diff options
author | Petr Vobornik <pvoborni@redhat.com> | 2014-10-02 16:57:08 +0200 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2014-10-17 14:11:35 +0200 |
commit | 59ee6314afc7f0f7735ab1349caa970f0f00d78a (patch) | |
tree | f1269db1d7a48c144f0cb2824b25056514439490 /ipalib/plugins/baseldap.py | |
parent | 6f81217c18a416dcbd23360ad3d7f3fea0174fc0 (diff) | |
download | freeipa-59ee6314afc7f0f7735ab1349caa970f0f00d78a.tar.gz freeipa-59ee6314afc7f0f7735ab1349caa970f0f00d78a.tar.xz freeipa-59ee6314afc7f0f7735ab1349caa970f0f00d78a.zip |
keytab manipulation permission management
Adds new API:
ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR
these methods add or remove user or group DNs in `ipaallowedtoperform` attr with
`read_keys` and `write_keys` subtypes.
service|host-mod|show outputs these attrs only with --all option as:
Users allowed to retrieve keytab: user1
Groups allowed to retrieve keytab: group1
Users allowed to create keytab: user1
Groups allowed to create keytab: group1
Adding of object class is implemented as a reusable method since this code is
used on many places and most likely will be also used in new features. Older
code may be refactored later.
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib/plugins/baseldap.py')
-rw-r--r-- | ipalib/plugins/baseldap.py | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index e589a5321..375441c0f 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -494,6 +494,23 @@ def host_is_master(ldap, fqdn): return +def add_missing_object_class(ldap, objectclass, dn, entry_attrs=None, update=True): + """ + Add object class if missing into entry. Fetches entry if not passed. Updates + the entry by default. + + Returns the entry + """ + + if not entry_attrs: + entry_attrs = ldap.get_entry(dn, ['objectclass']) + if (objectclass.lower() not in (o.lower() for o in entry_attrs['objectclass'])): + entry_attrs['objectclass'].append(objectclass) + if update: + ldap.update_entry(entry_attrs) + return entry_attrs + + class LDAPObject(Object): """ Object representing a LDAP entry. |