On Wed, 2014-09-17 at 12:31 +0200, Martin Kosek wrote:
> On 09/17/2014 08:51 AM, Jan Cholasta wrote:
> > Hi,
> > 
> > Dne 16.9.2014 v 19:32 Nathaniel McCallum napsal(a):
> >> We perform this enforcement at the API level since:
> >> * DS level enforcement would be difficult
> >> * ipatokenUniqueID generation already happens at the API level
> >>
> >> It may be nice in the future to perform enforcement in the DS itself.
> >> However, the question of the location of enforcement is largely an
> >> aesthetic issue.
> >>
> >> https://fedorahosted.org/freeipa/ticket/4456
> > 
> > That's a rather beefy check. I would prefer something like this (untested):
> > 
> >     group_dn = self.api.Object.group.get_dn(u'admins')
> >     filter = ldap.make_filter(
> >         {'krbprincipalname': context.principal, 'memberof': group_dn},
> >         ldap.MATCH_ALL)
> >     try:
> >         ldap.find_entries(
> >             base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
> >     except errors.NotFound:
> >         raise ValidationError(name='ipatokenuniqueid',
> >                               error='can only be specified by admins')
> > 
> > Honza
> > 
> 
> Also, do we want to hard code it to admins group only?

Preferably, no. But I don't have another workable solution.

> Wouldn't it be more
> flexible to create a new Virtual Operation and let realm admin configure who
> can change the UID. See Jan's patch d6fb110b77e2c585f0bfc5eb11b0187a43263fa1
> for an example how that's done.

Modifications are already not permitted. The problem is that we need to
restrict the format of an attribute for only some users on add only.

Nathaniel

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to