authorRich Megginson <rmeggins@redhat.com>2008-10-01 09:38:43 -0600
committerRob Crittenden <rcritten@redhat.com>2008-10-13 14:15:19 -0400
commita93e2b0d0215010e82496558a175b04f729ae812 (patch)
treef712fd15a4ff981df08f2f95219d7075af7c5498
parentb4ead84f6aae5828a4088a565487fb965069c93d (diff)
Do not add enabled user to activated group - clean up parse_acct_disable
If a user needs to be enabled, just delete the user from the inactivated group, but do not add to the activated group. If a user is in no group, the user is active by default. IPA uses the activated group for override purposes. parse_acct_disable is only used when the config changes, but I cleaned it up anyway to make the code clearer.
-rw-r--r--ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c9
-rw-r--r--ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c38
2 files changed, 28 insertions, 19 deletions
diff --git a/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
index a887e89..45efa6d 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
+++ b/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
@@ -166,14 +166,11 @@ parse_acct_disable(const char *theval)
}
if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_NONE)) {
retval = ACCT_DISABLE_NONE;
- }
- if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_TO_AD)) {
+ } else if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_TO_AD)) {
retval = ACCT_DISABLE_TO_AD;
- }
- if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_TO_DS)) {
+ } else if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_TO_DS)) {
retval = ACCT_DISABLE_TO_DS;
- }
- if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_BOTH)) {
+ } else if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_BOTH)) {
retval = ACCT_DISABLE_BOTH;
}
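Review bot: The `else if` chain ends without a final `else`, so a string that matches none of the four constants leaves `retval` at whatever it was initialised to before the hunk; that initial value is not visible here. Judging by the constant names, this setting appears to select the direction in which account disablement is synced, so the fall-through deserves a comment such as `/* any other value: retval keeps its initial value, set above */`, or an explicit `else` that logs the unrecognised string. parse_acct_disable starts and ends outside the hunk.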
diff --git a/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
index f18a939..4a6c80d 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
+++ b/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
@@ -1011,9 +1011,15 @@ sync_acct_disable(
char *adddn, *deldn;
const char *dsdn;
int rc;
+ /* in the case of disabling a user, need to remove that user from
+ the activated group, if in there, and add to the inactivated group
+ however, in the case of enabling a user, we just have to remove
+ the user from the inactivated group, if in there - if the user
+ is not in any group, the user is activated by default
+ */
if (ad_is_enabled) {
/* add user to activated group, delete from inactivated group */
- adddn = ipaconfig->activated_group_dn;
+ adddn = NULL; /* no group means active by default */
deldn = ipaconfig->inactivated_group_dn;
} else {
/* add user to inactivated group, delete from activated group */
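Review bot: The inline comment kept in the `ad_is_enabled` branch, `/* add user to activated group, delete from inactivated group */`, now contradicts the code under it, which sets `adddn = NULL` and performs no add. Replace it with something like `/* delete from inactivated group only; membership in neither group means active */` so the branch does not mislead a later reader about which memberships an enable touches. The body of sync_acct_disable continues outside the hunk.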
@@ -1046,7 +1052,11 @@ sync_acct_disable(
}
/* next, add the user to the adddn group - ignore (but log)
if the user is already in that group */
- rc = do_group_modify(adddn, "member", LDAP_MOD_ADD, dsdn);
+ if (adddn) {
+ rc = do_group_modify(adddn, "member", LDAP_MOD_ADD, dsdn);
+ } else {
+ rc = LDAP_SUCCESS;
+ }
if (rc == LDAP_TYPE_OR_VALUE_EXISTS) {
/* user already in that group */
slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
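Review bot: On the disable path, a failed `LDAP_MOD_ADD` at this call can leave the account enabled. The comment's "next" implies the delete from the activated group has already run, so the user would be in neither group, and the rule this commit spells out is that no group means active. Only the `LDAP_TYPE_OR_VALUE_EXISTS` case is visible here; how other non-success codes are handled lies outside the hunk and should be checked there. At minimum record the consequence next to the call, e.g. `/* if this add fails while disabling, the user is in neither group, i.e. still active */`. For the disable direction, consider adding to the inactivated group before deleting from the activated one, or returning the error instead of only logging it.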
@@ -1080,18 +1090,20 @@ sync_acct_disable(
"memberOf", deldn);
}
}
- slapi_value_set_string(sv, adddn);
- if (!slapi_entry_attr_has_syntax_value(ds_entry,
- "memberOf", sv)) {
- if (smods) {
- slapi_mods_add_string(smods, LDAP_MOD_ADD,
- "memberOf", adddn);
- if (do_modify) {
- *do_modify = 1; /* added mods */
+ if (adddn) {
+ slapi_value_set_string(sv, adddn);
+ if (!slapi_entry_attr_has_syntax_value(ds_entry,
+ "memberOf", sv)) {
+ if (smods) {
+ slapi_mods_add_string(smods, LDAP_MOD_ADD,
+ "memberOf", adddn);
+ if (do_modify) {
+ *do_modify = 1; /* added mods */
+ }
+ } else if (update_entry) {
+ slapi_entry_add_string(update_entry,
+ "memberOf", adddn);
}
- } else if (update_entry) {
- slapi_entry_add_string(update_entry,
- "memberOf", adddn);
}
}
slapi_value_free(&sv);