One of the default_attributes of permission is memberofindirect, a virtual attribute manufactured by ldap2, which is set when a permission is part of a role. When update_entry is called on an entry with memberofindirect, ipaldap tries to add the attribute to LDAP and fails with an objectclass violation.

Do not ask for memberindirect when retrieving the entry.
CCing Honza since he designs ipaldap. Virtual attributes are often helpful, and in any case IPA uses them a lot and having to filter them out every time is error-prone. Maybe we should add support for them directly in ipaldap -- e.g. an attribute set by `entry.virtual[attr_name] = [x]` would be visible in entry[attr_name] but would not be synced back to LDAP?

--
Petr³
From 2449c1e9a589001188fe4085c3d2dd219bdbc4e8 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Fri, 11 Apr 2014 12:09:32 +0200
Subject: [PATCH] Do not ask for memberindirect when updating managed
 permissions

One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.

Do not ask for memberindirect when retrieving the entry.
---
 ipaserver/install/plugins/update_managed_permissions.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index efd87d0d197e463dc07efc8ae7fb9a88c87642a6..3bba1f06e75fc2a0e57bce682827992e31f27708 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -133,7 +133,8 @@ def update_permission(self, ldap, obj, name, template,
         dn = self.api.Object[permission].get_dn(name)
 
         try:
-            attrs_list = self.api.Object[permission].default_attributes
+            attrs_list = list(self.api.Object[permission].default_attributes)
+            attrs_list.remove('memberindirect')
             entry = ldap.get_entry(dn, attrs_list)
             is_new = False
         except errors.NotFound:
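Review bot: the body of the commit message names memberofindirect as the attribute that breaks update_entry, while the subject line and the code remove 'memberindirect'; one of the two is a typo, and if it is the code then the attribute described in the message is still requested and the objectclass violation remains. Also, `attrs_list.remove('memberindirect')` raises ValueError when that name is not in default_attributes, and the surrounding `except errors.NotFound:` does not catch it; a guarded removal (`if 'memberindirect' in attrs_list: attrs_list.remove('memberindirect')`) or a comprehension that drops every virtual attribute would be more robust. Copying default_attributes with `list(...)` before mutating it is right, since the original is shared class state.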
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
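The following is an added illustration, not code from FreeIPA or from ipaldap, of the two ideas in the message above: filtering virtual attributes out of the list passed to get_entry without relying on list.remove, and an entry object whose virtual attributes are readable through entry[name] but never appear in the modification list sent back to LDAP. The class name, the VIRTUAL_ATTRIBUTES set, the helper names and the sample DNs are all assumptions made for this example.

```python
# Added illustration, not FreeIPA's ipaldap code. It sketches the design
# suggested in the message above: an entry whose virtual (server-computed)
# attributes are readable through entry[name] but are kept out of the
# modification list sent to LDAP. Class, attribute set and helper names
# are hypothetical.

# Attributes computed by the directory/ldap2 on read that must never be
# written. This set is an assumption for the example, not FreeIPA's list.
VIRTUAL_ATTRIBUTES = frozenset({'memberof', 'memberofindirect', 'memberindirect'})


def attrs_to_request(default_attributes):
    """Attribute list to pass to get_entry, with virtual attributes removed.

    Unlike list.remove(), this never raises when a name is absent, and it
    filters every known virtual attribute instead of one hard-coded name.
    """
    return [a for a in default_attributes if a.lower() not in VIRTUAL_ATTRIBUTES]


class Entry:
    """Minimal case-insensitive attribute map with a separate virtual store."""

    def __init__(self, dn, attrs=None):
        self.dn = dn
        self._stored = {}   # attributes that really exist on the directory entry
        self.virtual = {}   # computed attributes: visible to readers, never synced
        for name, values in (attrs or {}).items():
            self[name] = values
        # Snapshot of the stored attributes as read, used to compute changes.
        self._orig = {k: list(v) for k, v in self._stored.items()}

    def __getitem__(self, name):
        key = name.lower()
        if key in self.virtual:
            return self.virtual[key]
        return self._stored[key]

    def __setitem__(self, name, values):
        key = name.lower()
        if key in VIRTUAL_ATTRIBUTES:
            self.virtual[key] = list(values)
        else:
            self._stored[key] = list(values)

    def __contains__(self, name):
        key = name.lower()
        return key in self._stored or key in self.virtual

    def keys(self):
        return list(self._stored) + list(self.virtual)

    def modlist(self):
        """Changes to send to LDAP as (op, attr, values); stored attrs only."""
        changes = []
        for key, values in self._stored.items():
            if key not in self._orig:
                changes.append(('add', key, values))
            elif sorted(values) != sorted(self._orig[key]):
                changes.append(('replace', key, values))
        for key in self._orig:
            if key not in self._stored:
                changes.append(('delete', key, []))
        return changes


def update_description(entry, text):
    """Edit one real attribute and return the resulting modlist."""
    entry['description'] = [text]
    return entry.modlist()


def demo():
    # Constructed sample entry, shaped like what get_entry would return:
    # the role membership arrives as the virtual attribute memberofindirect.
    entry = Entry(
        'cn=System: Read Users,cn=permissions,cn=pbac,dc=example,dc=test',
        {
            'cn': ['System: Read Users'],
            'description': ['old text'],
            'memberofindirect': ['cn=helpdesk,cn=roles,cn=accounts,dc=example,dc=test'],
        },
    )
    assert entry['memberofindirect']  # readable like any other attribute
    # The returned modlist touches description only; memberofindirect is
    # never written, so no objectclass violation can arise from it.
    return update_description(entry, 'new text')


if __name__ == '__main__':
    print(demo())
```

The point of the separate `virtual` store is that callers never need to remember which attributes to strip: the plugin in the patch could request default_attributes unchanged and still call update_entry safely, because modlist() only ever diffs `_stored`.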