authorMartin Kosek <mkosek@redhat.com>2012-05-31 12:39:24 +0200
committerMartin Kosek <mkosek@redhat.com>2012-06-01 07:51:59 +0200
commit6ff5f28142c46bf5f08fef74c261f75e1baa9f66 (patch)
tree68d497483906af2844f2668747fcce360b409306 /ipalib
parent0ca29fac9af4cd437a8536f28ffd25923ec3f8cd (diff)
permission-find missed some results with --pkey-only option
When permission-find post callback detected a --pkey-only option, it just terminated. However, this way the results that could have been added from aci_find matches were not included. Fix the post callback to go through the entire matching process. Also make sure that DNS permissions have a correct objectclass (ipapermission), otherwise such objects are not matched by the permission LDAP search. https://fedorahosted.org/freeipa/ticket/2658
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/permission.py34
1 files changed, 20 insertions, 14 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index a484ff640..d6fe385b1 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -350,19 +350,19 @@ class permission_find(LDAPSearch):
has_output_params = LDAPSearch.has_output_params + output_params
def post_callback(self, ldap, entries, truncated, *args, **options):
- if options.pop('pkey_only', False):
- return truncated
- for entry in entries:
- (dn, attrs) = entry
- try:
- aci = self.api.Command.aci_show(attrs['cn'][0], aciprefix=ACI_PREFIX, **options)['result']
-
- # copy information from respective ACI to permission entry
- for attr in self.obj.aci_attributes:
- if attr in aci:
- attrs[attr] = aci[attr]
- except errors.NotFound:
- self.debug('ACI not found for %s' % attrs['cn'][0])
+ pkey_only = options.pop('pkey_only', False)
+ if not pkey_only:
+ for entry in entries:
+ (dn, attrs) = entry
+ try:
+ aci = self.api.Command.aci_show(attrs['cn'][0], aciprefix=ACI_PREFIX, **options)['result']
+
+ # copy information from respective ACI to permission entry
+ for attr in self.obj.aci_attributes:
+ if attr in aci:
+ attrs[attr] = aci[attr]
+ except errors.NotFound:
+ self.debug('ACI not found for %s' % attrs['cn'][0])
if truncated:
# size/time limit met, no need to search acis
return truncated
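Review bot: `options.pop('pkey_only', False)` mutates `options`, so every later `**options` call in post_callback (the `aci_show` call here and the `permission_show` call in the second hunk) runs without the flag. That appears to be what lets the ACI-matching code work on full entries, but nothing in the code says so. A short comment above the pop would make this explicit, e.g. `# strip pkey_only so nested commands return full entries; results are trimmed again before being appended`. The body of post_callback continues outside this hunk.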
@@ -406,9 +406,15 @@ class permission_find(LDAPSearch):
permission = self.api.Command.permission_show(aci['permission'], **options)['result']
dn = permission['dn']
del permission['dn']
+ if pkey_only:
+ new_entry = (dn, {self.obj.primary_key.name: \
+ permission[self.obj.primary_key.name]})
+ else:
+ new_entry = (dn, permission)
+
if (dn, permission) not in entries:
if len(entries) < max_entries:
- entries.append((dn, permission))
+ entries.append(new_entry)
else:
truncated = True
break
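Review bot: The duplicate check `if (dn, permission) not in entries:` still compares the full permission dict, but with `pkey_only` the list holds trimmed entries: the ones appended here as `new_entry`, and presumably the LDAP search results as well. In that mode the membership test would not match, so the same permission could be listed twice. Testing the value that is actually stored, `if new_entry not in entries:`, or comparing on the DN alone, `if dn not in [e[0] for e in entries]:`, keeps the check consistent in both modes. The enclosing loop starts outside the hunk, so confirm whether the LDAP-returned entries carry exactly the primary-key attribute before choosing between the two forms.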