Changing the owner of a token also implicitly sets the new owner as its manager if following conditions are met:

1.) The original token owner was also its manager

2.) The new manager is not set explicitly via CLI interface.

If the owner is unset and the above conditions are met, then the manager of the token will also be unset.

From c6d32af7359f29b53f518ce1c0b66e64e78f9566 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <>
Date: Wed, 14 Jan 2015 15:57:45 +0100
Subject: [PATCH] Changing the token owner changes also the manager.

This works if the change is made to a token which is owned and managed by the same person. The new owner then automatically becomes token's manager unless the attribute 'managedBy' is explicitly set otherwise.

 ipalib/plugins/ | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/ipalib/plugins/ b/ipalib/plugins/
index 41a7f1087b783486704a066fe35e16a4db125bf2..3b25ed35962e143a8bdb86b138d4143c6d98fab8 100644
--- a/ipalib/plugins/
+++ b/ipalib/plugins/
@@ -393,8 +393,22 @@ class otptoken_mod(LDAPUpdate):
                 raise ValidationError(name='not_before',
                                       error='is after the validity end')
         _normalize_owner(self.api.Object.user, entry_attrs)
+        # ticket #4681: if the owner of the token is changed and the
+        # user also manages this token, then we should automatically
+        # set the 'managedby' attribute to the new owner
+        if 'ipatokenowner' in entry_attrs and 'managedby' not in entry_attrs:
+            new_owner = entry_attrs.get('ipatokenowner', None)
+            prev_entry = ldap.get_entry(dn, attrs_list=['ipatokenowner',
+                                                        'managedby'])
+            prev_owner = prev_entry.get('ipatokenowner', None)
+            prev_managed_by = prev_entry.get('managedby', None)
+            if (new_owner != prev_owner) and (prev_owner == prev_managed_by):
+                entry_attrs.setdefault('managedby', new_owner)
         return dn

Freeipa-devel mailing list

Reply via email to