On 09/05/2013 06:04 AM, Nathaniel McCallum wrote:
patch attached

Thanks, some comments below.

Git complains about trailing whitespace in the patch, please strip it.


From 757436ccc431d26a3e62de830dad0b107a6c48ff Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum<npmccal...@redhat.com>
Date: Wed, 4 Sep 2013 23:35:36 -0400
Subject: [PATCH] Add support for managing user auth types

  ipalib/plugins/config.py | 16 ++++++++++++++++
  ipalib/plugins/user.py   | 32 ++++++++++++++++++++++----------
  2 files changed, 38 insertions(+), 10 deletions(-)

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
@@ -210,6 +218,14 @@ class config_mod(LDAPUpdate):

      def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, 
          assert isinstance(dn, DN)
+        if 'ipauserauthtype' in entry_attrs:
+            if 'objectclass' not in entry_attrs:
+                (_dn, _entry_attrs) = ldap.get_entry(dn, ['objectclass'])
+                entry_attrs['objectclass'] = _entry_attrs['objectclass']
+            if 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
+                entry_attrs['objectclass'].append('ipauserauthtypeclass')

Shouldn't we rather add ipaUserAuthType to the ipaGuiConfig objectclass?

If not, we should still update ipaConfig on IPA update update rather than here; install/updates/50-ipaconfig.update would be a good place.

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
@@ -633,14 +640,19 @@ class user_mod(LDAPUpdate):
              entry_attrs['userpassword'] = ipa_generate_password(user_pwdchars)
              # save the password so it can be displayed in post_callback
              setattr(context, 'randompassword', entry_attrs['userpassword'])
+        if 'objectclass' not in entry_attrs:
+            (_dn, _entry_attrs) = ldap.get_entry(dn, ['objectclass'])
+            entry_attrs['objectclass'] = _entry_attrs['objectclass']

The framework is forcing some pretty ugly code here.
I've filed https://fedorahosted.org/freeipa/ticket/3914 to simplify this in the future.

Just a note, it's no longer necessary to use (_dn, _entry_attrs) here; ldap.get_entry() now returns a dict-like entry directly so you can use:

    _entry = ldap.get_entry(dn, ['objectclass'])
    entry_attrs['objectclass'] = _entry['objectclass']

In fact, unpacking the entry into a tuple returns the DN and the entry object itself. This:
    (dn, entry) = ldap.get_entry(...)
is exactly equivalent to:
    entry = ldap.get_entry(...)
    dn = entry.dn
but the former is deprecated.


Freeipa-devel mailing list

Reply via email to