author | Ana Krivokapic <akrivoka@redhat.com> | 2013-02-21 10:56:03 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-03-14 11:44:24 -0400 |
commit | 66356f0daf2a55c7e64dc648e0f8c765e9a56151 (patch) | |
tree | 8816618e93bd1d681af4a52e11042ba9842b097a /ipalib/plugins | |
parent | c4ab8dae35e952ae74e49c5ad0fbfbc0718f60f8 (diff) | |
download | freeipa-66356f0daf2a55c7e64dc648e0f8c765e9a56151.tar.gz freeipa-66356f0daf2a55c7e64dc648e0f8c765e9a56151.tar.xz freeipa-66356f0daf2a55c7e64dc648e0f8c765e9a56151.zip |
Improve error messages for external group members
When adding a duplicate member to a group, an error message is issued,
informing the user that the entry is already a member of the group.
Similarly, when trying to delete an entry which is not a member,
an error message is issued, informing the user that the entry is not
a member of the group. These error messages were missing in case of
external members.
This patch also adds support for using the AD\name or name@ad.domain.com
format in ipa group-remove-member command. This format was supported in
group-add-member, but not in group-remove-member.
A unit test file covering these cases was also added.
https://fedorahosted.org/freeipa/ticket/3254
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/baseldap.py | 4 | ||||
-rw-r--r-- | ipalib/plugins/group.py | 27 |
2 files changed, 27 insertions, 4 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 3d013ced9..bb0de989c 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -391,6 +391,10 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co
external_entries.remove(entry[0])
completed_external += 1
else:
+ msg = unicode(errors.NotGroupMember().message)
+ newerror = (entry[0], msg)
+ ind = failed[memberattr][membertype].index(entry)
+ failed[memberattr][membertype][ind] = newerror
failed_entries.append(membername)

if completed_external:
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index bde002a8d..21ee00490 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -398,7 +398,7 @@ class group_add_member(LDAPAddMember):
result = add_external_post_callback('member', 'group', 'ipaexternalmember', ldap, completed, failed, dn, entry_attrs, keys, options, external_callback_normalize=False)
- failed['member']['group'] = restore + failed_sids
+ failed['member']['group'] += restore + failed_sids
return result

api.register(group_add_member)
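Review bot: `ind = failed[memberattr][membertype].index(entry)` rescans the failure list for every non-member and raises ValueError if `entry` is not present, so the correctness of the new lines depends on the loop iterating that same list; the loop header is outside the hunk, so this is inferred. If it does, `for ind, entry in enumerate(failed[memberattr][membertype]):` gives the index directly and drops both the rescan and the implicit assumption. With the same SID supplied twice the `(id,id)` tuples compare equal, so `.index` always hits the first occurrence and only that one receives the NotGroupMember message. The remove_external_post_callback body starts before this hunk.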
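Review bot: The change from `=` to `+=` on `failed['member']['group']` is what preserves the failure entries that add_external_post_callback records (the old assignment discarded them), but nothing in the code says so; a why-comment would help, e.g. `# keep the callback's failures, then append the earlier ones and the unresolvable SIDs`. Note the resulting list now carries the callback's failures first and `restore` after, the reverse of the previous order, which matters if any caller or test compares it positionally. group_add_member's body starts before this hunk, so where `restore` and `failed_sids` are built is not visible here.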
@@ -425,15 +425,34 @@ class group_remove_member(LDAPRemoveMember):
assert isinstance(dn, DN)
result = (completed, dn)
if 'ipaexternalmember' in options:
- sids = options['ipaexternalmember']
- restore = list()
+ if not _dcerpc_bindings_installed:
+ raise errors.NotFound(reason=_('Cannot perform external member validation without '
+ 'Samba 4 support installed. Make sure you have installed '
+ 'server-trust-ad sub-package of IPA on the server'))
+ domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+ if not domain_validator.is_configured():
+ raise errors.NotFound(reason=_('Cannot perform join operation without own domain configured. '
+ 'Make sure you have run ipa-adtrust-install on the IPA server first'))
+ sids = []
+ failed_sids = []
+ for sid in options['ipaexternalmember']:
+ if domain_validator.is_trusted_sid_valid(sid):
+ sids.append(sid)
+ else:
+ try:
+ actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
+ except errors.PublicError, e:
+ failed_sids.append((sid, unicode(e)))
+ else:
+ sids.append(actual_sid)
+ restore = []
if 'member' in failed and 'group' in failed['member']:
restore = failed['member']['group']
failed['member']['group'] = list((id,id) for id in sids)
result = remove_external_post_callback('member', 'group', 'ipaexternalmember', ldap, completed, failed, dn, entry_attrs, keys, options)
- failed['member']['group'] = restore
+ failed['member']['group'] += restore + failed_sids
return result

api.register(group_remove_member) |
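Review bot: The validation block added to group_remove_member, from `if not _dcerpc_bindings_installed:` through the `for sid in options['ipaexternalmember']:` loop, appears to mirror what group_add_member already does for the same option (the commit description says add already supported this format), so the two commands now carry duplicate resolution logic that will drift. A private module-level helper that takes the api and the option values and returns `(sids, failed_sids)`, called from both post callbacks, would keep one copy; the `NotFound` checks for Samba support and trust configuration belong in it too. The second message, `'Cannot perform join operation without own domain configured. '`, reads as copied from an add/join path and is misleading in a remove-member error; it should name the operation actually being refused. The enclosing post_callback starts before this hunk.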