authorAlexander Bokovoy <abokovoy@redhat.com>2012-06-20 16:08:33 +0300
committerAlexander Bokovoy <abokovoy@redhat.com>2012-06-27 17:13:42 +0300
commit70d1870e99ccad9ca41c3f40d380f1348b895bb6 (patch)
tree71af3fb7544c3582be69fee48a920c00abfa4dc5 /ipalib/plugins/baseldap.py
parent724c685f21117c994b4e4d793c509827be97a56e (diff)
Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is possible to add group members which don't exist in the IPA database. This is primarily required for AD trusts support and therefore validation accepts only the secure identifier (SID) format. https://fedorahosted.org/freeipa/ticket/2664
Diffstat (limited to 'ipalib/plugins/baseldap.py')
-rw-r--r--ipalib/plugins/baseldap.py23
1 files changed, 16 insertions, 7 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 475222a6a..b841435fd 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -362,23 +362,29 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl
externalattr is one of externaluser,
"""
completed_external = 0
+ normalize = options.get('external_callback_normalize', True)
# Sift through the failures. We assume that these are all
# entries that aren't stored in IPA, aka external entries.
if memberattr in failed and membertype in failed[memberattr]:
(dn, entry_attrs_) = ldap.get_entry(dn, [externalattr])
members = entry_attrs.get(memberattr, [])
external_entries = entry_attrs_.get(externalattr, [])
+ lc_external_entries = set(e.lower() for e in external_entries)
failed_entries = []
for entry in failed[memberattr][membertype]:
membername = entry[0].lower()
member_dn = api.Object[membertype].get_dn(membername)
- if membername not in external_entries and \
- member_dn not in members:
+ if (membername not in lc_external_entries and
+ member_dn not in members):
# Not an IPA entry, assume external
- external_entries.append(membername)
+ if normalize:
+ external_entries.append(membername)
+ else:
+ external_entries.append(entry[0])
+ lc_external_entries.add(membername)
completed_external += 1
- elif membername in external_entries and \
- member_dn not in members:
+ elif (membername in lc_external_entries and
+ member_dn not in members):
# Already an external member, reset the error message
msg = unicode(errors.AlreadyGroupMember().message)
newerror = (entry[0], msg)
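Review bot: The new `else` branch stores `entry[0]` verbatim into the external attribute when `normalize` is false, and nothing in this hunk checks its format; the commit message says only SID-formatted values are accepted, so that validation presumably happens in the calling plugin before this callback runs, but the dependency is invisible here. A comment on the branch would make the contract explicit: `# entry[0] is stored as given (no lower-casing); the caller is responsible for having validated its format before the add reaches this callback`. The `'external_callback_normalize'` key read from `options` is also undocumented — the function's docstring (its opening is outside the hunk, only its last lines are visible) should state that the option controls whether stored external names are lower-cased and that membership comparison is case-insensitive either way via `lc_external_entries`. add_external_post_callback's signature and body continue outside this hunk.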
@@ -409,8 +415,11 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co
completed_external = 0
for entry in failed[memberattr][membertype]:
membername = entry[0].lower()
- if membername in external_entries:
- external_entries.remove(membername)
+ if membername in external_entries or entry[0] in external_entries:
+ try:
+ external_entries.remove(membername)
+ except ValueError:
+ external_entries.remove(entry[0])
completed_external += 1
else:
failed_entries.append(membername)
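Review bot: The removal match is case-sensitive in a way the add path is not: `add_external_post_callback` treats a name as already present when its lower-cased form is in the attribute, but here a stored value is only found if it equals either the lower-cased `membername` or the exact `entry[0]` the user typed, so an entry added with `normalize` off and later removed with different casing is reported as not a member. Matching by lower-cased comparison against the stored values would keep the two callbacks consistent and also removes the `try`/`except ValueError` fallback, which only exists to guess which of the two spellings is stored. Whether mixed-case input is realistic for the SID values the commit message describes is not visible here, so this is a consistency point rather than a confirmed failure. remove_external_post_callback's signature and the code that fills `external_entries` and `failed_entries` are outside the hunk.
```python
        for entry in failed[memberattr][membertype]:
            membername = entry[0].lower()
            # Case-insensitive match against the stored value, mirroring
            # the lc_external_entries check used on the add side.
            stored = [e for e in external_entries if e.lower() == membername]
            if stored:
                external_entries.remove(stored[0])
                completed_external += 1
            else:
                failed_entries.append(membername)
```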