authorRob Crittenden <rcritten@redhat.com>2010-12-10 13:31:58 -0500
committerAdam Young <ayoung@redhat.com>2010-12-13 20:15:46 -0500
commitcd7b64103b24ce4b71420c8c93707046169c2c22 (patch)
tree23f9d54d58b983d87b59426520a49a70e19966d8 /ipalib/plugins/aci.py
parent8a534bf07b55b20566c50211c9f90d638aead3da (diff)
Add group to group delegation plugin.
This is a thin wrapper around the ACI plugin that manages granting group A the ability to write a set of attributes of group B. ticket 532
Diffstat (limited to 'ipalib/plugins/aci.py')
-rw-r--r--ipalib/plugins/aci.py48
1 files changed, 41 insertions, 7 deletions
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index d5f7d996f..5a57a309a 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -124,6 +124,8 @@ from ipalib import Flag, Int, List, Str, StrEnum
from ipalib.aci import ACI
from ipalib import output
from ipalib import _, ngettext
+if api.env.in_server and api.env.context in ['lite', 'server']:
+ from ldap import explode_dn
import logging
_type_map = {
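Review bot: `explode_dn` is bound only when `api.env.in_server` is set and the context is `lite` or `server`, yet the `group` and `targetgroup` filters added later in this commit call it without any guard. If `aci_find` ever executes in another context, the failure would be a `NameError` rather than a clear message. Presumably the method only runs server-side, so a comment on the import would be enough, for example `# explode_dn is used only by server-side execute(); python-ldap may be absent elsewhere`.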
@@ -272,7 +274,9 @@ def _aci_to_kw(ldap, a, test=False):
# See if the target is a group. If so we set the
# targetgroup attr, otherwise we consider it a subtree
if api.env.container_group in target:
- kw['targetgroup'] = unicode(target)
+ targetdn = unicode(target.replace('ldap:///',''))
+ (dn, entry_attrs) = ldap.get_entry(targetdn, ['cn'])
+ kw['targetgroup'] = entry_attrs['cn'][0]
else:
kw['subtree'] = unicode(target)
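Review bot: The new `ldap.get_entry(targetdn, ['cn'])` lookup in `_aci_to_kw` has no error handling, so one ACI whose target group entry no longer exists would presumably raise and abort the whole listing. That hides the remaining ACIs from whoever is auditing them. Wrap the lookup in `try:` … `except errors.NotFound:` and fall back to the DN, e.g. `kw['targetgroup'] = targetdn`. The `api.env.container_group in target` test is a substring match, so a comment should state that any target containing the group container is treated as a single, resolvable group entry. The function body starts and ends outside the hunk.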
@@ -638,9 +642,10 @@ class aci_find(crud.Search):
if 'memberof' in kw:
try:
- self.api.Command['group_show'](
+ result = self.api.Command['group_show'](
kw['memberof']
- )
+ )['result']
+ dn = result['dn']
except errors.NotFound:
pass
else:
@@ -652,11 +657,9 @@ class aci_find(crud.Search):
results.remove(a)
else:
results.remove(a)
- # uncomment next line if you add more search criteria
- # acis = list(results)
- for a in acis:
- if 'type' in kw:
+ if 'type' in kw:
+ for a in acis:
if 'target' in a.target:
target = a.target['target']['expression']
else:
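Review bot: The `for a in acis:` loop now sits under `if 'type' in kw:`, but the hint to refresh `acis` from `results` between criteria is dropped in the same commit that adds two more criteria (the `group` and `targetgroup` blocks later in this method). If `acis` is a snapshot taken before the `memberof` filter, each later pass re-examines entries already removed and relies on `except ValueError: pass` to absorb the repeated removals. A one-line comment such as `# acis is a snapshot; results.remove() may see entries an earlier filter already dropped` would keep that intent visible. The method body extends beyond the hunk.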
@@ -681,6 +684,37 @@ class aci_find(crud.Search):
except ValueError:
pass
+ if 'group' in kw:
+ for a in acis:
+ groupdn = a.bindrule['expression']
+ groupdn = groupdn.replace('ldap:///','')
+ cn = None
+ if groupdn.startswith('cn='):
+ cn = explode_dn(groupdn)[0]
+ cn = cn.replace('cn=','')
+ if cn is None or cn != kw['group']:
+ try:
+ results.remove(a)
+ except ValueError:
+ pass
+
+ if 'targetgroup' in kw:
+ for a in acis:
+ found = False
+ if 'target' in a.target:
+ target = a.target['target']['expression']
+ if api.env.container_group in target:
+ targetdn = unicode(target.replace('ldap:///',''))
+ cn = explode_dn(targetdn)[0]
+ cn = cn.replace('cn=','')
+ if cn == kw['targetgroup']:
+ found = True
+ if not found:
+ try:
+ results.remove(a)
+ except ValueError:
+ pass
+
# TODO: searching by: filter, subtree
acis = []
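Review bot: Both new filters derive the group name with `explode_dn(...)[0]` followed by `cn.replace('cn=','')`. That strips every `cn=` occurrence in the RDN rather than only the leading type, and it is case-sensitive, so an RDN written as `CN=` or a group name that itself contains `cn=` will not compare correctly against `kw['group']` / `kw['targetgroup']`. `explode_dn(groupdn, notypes=1)[0]` returns the value without the attribute type and removes the need for the string replace. The `targetgroup` branch also parses any target that merely contains `api.env.container_group`, without the `startswith('cn=')` guard used in the `group` branch, so a target expression that is not a plain DN would likely raise from the parser instead of being filtered out. These filters decide which delegation rules an administrator sees, so a mismatch here means a rule is silently left out of the view; the enclosing method starts outside the hunk.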