author | Rob Crittenden <rcritten@redhat.com> | 2010-10-26 14:31:00 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-10-28 17:36:05 -0400 |
commit | 7486ead6c910d13ae4d7cbae6fae738ce2bf47eb (patch) | |
tree | 32ce7ca9a1407e5506e965f1c85b8b9b07047b18 | |
parent | c1dfb50ee9be266e3448ad53acd8a6464938c604 (diff) | |
Don't allow managed groups to have group password policy.
UPG cannot have members and we use memberOf in class of service to determine
which policy to apply.
ticket 160
-rw-r--r-- | ipalib/errors.py | 15 | ||||
-rw-r--r-- | ipalib/plugins/pwpolicy.py | 5 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_pwpolicy.py | 13 |
3 files changed, 31 insertions, 2 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py
index bce433d2a..79ce42dac 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1095,6 +1095,21 @@ class ManagedGroupError(ExecutionError):
 errno = 4020
 format = _('Deleting a managed group is not allowed. It must be detached first.')

+class ManagedPolicyError(ExecutionError):
+ """
+ **4021** Raised when password policy is assigned to a managed group
+
+ For example:
+
+ >>> raise ManagedPolicyError()
+ Traceback (most recent call last):
+ ...
+ ManagedPolicyError: A managed group cannot have a password policy.
+ """
+
+ errno = 4021
+ format = _('A managed group cannot have a password policy.')
+
 class BuiltinError(ExecutionError):
 """
 **4100** Base class for builtin execution errors (*4100 - 4199*).
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index 5e81631f4..893473611 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -115,7 +115,10 @@ class cosentry_add(LDAPCreate):

 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 # check for existence of the group
- self.api.Command.group_show(keys[-1])
+ result = self.api.Command.group_show(keys[-1], all=True)['result']
+ oc = map(lambda x:x.lower(),result['objectclass'])
+ if 'mepmanagedentry' in oc:
+ raise errors.ManagedPolicyError()
 self.obj.check_priority_uniqueness(*keys, **options)
 del entry_attrs['cn']
 return dn
diff --git a/tests/test_xmlrpc/test_pwpolicy.py b/tests/test_xmlrpc/test_pwpolicy.py
index 94063c568..8a384ca56 100644
--- a/tests/test_xmlrpc/test_pwpolicy.py
+++ b/tests/test_xmlrpc/test_pwpolicy.py
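Review bot: In ipalib/plugins/pwpolicy.py, the comment above the `group_show` call in `cosentry_add.pre_callback` still reads `# check for existence of the group`, but that call now also feeds the managed-group rejection, which per the commit message is what keeps memberOf-based policy selection meaningful. I would change it to `# the group must exist and must not be a managed (user-private) group` so a later refactor does not treat the lookup as a plain existence check and drop the guard. As a style point, `oc = [x.lower() for x in result['objectclass']]` reads more directly than `map` with a lambda and keeps the fail-closed behaviour if the attribute is ever missing. The guard runs only in this command's pre_callback, so whether other paths that attach a policy to a group are covered cannot be told from this hunk; the class body starts outside it.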
@@ -149,7 +149,18 @@ class test_pwpolicy(XMLRPC_test):
 entry = api.Command['pwpolicy_mod'](self.group, krbminpwdlife=50)['result']
 assert_attr_equal(entry, 'krbminpwdlife', '50')

- def test_a_pwpolicy_del(self):
+ def test_a_pwpolicy_managed(self):
+ """
+ Test adding password policy to a managed group.
+ """
+ try:
+ entry = api.Command['pwpolicy_add'](self.user, krbminpwdlife=50, cospriority=2)['result']
+ except errors.ManagedPolicyError:
+ pass
+ else:
+ assert False
+
+ def test_b_pwpolicy_del(self):
 """
 Test the `xmlrpc.pwpolicy_del` method.
 """
|
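Review bot: The bare `assert False` in `test_a_pwpolicy_managed` gives no diagnostic if the managed-group guard regresses; `assert False, 'pwpolicy_add on a managed group should have raised ManagedPolicyError'` states what went wrong, and the unused `entry =` binding can be dropped. The test passes `self.user` as the group name, which presumably relies on an earlier test having created that user together with its user-private group; that setup is outside the hunk. If the policy were wrongly created, nothing here removes it, so the tests that follow would run against leftover state.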