Hi,
On 16.9.2014 at 19:32, Nathaniel McCallum wrote:
> We perform this enforcement at the API level since:
> * DS level enforcement would be difficult
> * ipatokenUniqueID generation already happens at the API level
> It may be nice in the future to perform enforcement in the DS itself.
> However, the question of the location of enforcement is largely an
> aesthetic issue.
> https://fedorahosted.org/freeipa/ticket/4456
That's a rather beefy check. I would prefer something like this (untested):
from ipalib import errors
from ipalib.request import context

# ldap is the LDAP connection handed to the command's pre_callback. The
# memberof attribute is maintained server-side by the DS memberOf plugin,
# so the filter also covers nested membership in admins.
group_dn = self.api.Object.group.get_dn(u'admins')
filter = ldap.make_filter(
    {'krbprincipalname': context.principal, 'memberof': group_dn},
    ldap.MATCH_ALL)
try:
    ldap.find_entries(
        base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
except errors.NotFound:
    raise errors.ValidationError(name='ipatokenuniqueid',
                                 error='can only be specified by admins')
Honza
--
Jan Cholasta
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
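The check proposed in the message, rebuilt as an added, stand-alone example that is not FreeIPA's own code: it builds the same (&(krbprincipalname=...)(memberof=...)) filter with RFC 4515 value escaping, evaluates it against a constructed in-memory directory instead of 389-DS, and raises the ValidationError when the caller is not in admins. FakeLdap, DIRECTORY, ADMINS_DN, caller_is_admin and require_admin_for_uniqueid are names invented here; the attribute names and the error text follow the thread.

```python
# Added example (not FreeIPA code). Stand-ins for ipalib.errors so the
# block runs without ipalib installed.
class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound."""


class ValidationError(Exception):
    """Stand-in for ipalib.errors.ValidationError(name=..., error=...)."""
    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name, self.error = name, error


MATCH_ALL = '&'   # same meaning as ldap.MATCH_ALL in ipaldap
MATCH_ANY = '|'


def escape_filter_value(value):
    """RFC 4515 escaping. Without it a principal such as '*' would turn the
    membership filter into one that matches any admin entry."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def unescape_filter_value(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\':
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def make_filter(entry_attrs, rules=MATCH_ALL):
    """Build (&(a=v)(b=w)) / (|...) from a dict, escaping every value."""
    parts = ['(%s=%s)' % (k.lower(), escape_filter_value(v))
             for k, v in entry_attrs.items()]
    return parts[0] if len(parts) == 1 else '(%s%s)' % (rules, ''.join(parts))


def _parse(f, i):
    """Tiny recursive-descent parser for the filters make_filter emits."""
    assert f[i] == '('
    i += 1
    if f[i] in '&|':
        op, subs, i = f[i], [], i + 1
        while f[i] == '(':
            node, i = _parse(f, i)
            subs.append(node)
        return (op, subs), i + 1          # skip closing ')'
    j = f.index(')', i)
    attr, _, val = f[i:j].partition('=')
    return ('=', attr, unescape_filter_value(val)), j + 1


def _match(node, entry):
    if node[0] == '=':
        _, attr, val = node
        # Literal, case-insensitive comparison; '*' is not a wildcard here.
        return any(v.lower() == val.lower() for v in entry.get(attr, []))
    op, subs = node
    return (all if op == '&' else any)(_match(s, entry) for s in subs)


ADMINS_DN = 'cn=admins,cn=groups,cn=accounts,dc=example,dc=test'

# Constructed sample directory: one admin and one plain user.
DIRECTORY = [
    {'krbprincipalname': ['admin@EXAMPLE.TEST'], 'memberof': [ADMINS_DN]},
    {'krbprincipalname': ['alice@EXAMPLE.TEST'],
     'memberof': ['cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test']},
]


class FakeLdap:
    """Minimal stand-in for the ipaldap connection used in the thread."""
    def __init__(self, entries):
        self.entries = entries

    def find_entries(self, filter, attrs_list=None, base_dn=None):
        node, _ = _parse(filter, 0)
        hits = [e for e in self.entries if _match(node, e)]
        if not hits:
            raise NotFound()
        return hits, False                # (entries, truncated) like ipaldap


def caller_is_admin(ldap, principal):
    flt = make_filter({'krbprincipalname': principal, 'memberof': ADMINS_DN},
                      MATCH_ALL)
    try:
        ldap.find_entries(filter=flt, attrs_list=[''])
    except NotFound:
        return False
    return True


def require_admin_for_uniqueid(ldap, principal, ipatokenuniqueid=None):
    """The API-level rule: a caller may only pass ipatokenuniqueid when the
    caller's own entry is a member of admins; otherwise the ID is generated."""
    if ipatokenuniqueid is None:
        return None
    if not caller_is_admin(ldap, principal):
        raise ValidationError(name='ipatokenuniqueid',
                              error='can only be specified by admins')
    return ipatokenuniqueid
```

The principal normally comes from the authenticated request context rather than from user input, but escaping the value before it is spliced into the filter is what keeps a principal like `*` or `x)(memberof=...` from widening the match, which is also why ipaldap's make_filter escapes internally.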