Re: [Freeipa-devel] [PATCH 0016] Add RADIUS proxy support to ipalib CLI

Fri, 13 Sep 2013 23:21:59 -0700 

On 13.9.2013 09:21, Jan Cholasta wrote:

Hi,

On 12.9.2013 22:48, Nathaniel McCallum wrote:

On Thu, 2013-09-05 at 00:06 -0400, Nathaniel McCallum wrote:

patch attached


Update for ./makeapi attached.



+        if 'ipatokenradiusconfiglink' in entry_attrs:
+            cl = entry_attrs['ipatokenradiusconfiglink']
+            if not cl:
+                entry_attrs['ipatokenradiususername'] = None
+                if 'ipatokenradiusproxyuser' in
entry_attrs['objectclass']:
+ entry_attrs['objectclass'].remove('ipatokenradiusproxyuser')

Is there are particular reason to remove the object class? I think you
can just leave it there, that is what we do in other plugins.

+            else:
+                if 'ipatokenradiusproxyuser' not in
entry_attrs['objectclass']:
+ entry_attrs['objectclass'].append('ipatokenradiusproxyuser')
+
+                answer = self.api.Command.radius_show(cl)
+                entry_attrs['ipatokenradiusconfiglink'] =
answer['result']['dn']

Please use self.api.Object.radius.get_dn_if_exists(cl) to get the DN
instead of radius_show.

The whole code block should be added to user_add as well.


+        radius = options.get('ipatokenradiusconfiglink', None)
+        if radius is not None:
+            answer = self.api.Command.radius_show(radius)
+            filter = filter.replace('(ipatokenradiusconfiglink=%s)' %
radius,
+                                    '(ipatokenradiusconfiglink=%s)' %
answer['result']['dn'])

Again, use get_dn_if_exists instead of radius_show to get the DN.

As for the filter processing, I think it would be safer to override
args_options_2_entry in user_find and do it in there:

     def args_options_2_entry(self, *keys, **options):
         if 'ipatokenradiusconfiglink' in options:
             options['ipatokenradiusconfiglink'] =
self.api.Object.radius.get_dn(options['ipatokenradiusconfiglink'])
         return super(user_find, self).args_options_2_entry(
... or you can do this in user_find.execute, as there already is something similar done for the "manager" attribute. 




Honza
BTW, I think you should configure the referential integrity plugin so that when a radius object is deleted, all ipatokenradiusconfiglink's to it are deleted as well. 

Honza

--
Jan Cholasta

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to