summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMartin Kosek <mkosek@redhat.com>2011-10-11 10:26:21 +0200
committerMartin Kosek <mkosek@redhat.com>2011-10-11 14:49:36 +0200
commit88e693a1a5b95e9da94b927a0b827b3a0e39b7b7 (patch)
tree9b1af3d90a50cc8157f1e05c0e7ac9ea19456d0c
parent59c2e0fbd10f98a460f11e6bd024741845922562 (diff)
downloadfreeipa-88e693a1a5b95e9da94b927a0b827b3a0e39b7b7.zip
freeipa-88e693a1a5b95e9da94b927a0b827b3a0e39b7b7.tar.gz
freeipa-88e693a1a5b95e9da94b927a0b827b3a0e39b7b7.tar.xz
Improve default user/group object class validation
When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893
-rw-r--r--ipalib/plugins/config.py23
-rw-r--r--ipaserver/plugins/ldap2.py5
2 files changed, 27 insertions, 1 deletions
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 7ef6265..aa0c19d 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -24,6 +24,10 @@ from ipalib.plugins.baseldap import *
from ipalib import _
from ipalib.errors import ValidationError
+# 389-ds attributes that should be skipped in attribute checks
+OPERATIONAL_ATTRIBUTES = ('nsaccountlock', 'member', 'memberof',
+ 'memberindirect', 'memberofindirect',)
+
__doc__ = _("""
Manage the IPA configuration
@@ -212,6 +216,25 @@ class config_mod(LDAPUpdate):
raise errors.ValidationError(
name=k, error='attribute "%s" not allowed' % a
)
+
+ for (attr, obj) in (('ipauserobjectclasses', 'user'),
+ ('ipagroupobjectclasses', 'group')):
+ if attr in entry_attrs:
+ objectclasses = list(set(entry_attrs[attr] \
+ + self.api.Object[obj].possible_objectclasses))
+ new_allowed_attrs = ldap.get_allowed_attributes(objectclasses,
+ raise_on_unknown=True)
+ checked_attrs = self.api.Object[obj].default_attributes
+ if self.api.Object[obj].uuid_attribute:
+ checked_attrs = checked_attrs + [self.api.Object[obj].uuid_attribute]
+ for obj_attr in checked_attrs:
+ if obj_attr in OPERATIONAL_ATTRIBUTES:
+ continue
+ if obj_attr not in new_allowed_attrs:
+ raise errors.ValidationError(name=attr,
+ error=_('%s default attribute %s would not be allowed!') \
+ % (obj, obj_attr))
+
return dn
api.register(config_mod)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index fddfe0f..382cc57 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -43,6 +43,7 @@ from ldap.controls import LDAPControl
# for backward compatibility
from ldap.functions import explode_dn
from ipalib.dn import DN
+from ipalib import _
import krbV
@@ -268,7 +269,7 @@ class ldap2(CrudBackend, Encoder):
else:
return None
- def get_allowed_attributes(self, objectclasses):
+ def get_allowed_attributes(self, objectclasses, raise_on_unknown=False):
if not self.schema:
self.get_schema()
allowed_attributes = []
@@ -276,6 +277,8 @@ class ldap2(CrudBackend, Encoder):
obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc)
if obj is not None:
allowed_attributes += obj.must + obj.may
+ elif raise_on_unknown:
+ raise errors.NotFound(reason=_('objectclass %s not found') % oc)
return [unicode(a).lower() for a in list(set(allowed_attributes))]
def get_single_value(self, attr):