On 09/17/2014 08:51 AM, Jan Cholasta wrote:
> Hi,
>
> On 16.9.2014 at 19:32 Nathaniel McCallum wrote:
>> We perform this enforcement at the API level since:
>> * DS level enforcement would be difficult
>> * ipatokenUniqueID generation already happens at the API level
>>
>> It may be nice in the future to perform enforcement in the DS itself.
>> However, the question of the location of enforcement is largely an
>> aesthetic issue.
>>
>> https://fedorahosted.org/freeipa/ticket/4456
>
> That's a rather beefy check. I would prefer something like this (untested):
>
>     # look up the caller's principal in the admins group with one search
>     group_dn = self.api.Object.group.get_dn(u'admins')
>     filter = ldap.make_filter(
>         {'krbprincipalname': context.principal, 'memberof': group_dn},
>         ldap.MATCH_ALL)
>     try:
>         ldap.find_entries(
>             base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
>     except errors.NotFound:
>         raise errors.ValidationError(name='ipatokenuniqueid',
>                                      error='can only be specified by admins')
>
> Honza
>
Also, do we want to hard-code it to the admins group only? Wouldn't it be more flexible to create a new Virtual Operation and let the realm admin configure who can change the UID? See Jan's patch d6fb110b77e2c585f0bfc5eb11b0187a43263fa1 for an example of how that's done.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
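The check debated in this thread, as an added example that is not FreeIPA code and not from any participant: it builds the same two-term membership filter Jan's snippet gets from ldap.make_filter(), with the RFC 4515 value escaping written out so it is visible why the caller's principal must not be pasted into the filter raw, and runs it against a constructed in-memory directory in place of 389 DS. The allowed_group_dn parameter models Martin's point that the group should be configurable rather than fixed to admins. All names (escape_filter_value, make_membership_filter, Directory, validate_unique_id), DNs and principals are assumptions for the demonstration.

```python
# Added example, not FreeIPA's code: the "ipatokenuniqueid only by admins"
# check from the thread, against a constructed in-memory directory.
# Function and class names, DNs and principals are assumptions for the demo.

import re

# Constructed sample DNs; they mirror FreeIPA's layout but are made up.
ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=example,dc=test"
OTP_ADMINS_DN = "cn=otpadmins,cn=groups,cn=accounts,dc=example,dc=test"


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.

    ldap.make_filter() does this inside FreeIPA; it is spelled out here
    because an unescaped principal could otherwise change the filter's
    structure (close a parenthesis early and add its own term).
    """
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def make_membership_filter(principal, group_dn):
    """Build (&(krbprincipalname=<principal>)(memberof=<group_dn>))."""
    return "(&(krbprincipalname=%s)(memberof=%s))" % (
        escape_filter_value(principal),
        escape_filter_value(group_dn),
    )


class Directory:
    """Stand-in for ldap.find_entries(): constructed entries plus a matcher
    that understands only the two-term AND filter built above."""

    _FILTER = re.compile(
        r"^\(&\(krbprincipalname=(?P<p>[^()]*)\)\(memberof=(?P<g>[^()]*)\)\)$"
    )

    def __init__(self, entries):
        self.entries = entries

    @staticmethod
    def _unescape(value):
        return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

    def find_entries(self, filter):
        m = self._FILTER.match(filter)
        if m is None:
            raise ValueError("unsupported filter: %s" % filter)
        principal = self._unescape(m.group("p"))
        group_dn = self._unescape(m.group("g"))
        return [
            e for e in self.entries
            if e["krbprincipalname"] == principal and group_dn in e["memberof"]
        ]


class ValidationError(Exception):
    """Local stand-in for ipalib.errors.ValidationError."""

    def __init__(self, name, error):
        super().__init__("%s: %s" % (name, error))
        self.name, self.error = name, error


def validate_unique_id(options, principal, directory, allowed_group_dn=ADMINS_DN):
    """Reject a caller-supplied ipatokenuniqueid unless the caller is a member
    of allowed_group_dn. The group is a parameter (what a configurable virtual
    operation would supply) instead of being hard-coded to admins.
    Returns True when the request may proceed."""
    if "ipatokenuniqueid" not in options:
        return True  # the server generates the ID; nothing to enforce
    if not directory.find_entries(make_membership_filter(principal, allowed_group_dn)):
        raise ValidationError(name="ipatokenuniqueid",
                              error="can only be specified by admins")
    return True


# Constructed entries for the demonstration.
DIRECTORY = Directory([
    {"krbprincipalname": "admin@EXAMPLE.TEST", "memberof": [ADMINS_DN]},
    {"krbprincipalname": "helpdesk@EXAMPLE.TEST", "memberof": [OTP_ADMINS_DN]},
    {"krbprincipalname": "alice@EXAMPLE.TEST", "memberof": []},
])

if __name__ == "__main__":
    print(make_membership_filter("alice@EXAMPLE.TEST", ADMINS_DN))
    print(validate_unique_id({"ipatokenuniqueid": "tok1"}, "admin@EXAMPLE.TEST", DIRECTORY))
    try:
        validate_unique_id({"ipatokenuniqueid": "tok1"}, "alice@EXAMPLE.TEST", DIRECTORY)
    except ValidationError as e:
        print("rejected:", e)
```

Passing OTP_ADMINS_DN as allowed_group_dn lets a helpdesk principal set the ID while a plain user is still rejected, which is the flexibility a virtual operation would give the realm admin; the escaping test at the end shows a principal carrying ")(objectclass=*" matches nothing instead of widening the search.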