author | Tomas Babej <tbabej@redhat.com> | 2015-05-27 15:06:15 +0200 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2015-07-01 13:00:07 +0200 |
commit | 77b64e60231492b7c009a32bcf0cbdcd5ef9922a (patch) | |
tree | e82151f726fcbe73239ee48ff683b4b38c04185a | |
parent | a6d448b8bf70ef29aa4a2c16afb9aee068a95ae4 (diff) | |
idviews: Allow users specify the raw anchor directly as identifier
For various reasons, it can happen that the users or groups that
have overrides defined in a given ID view are no longer resolvable.
Since user and group names are also used to specify the ID override objects,
by way of the respective user's or group's ipaUniqueID,
we need to provide a fallback for the case where these user or group entries
no longer exist.
https://fedorahosted.org/freeipa/ticket/5026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | ipalib/plugins/idviews.py | 42 |
1 files changed, 31 insertions, 11 deletions
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index a7b1e0a78..2c843462a 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py @@ -17,6 +17,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import re from ipalib.plugins.baseldap import (LDAPQuery, LDAPObject, LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, @@ -57,6 +58,12 @@ protected_default_trust_view_error = errors.ProtectedEntryError( DEFAULT_TRUST_VIEW_NAME = "default trust view" +ANCHOR_REGEX = re.compile( + r':IPA:.*:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}' + r'|' + r':SID:S-[0-9\-]+' +) + @register() class idview(LDAPObject): """ @@ -559,11 +566,19 @@ class baseidoverride(LDAPObject): override_object = None def get_dn(self, *keys, **options): - anchor = resolve_object_to_anchor( - self.backend, - self.override_object, - keys[-1] - ) + # If user passed raw anchor, do not try + # to translate it. + if ANCHOR_REGEX.match(keys[-1]): + anchor = keys[-1] + + # Otherwise, translate object into a + # legitimate object anchor. + else: + anchor = resolve_object_to_anchor( + self.backend, + self.override_object, + keys[-1] + ) keys = keys[:-1] + (anchor, ) return super(baseidoverride, self).get_dn(*keys, **options) 
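Review bot: ANCHOR_REGEX is only anchored at the start, so the `ANCHOR_REGEX.match(keys[-1])` test added to get_dn in the following hunk accepts any string that merely begins like an anchor (for example `:SID:S-1-5-21-` followed by arbitrary text, or a valid `:IPA:...:<uuid>` with trailing characters) and then uses it verbatim as the RDN value instead of resolving it. Terminating both alternatives would close that gap: `r':IPA:.*:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'` and `r':SID:S-[0-9\-]+$'`. The `.*` in the IPA alternative also places no constraint on the domain part (it accepts further colons); if the domain name format is known, narrowing it would make the match stricter. The UUID part is lowercase-only; that is presumably how ipaUniqueID values are generated, but if mixed case is possible `re.IGNORECASE` would be needed — worth confirming against the generating code.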
@@ -578,12 +593,17 @@ class baseidoverride(LDAPObject): anchor = entry_attrs.single_value['ipaanchoruuid'] if anchor: - object_name = resolve_anchor_to_object_name( - self.backend, - self.override_object, - anchor - ) - entry_attrs.single_value['ipaanchoruuid'] = object_name + try: + object_name = resolve_anchor_to_object_name( + self.backend, + self.override_object, + anchor + ) + entry_attrs.single_value['ipaanchoruuid'] = object_name + except errors.NotFound: + # If we were unable to resolve the anchor, + # keep it in the raw form + pass def prohibit_ipa_users_in_default_view(self, dn, entry_attrs): # Check if parent object is Default Trust View, if so, prohibit |
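Review bot: The `try` body in this hunk also covers the `entry_attrs.single_value['ipaanchoruuid'] = object_name` assignment, which cannot raise errors.NotFound; keeping only the resolve call inside the `try` and moving the assignment to an `else:` branch makes it clear which statement the handler is for, e.g. `except errors.NotFound:` / `pass` / `else:` / `entry_attrs.single_value['ipaanchoruuid'] = object_name`. Because the fallback silently leaves the raw anchor in the attribute, a caller cannot tell a resolved name from an unresolvable one; if the plugin has a logger in scope (not visible here), a debug-level message in the `except` branch stating that the anchor was kept raw would make the fallback observable in the server log. The enclosing method starts outside the hunk.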