summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2010-11-01 12:05:53 -0400
committerRob Crittenden <rcritten@redhat.com>2010-11-19 13:47:09 -0500
commit53d15537553e20a732d041ebddfd4ba69d5bb8dd (patch)
tree34fa2e91f2e34a231e1952fce3086b352f27a680
parent5c4dc1c2e95749559dac9c625859f4e1ced5a6e1 (diff)
downloadfreeipa-53d15537553e20a732d041ebddfd4ba69d5bb8dd.tar.gz
freeipa-53d15537553e20a732d041ebddfd4ba69d5bb8dd.tar.xz
freeipa-53d15537553e20a732d041ebddfd4ba69d5bb8dd.zip
Give a detached group a full set of group objectclasses.
The UUID plugin handles adding ipaUniqueId for us as well as the access control for it. ticket 250
-rw-r--r--install/share/default-aci.ldif2
-rw-r--r--ipalib/plugins/baseldap.py4
-rw-r--r--ipalib/plugins/group.py29
3 files changed, 26 insertions, 9 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index e03c65c4d..2805e2f6f 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId || memberOf || serverHostName")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index d742a791e..61fedd98a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -234,6 +234,10 @@ class LDAPObject(Object):
if parent_obj.primary_key:
yield parent_obj.primary_key.clone(query=True)
+ def has_objectclass(self, classes, objectclass):
+ oc = map(lambda x:x.lower(),classes)
+ return objectclass.lower() in oc
+
def convert_attribute_members(self, entry_attrs, *keys, **options):
if options.get('raw', False):
return
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 1994c010f..5ecc72ae8 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -291,23 +291,28 @@ class group_detach(LDAPRemoveMember):
group_dn = self.obj.get_dn(*keys, **options)
user_dn = self.api.Object['user'].get_dn(*keys)
+ (user_dn, user_attrs) = ldap.get_entry(user_dn)
+ is_managed = self.obj.has_objectclass(user_attrs['objectclass'], 'mepmanagedentry')
if (not ldap.can_write(user_dn, "objectclass") or
- not ldap.can_write(user_dn, "mepManagedEntry")):
+ not (ldap.can_write(user_dn, "mepManagedEntry")) and is_managed):
raise errors.ACIError(info=_('not allowed to modify user entries'))
+ (group_dn, group_attrs) = ldap.get_entry(group_dn)
+ is_managed = self.obj.has_objectclass(group_attrs['objectclass'], 'mepmanagedby')
if (not ldap.can_write(group_dn, "objectclass") or
- not ldap.can_write(group_dn, "mepManagedBy")):
+ not (ldap.can_write(group_dn, "mepManagedBy")) and is_managed):
raise errors.ACIError(info=_('not allowed to modify group entries'))
- (user_dn, user_attrs) = ldap.get_entry(user_dn)
objectclasses = user_attrs['objectclass']
try:
i = objectclasses.index('mepOriginEntry')
+ del objectclasses[i]
+ update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
+ ldap.update_entry(user_dn, update_attrs)
except ValueError:
- raise NotFound(reason=_('Not a managed group'))
- del objectclasses[i]
- update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
- ldap.update_entry(user_dn, update_attrs)
+ # Somehow the user isn't managed, let it pass for now. We'll
+ # let the group throw "Not managed".
+ pass
(group_dn, group_attrs) = ldap.get_entry(group_dn)
objectclasses = group_attrs['objectclass']
@@ -315,8 +320,16 @@ class group_detach(LDAPRemoveMember):
i = objectclasses.index('mepManagedEntry')
except ValueError:
# this should never happen
- raise NotFound(reason=_('Not a managed group'))
+ raise errors.NotFound(reason=_('Not a managed group'))
del objectclasses[i]
+
+ # Make sure the resulting group has the default group objectclasses
+ config = ldap.get_ipa_config()[1]
+ def_objectclass = config.get(
+ self.obj.object_class_config, objectclasses
+ )
+ objectclasses = list(set(def_objectclass + objectclasses))
+
update_attrs = {'objectclass': objectclasses, 'mepManagedBy': None}
ldap.update_entry(group_dn, update_attrs)