On 10/19/2015 07:35 AM, Martin Babinsky wrote:
On 10/16/2015 07:28 PM, Martin Babinsky wrote:
fixes tickets:

https://fedorahosted.org/freeipa/ticket/5362
https://fedorahosted.org/freeipa/ticket/5372

Upon discussion with Simo we decided that OTP tokens should be
orphaned/deleted also during the user preservation.



self-NACK, the current patch violates what we agreed on with Tomas
regarding removal of ID overrides.

Reworked patch attached.

--
Martin^3 Babinsky
From bdb643323d5129eb6ebd05874cbc887d022bf3aa Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 16 Oct 2015 19:16:46 +0200
Subject: [PATCH] execute user-del pre-callback also during user preservation

user preservation code was not using the pre-callback function which did check
whether a protected member is being deleted and facilitated the
orphaning/deletion of OTP tokens owned/managed by the user.

https://fedorahosted.org/freeipa/ticket/5362
https://fedorahosted.org/freeipa/ticket/5372
---
 ipalib/plugins/user.py | 47 +++++++++++++++++++++++++++--------------------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 848836cd15add707f002b032e31c54d520472bb7..5c3e78b138acb89eb66a6f724019b0c1041b76ce 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -617,6 +617,10 @@ class user_del(baseuser_del):
         except errors.NotFound:
             self.obj.handle_not_found(pkey)
 
+        for callback in self.get_callbacks('pre'):
+            dn = callback(self, ldap, dn, pkey, **options)
+            assert isinstance(dn, DN)
+
         # start to move the entry to Delete container
         self._exc_wrapper(pkey, options, ldap.move_entry)(dn, delete_dn,
                                                           del_old=True)
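Review bot: the new loop runs the pre-callbacks with `pkey` as the only positional key and before `ldap.move_entry`, which is what lets the pre-callback's `dn.endswith(DN(self.obj.delete_container_dn, ...))` check still see the active-container DN; make sure the `options` handed in here still carry `preserve=True` at this point, because the pre-callback keys its ID-override handling on `options.get('preserve', False)` and would otherwise remove the overrides on preservation too. Also `assert isinstance(dn, DN)` is a no-op under `python -O`, so if a callback returning something other than a DN must be a hard error, raise explicitly instead of asserting.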
@@ -671,28 +675,31 @@ class user_del(baseuser_del):
         # For User life Cycle: user-del is a common plugin
         # command to delete active user (active container) and
         # delete user (delete container).
-        # If the target entry is a Delete entry, skip the updates
-        # protected member and otptoken owner
-        if not dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
-            check_protected_member(keys[-1])
+        # If the target entry is a Delete entry, skip the orphaning/removal
+        # of OTP tokens.
+        check_protected_member(keys[-1])
 
-            # Delete all tokens owned and managed by this user.
-            # Orphan all tokens owned but not managed by this user.
-            owner = self.api.Object.user.get_primary_key_from_dn(dn)
-            results = self.api.Command.otptoken_find(ipatokenowner=owner)['result']
-            for token in results:
-                orphan = not [x for x in token.get('managedby_user', []) if x == owner]
-                token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
-                if orphan:
-                    self.api.Command.otptoken_mod(token, ipatokenowner=None)
-                else:
-                    self.api.Command.otptoken_del(token)
+        if not options.get('preserve', False):
+            # Remove any ID overrides tied with this user
+            try:
+                remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
+            except errors.NotFound:
+                self.obj.handle_not_found(*keys)
 
-        # Remove any ID overrides tied with this user
-        try:
-            remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
-        except errors.NotFound:
-            self.obj.handle_not_found(*keys)
+        if dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
+            return dn
+
+        # Delete all tokens owned and managed by this user.
+        # Orphan all tokens owned but not managed by this user.
+        owner = self.api.Object.user.get_primary_key_from_dn(dn)
+        results = self.api.Command.otptoken_find(ipatokenowner=owner)['result']
+        for token in results:
+            orphan = not [x for x in token.get('managedby_user', []) if x == owner]
+            token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
+            if orphan:
+                self.api.Command.otptoken_mod(token, ipatokenowner=None)
+            else:
+                self.api.Command.otptoken_del(token)
 
         return dn
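Review bot: `check_protected_member(keys[-1])` now runs before the delete-container early return, so it also fires for entries that are already in the delete container, which the removed `if not dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):` guard used to skip; if that is intended (a protected user can no longer be preserved once the pre-callback runs on preservation), state it in the commit message, otherwise keep the guard around the check. The relocated comment "If the target entry is a Delete entry, skip the orphaning/removal of OTP tokens." also sits above the protected-member check, while the `if dn.endswith(...): return dn` it describes is several lines lower, after the ID-override removal; move the comment next to that return so it documents the code beneath it.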
 
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
