On 09/17/2014 08:51 AM, Jan Cholasta wrote:
> Hi,
> 
> Dne 16.9.2014 v 19:32 Nathaniel McCallum napsal(a):
>> We perform this enforcement at the API level since:
>> * DS level enforcement would be difficult
>> * ipatokenUniqueID generation already happens at the API level
>>
>> It may be nice in the future to perform enforcement in the DS itself.
>> However, the question of the location of enforcement is largely an
>> aesthetic issue.
>>
>> https://fedorahosted.org/freeipa/ticket/4456
> 
> That's a rather beefy check. I would prefer something like this (untested):
> 
>     group_dn = self.api.Object.group.get_dn(u'admins')
>     filter = ldap.make_filter(
>         {'krbprincipalname': context.principal, 'memberof': group_dn},
>         ldap.MATCH_ALL)
>     try:
>         ldap.find_entries(
>             base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
>     except errors.NotFound:
>         raise ValidationError(name='ipatokenuniqueid',
>                               error='can only be specified by admins')
> 
> Honza
> 

Also, do we want to hard code it to admins group only? Wouldn't it be more
flexible to create a new Virtual Operation and let realm admin configure who
can change the UID. See Jan's patch d6fb110b77e2c585f0bfc5eb11b0187a43263fa1
for an example how that's done.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to