diff options
author | Rob Crittenden <rcritten@redhat.com> | 2010-11-01 12:05:53 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-11-19 13:47:09 -0500 |
commit | 53d15537553e20a732d041ebddfd4ba69d5bb8dd (patch) | |
tree | 34fa2e91f2e34a231e1952fce3086b352f27a680 | |
parent | 5c4dc1c2e95749559dac9c625859f4e1ced5a6e1 (diff) | |
download | freeipa-53d15537553e20a732d041ebddfd4ba69d5bb8dd.tar.gz freeipa-53d15537553e20a732d041ebddfd4ba69d5bb8dd.tar.xz freeipa-53d15537553e20a732d041ebddfd4ba69d5bb8dd.zip |
Give a detached group a full set of group objectclasses.
The UUID plugin handles adding ipaUniqueId for us as well as the access
control for it.
ticket 250
-rw-r--r-- | install/share/default-aci.ldif | 2 | ||||
-rw-r--r-- | ipalib/plugins/baseldap.py | 4 | ||||
-rw-r--r-- | ipalib/plugins/group.py | 29 |
3 files changed, 26 insertions, 9 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index e03c65c4d..2805e2f6f 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -4,7 +4,7 @@ dn: $SUFFIX changetype: modify add: aci aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) -aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId || memberOf || serverHostName")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) +aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index d742a791e..61fedd98a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -234,6 +234,10 @@ class LDAPObject(Object): if parent_obj.primary_key: yield parent_obj.primary_key.clone(query=True) + def has_objectclass(self, classes, objectclass): + oc = map(lambda x:x.lower(),classes) + return objectclass.lower() in oc + def convert_attribute_members(self, entry_attrs, *keys, **options): if options.get('raw', False): return diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 1994c010f..5ecc72ae8 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -291,23 +291,28 @@ class group_detach(LDAPRemoveMember): group_dn = self.obj.get_dn(*keys, **options) user_dn = self.api.Object['user'].get_dn(*keys) + (user_dn, user_attrs) = ldap.get_entry(user_dn) + is_managed = self.obj.has_objectclass(user_attrs['objectclass'], 'mepmanagedentry') if (not ldap.can_write(user_dn, "objectclass") or - not ldap.can_write(user_dn, "mepManagedEntry")): + not (ldap.can_write(user_dn, "mepManagedEntry")) and is_managed): raise errors.ACIError(info=_('not allowed to modify user entries')) + (group_dn, group_attrs) = ldap.get_entry(group_dn) + is_managed = self.obj.has_objectclass(group_attrs['objectclass'], 'mepmanagedby') if (not ldap.can_write(group_dn, "objectclass") or - not ldap.can_write(group_dn, "mepManagedBy")): + not (ldap.can_write(group_dn, "mepManagedBy")) and is_managed): raise errors.ACIError(info=_('not allowed to modify group entries')) - (user_dn, user_attrs) = ldap.get_entry(user_dn) objectclasses = user_attrs['objectclass'] try: i = objectclasses.index('mepOriginEntry') + del objectclasses[i] + update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None} + ldap.update_entry(user_dn, update_attrs) except ValueError: - raise NotFound(reason=_('Not a managed group')) - del objectclasses[i] - update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None} - ldap.update_entry(user_dn, update_attrs) + # Somehow the user isn't managed, let it pass for now. We'll + # let the group throw "Not managed". + pass (group_dn, group_attrs) = ldap.get_entry(group_dn) objectclasses = group_attrs['objectclass'] @@ -315,8 +320,16 @@ class group_detach(LDAPRemoveMember): i = objectclasses.index('mepManagedEntry') except ValueError: # this should never happen - raise NotFound(reason=_('Not a managed group')) + raise errors.NotFound(reason=_('Not a managed group')) del objectclasses[i] + + # Make sure the resulting group has the default group objectclasses + config = ldap.get_ipa_config()[1] + def_objectclass = config.get( + self.obj.object_class_config, objectclasses + ) + objectclasses = list(set(def_objectclass + objectclasses)) + update_attrs = {'objectclass': objectclasses, 'mepManagedBy': None} ldap.update_entry(group_dn, update_attrs) |