>> We perform this enforcement at the API level since:
>> * DS level enforcement would be difficult
>> * ipatokenUniqueID generation already happens at the API level
>> It may be nice in the future to perform enforcement in the DS itself.
>> However, the question of the location of enforcement is largely an
>> aesthetic issue.
>> https://fedorahosted.org/freeipa/ticket/4456
> That's a rather beefy check. I would prefer something like this (untested):
>     group_dn = self.api.Object.group.get_dn(u'admins')
>     filter = ldap.make_filter(
>         {'krbprincipalname': context.principal, 'memberof': group_dn},
>         ldap.MATCH_ALL)
>     try:
>         ldap.find_entries(
>             base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
>     except errors.NotFound:
>         raise ValidationError(name='ipatokenuniqueid',
>                               error='can only be specified by admins')
Also, do we want to hard code it to the admins group only? Wouldn't it be more
flexible to create a new Virtual Operation and let the realm admin configure who
can change the UID? See Jan's patch d6fb110b77e2c585f0bfc5eb11b0187a43263fa1
for an example of how that's done.
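A self-contained model of the two checks being compared in this thread (added here, not code from the thread or from FreeIPA): a constructed in-memory directory stands in for the DS, the filter has the same shape the quoted snippet builds with `make_filter(..., MATCH_ALL)`, and the virtual operation name, the `otp-managers` group and the `VIRTUAL_OP_GRANTS` table are hypothetical stand-ins for the ACI a realm admin would configure.

```python
# Constructed model of the two checks being compared, not FreeIPA code.
BASEDN = "dc=example,dc=test"
ADMINS_DN = "cn=admins,cn=groups,cn=accounts," + BASEDN
OTP_MANAGERS_DN = "cn=otp-managers,cn=groups,cn=accounts," + BASEDN  # hypothetical group
VIRTUAL_OP_DN = "cn=Set OTP token UID,cn=virtual operations,cn=etc," + BASEDN  # hypothetical op

# In-memory stand-in for the DS: DN -> attribute -> list of values (all constructed).
DIRECTORY = {
    "uid=admin,cn=users,cn=accounts," + BASEDN: {
        "krbprincipalname": ["admin@EXAMPLE.TEST"], "memberof": [ADMINS_DN]},
    "uid=helpdesk,cn=users,cn=accounts," + BASEDN: {
        "krbprincipalname": ["helpdesk@EXAMPLE.TEST"], "memberof": [OTP_MANAGERS_DN]},
    "uid=alice,cn=users,cn=accounts," + BASEDN: {
        "krbprincipalname": ["alice@EXAMPLE.TEST"], "memberof": []},
}
# Stand-in for ACIs granting the virtual operation; a realm admin edits this, not plugin code.
VIRTUAL_OP_GRANTS = {VIRTUAL_OP_DN: {ADMINS_DN, OTP_MANAGERS_DN}}


def make_filter(attrs):
    """Same shape as ldap.make_filter(attrs, MATCH_ALL): an AND of equality assertions."""
    return "(&" + "".join("(%s=%s)" % kv for kv in attrs.items()) + ")"


def find_entries(filter_str):
    """Evaluate an (&(a=v)(b=w)) filter over DIRECTORY; LookupError stands in for errors.NotFound."""
    terms = filter_str[2:-1].strip("()").split(")(")
    wanted = dict(t.split("=", 1) for t in terms)
    hits = [dn for dn, attrs in DIRECTORY.items()
            if all(v in attrs.get(k, []) for k, v in wanted.items())]
    if not hits:
        raise LookupError("no entry matched " + filter_str)
    return hits


def check_hardcoded_admins(principal):
    """The quoted snippet's rule: the caller must be a member of the fixed 'admins' group."""
    try:
        find_entries(make_filter({"krbprincipalname": principal, "memberof": ADMINS_DN}))
    except LookupError:
        raise ValueError("ipatokenuniqueid: can only be specified by admins")
    return True


def check_virtual_operation(principal, op_dn=VIRTUAL_OP_DN):
    """The reply's alternative: the caller must hold a virtual operation, whose grants
    the realm admin can change without touching the plugin."""
    groups = {g for a in DIRECTORY.values() if principal in a["krbprincipalname"]
              for g in a["memberof"]}
    if not groups & VIRTUAL_OP_GRANTS.get(op_dn, set()):
        raise ValueError("ipatokenuniqueid: caller lacks '%s'" % op_dn)
    return True
```

With the hard-coded rule only `admin` may set the UID; with the virtual operation the `helpdesk` account is allowed as well because the grant table, not the plugin, decides.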