author | Rob Crittenden <rcritten@redhat.com> | 2010-12-20 23:28:33 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-12-21 13:00:15 -0500 |
commit | 4d6cd892581d6ce402feb3351c6cb41b932a54f5 (patch) | |
tree | b9e66e40160902c1cd7e6efb28d6e6b6e2561300 | |
parent | 1a7f5e0cc4e66db243ce29f09d77479fc981099e (diff) | |
In meta data make ACI attributes lower-case, sorted. Add possible attributes.
The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).
To make the list easier to handle sort it and make it all lower-case.
Fix a couple of missed camel-case attributes in the default ACI list.
ticket 641
-rw-r--r-- | install/share/delegation.ldif | 4 | ||||
-rw-r--r-- | ipalib/plugins/baseldap.py | 9 | ||||
-rw-r--r-- | ipalib/plugins/group.py | 1 | ||||
-rw-r--r-- | ipalib/plugins/user.py | 1 |
4 files changed, 11 insertions, 4 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index abd2aae71..69050dfee 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -496,7 +496,7 @@ aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Ad
 aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";)
 aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";)
 aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";)
-aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
 # Group administration
@@ -508,7 +508,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFI
 aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";)
 # We need objectclass and gidnumber in modify so a non-posix group can be
 # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
-aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
 # Host administration
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index d91fd938f..259d02b01 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -233,6 +233,9 @@ class LDAPObject(Object):
 object_name_plural = 'entries'
 object_class = []
 object_class_config = None
+ # If an objectclass is possible but not default in an entry. Needed for
+ # collecting attributes for ACI UI.
+ possible_objectclasses = []
 search_attributes = []
 search_attributes_config = None
 default_attributes = []
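Review bot: The comment two lines above the changed ACI still reads `mqpManagedBy and ipaUniqueId`, so after this commit lower-cases the targetattr list to `mepmanagedby || ipauniqueid` the prose and the ACI disagree on both spelling and case; `mqpManagedBy` looks like a typo for mepManagedBy. Update the comment to `# promoted. We need mepmanagedby and ipauniqueid so a group can be detached.` so the names in the comment can be grepped against the ACI they describe.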
@@ -356,17 +359,19 @@ class LDAPObject(Object):
 objectclasses = config.get(
 self.object_class_config, objectclasses
 )
+ objectclasses += self.possible_objectclasses
 # Get list of available attributes for this object for use
 # in the ACI UI.
 attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
 attrlist = []
 # Go through the MUST first
 for (oid, attr) in attrs[0].iteritems():
- attrlist.append(attr.names[0])
+ attrlist.append(attr.names[0].lower())
 # And now the MAY
 for (oid, attr) in attrs[1].iteritems():
- attrlist.append(attr.names[0])
+ attrlist.append(attr.names[0].lower())
 json_dict['aciattrs'] = attrlist
+ attrlist.sort()
 json_dict['methods'] = [m for m in self.methods]
 return json_dict
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 4ba9b6185..9fd24008c 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -81,6 +81,7 @@ class group(LDAPObject):
 object_name_plural = 'groups'
 object_class = ['ipausergroup']
 object_class_config = 'ipagroupobjectclasses'
+ possible_objectclasses = ['posixGroup', 'mepManagedEntry']
 search_attributes_config = 'ipagroupsearchfields'
 default_attributes = [
 'cn', 'description', 'gidnumber', 'member', 'memberof',
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 620975496..17e5e3c58 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -63,6 +63,7 @@ class user(LDAPObject):
 object_name_plural = 'users'
 object_class = ['posixaccount']
 object_class_config = 'ipauserobjectclasses'
+ possible_objectclasses = ['meporiginentry']
 search_attributes_config = 'ipausersearchfields'
 default_attributes = [
 'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou', |
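Review bot: `objectclasses += self.possible_objectclasses` extends the list in place, and `objectclasses` at that point is whatever `config.get(self.object_class_config, objectclasses)` returned — the fallback value is assigned above the hunk, and if it is the class-level `object_class` list (or a cached config value) then every call of this method appends the possible objectclasses to that shared list again, so code that later reads `object_class` to build new entries would treat `posixGroup`/`mepManagedEntry` as default classes. Build a fresh list instead: `objectclasses = list(objectclasses) + self.possible_objectclasses`. A smaller point of style: `attrlist.sort()` runs after `json_dict['aciattrs'] = attrlist` and only takes effect because both names alias the same list, so moving the sort up one line, before the assignment, makes the intent obvious. The enclosing method starts outside the hunk.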
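Review bot: `possible_objectclasses = ['posixGroup', 'mepManagedEntry']` is camel-case while the sibling `object_class = ['ipausergroup']` and the `user` plugin's `possible_objectclasses = ['meporiginentry']` in the same commit are lower-case, which is at odds with the commit's own aim of normalizing case. Whether `schema.attribute_types()` matches objectclass names case-insensitively is not visible here, so writing `possible_objectclasses = ['posixgroup', 'mepmanagedentry']` removes a dependency on that behaviour and keeps the two plugins consistent. The `group` class body continues outside the hunk.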