap.controls import LDAPControl
 # for backward compatibility
 from ldap.functions import explode_dn
 from ipalib.dn import DN
+from ipalib import _
 
 import krbV
 
@@ -268,7 +269,7 @@ class ldap2(CrudBackend, Encoder):
         else:
             return None
 
-    def get_allowed_attributes(self, objectclasses):
+    def get_allowed_attributes(self, objectclasses, raise_on_unknown=False):
         if not self.schema:
             self.get_schema()
         allowed_attributes = []
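Review bot: The new `raise_on_unknown` parameter on `get_allowed_attributes` is undocumented, and the function has no docstring at all, so a caller cannot tell from the signature that the flag turns a silently-skipped unknown objectclass into an `errors.NotFound` (raised in the next hunk). A docstring along the lines of `"""Return the lower-cased attribute names allowed by *objectclasses*. Object classes absent from the schema are ignored unless raise_on_unknown is True, in which case errors.NotFound is raised for the first one encountered."""` would close that gap. Since config_mod in this patch passes user-supplied class names with the flag set, the caller surfaces an unknown class as NotFound rather than the ValidationError its other checks raise; documenting that here, or catching NotFound in config_mod and re-raising it as ValidationError, would keep the error contract consistent. The function body continues past this hunk.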
@@ -276,6 +277,8 @@ class ldap2(CrudBackend, Encoder):
             obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc)
             if obj is not None:
                 allowed_attributes += obj.must + obj.may
+            elif raise_on_unknown:
+                raise errors.NotFound(reason=_('objectclass %s not found') % oc)
         return [unicode(a).lower() for a in list(set(allowed_attributes))]
 
     def get_single_value(self, attr):
-- 
1.7.6.4
