On Tue, 2011-10-11 at 13:57 +0300, Alexander Bokovoy wrote: > On Tue, 11 Oct 2011, Martin Kosek wrote: > > This was done on purpose. When you combine 2 lists in Python using + > > operator, a new list is created without modifying the old one. Check the > > following example: > > > > >>> a = [1,2,3] > > >>> b = [4] > > >>> c = a+b > > >>> print c > > [1, 2, 3, 4] > > >>> print a > > [1, 2, 3] > > >>> print b > > [4] > > >>> c.append(5) > > >>> print c > > [1, 2, 3, 4, 5] > > >>> print a > > [1, 2, 3] > > >>> print b > > [4] > Sorry, but this is not our case: > >>> a = [1,2,3] > >>> b = a > >>> b += [4] > >>> print a > [1, 2, 3, 4] > >>> print b > [1, 2, 3, 4] >
You are right. This is an important Python lesson for me. For lists, c = c + a is NOT equivalent to c += a (as it is in C): the first rebinds c to a freshly built list, while the second mutates the existing list in place, which every other name bound to that list also sees. Behold: >>> a=[1,2,3] >>> b=a >>> b = b + [4] >>> a [1, 2, 3] >>> b [1, 2, 3, 4] >>> >>> >>> a=[1,2,3] >>> b=a >>> b+= [4] >>> a [1, 2, 3, 4] >>> b [1, 2, 3, 4] Updated patch attached. Martin
>From 5d02e0ac2cbf1ea6fcb41195a3db90e211ed1912 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Tue, 11 Oct 2011 10:26:21 +0200 Subject: [PATCH] Improve default user/group object class validation When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893 --- ipalib/plugins/config.py | 23 +++++++++++++++++++++++ ipaserver/plugins/ldap2.py | 5 ++++- 2 files changed, 27 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 7ef6265536672720bea05947f727767e5b5efa3d..aa0c19d2d5512dfdf69b26017606764f98ee39a7 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -24,6 +24,10 @@ from ipalib.plugins.baseldap import * from ipalib import _ from ipalib.errors import ValidationError +# 389-ds attributes that should be skipped in attribute checks +OPERATIONAL_ATTRIBUTES = ('nsaccountlock', 'member', 'memberof', + 'memberindirect', 'memberofindirect',) + __doc__ = _(""" Manage the IPA configuration 
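Review bot: The comment above `OPERATIONAL_ATTRIBUTES` says these are 389-ds attributes to skip but not why each one is exempt, and the tuple appears to mix different cases: `nsaccountlock` and `memberof` look server-maintained, `memberindirect`/`memberofindirect` look like IPA-computed names that never appear in the LDAP schema, and `member` is an ordinary schema attribute (groupOfNames). Because `member` is exempted, a group objectclass list that drops groupOfNames would pass the new check in config_mod; if that is intended, the comment should say so. Suggested comment: `# Attributes exempt from the default-attribute check: maintained by the server or its plugins (nsaccountlock, memberof), computed by IPA and absent from the schema (memberindirect, memberofindirect), or deliberately not enforced (member — state the reason here)`.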
@@ -212,6 +216,25 @@ class config_mod(LDAPUpdate): raise errors.ValidationError( name=k, error='attribute "%s" not allowed' % a ) + + for (attr, obj) in (('ipauserobjectclasses', 'user'), + ('ipagroupobjectclasses', 'group')): + if attr in entry_attrs: + objectclasses = list(set(entry_attrs[attr] \ + + self.api.Object[obj].possible_objectclasses)) + new_allowed_attrs = ldap.get_allowed_attributes(objectclasses, + raise_on_unknown=True) + checked_attrs = self.api.Object[obj].default_attributes + if self.api.Object[obj].uuid_attribute: + checked_attrs = checked_attrs + [self.api.Object[obj].uuid_attribute] + for obj_attr in checked_attrs: + if obj_attr in OPERATIONAL_ATTRIBUTES: + continue + if obj_attr not in new_allowed_attrs: + raise errors.ValidationError(name=attr, + error=_('%s default attribute %s would not be allowed!') \ + % (obj, obj_attr)) + return dn api.register(config_mod) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index fddfe0f5af8a56f0066aa95ef4e5647b27f00dc4..382cc5760be09ba1633e258342a73adb931f70d4 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -43,6 +43,7 @@ from ldap.controls import LDAPControl # for backward compatibility from ldap.functions import explode_dn from ipalib.dn import DN +from ipalib import _ import krbV @@ -268,7 +269,7 @@ class ldap2(CrudBackend, Encoder): else: return None - def get_allowed_attributes(self, objectclasses): + def get_allowed_attributes(self, objectclasses, raise_on_unknown=False): if not self.schema: self.get_schema() allowed_attributes = [] @@ -276,6 +277,8 @@ class ldap2(CrudBackend, Encoder): obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc) if obj is not None: allowed_attributes += obj.must + obj.may + elif raise_on_unknown: + raise errors.NotFound(reason=_('objectclass %s not found') % oc) return [unicode(a).lower() for a in list(set(allowed_attributes))] def get_single_value(self, attr): -- 1.7.6.4
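Review bot: `entry_attrs[attr] + self.api.Object[obj].possible_objectclasses` in the new block raises a TypeError if the framework hands in `None` for an attribute that is being cleared (which is how ldap2 represents deleted values, if I read the IPA conventions right), so clearing `ipauserobjectclasses` would surface as an internal error rather than a validation error; `new_ocs = entry_attrs[attr] or []` before the concatenation, or an explicit `errors.ValidationError(name=attr, error=_('must not be empty'))`, would close that. Related: `get_allowed_attributes(..., raise_on_unknown=True)` raises `errors.NotFound` for an unknown objectclass (see the ldap2.py hunk at -276), whereas every other rejection in this callback is a `ValidationError`; catching it here and re-raising as `errors.ValidationError(name=attr, error=unicode(e))` would give the client one consistent error type for bad config input. `checked_attrs = checked_attrs + [...]` is the fix the thread above discusses, but nothing in the code says why it is written that way; a comment such as `# + builds a new list: += here would mutate the shared Object.default_attributes` would stop a later cleanup from reintroducing the aliasing bug. The enclosing pre_callback starts outside the hunk.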
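Review bot: The new `raise_on_unknown` keyword on `get_allowed_attributes` is undocumented, and the method had no docstring before, so a caller cannot tell what "unknown" means or which exception to expect. A docstring along these lines would fix that: return the lower-cased MUST and MAY attribute names for the given objectclass names, loading the schema on first use; objectclass names not present in the schema are silently skipped unless `raise_on_unknown` is true, in which case `errors.NotFound` is raised for the first unknown name. The method body continues in the next hunk.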