authorRob Crittenden <rcritten@redhat.com>2010-06-25 16:14:46 -0400
committerRob Crittenden <rcritten@redhat.com>2010-07-06 15:39:34 -0400
commitba59d9d648d7ee9f3e5b03ede9aeccab97f13a13 (patch)
treef333b0335b3ebdd0d198f3afcd0f274daae5950a /ipaserver/plugins
parent83fd9ef7cc7823619692a0286cbcec5297245153 (diff)
Add support for User-Private Groups
This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the user's uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4).
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r--ipaserver/plugins/ldap2.py37
1 files changed, 30 insertions, 7 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index d1c083f20..987203caa 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -103,9 +103,12 @@ def _handle_errors(e, **kw):
raise errors.DatabaseError(desc=desc, info=info)
-def load_schema(url):
+def global_init(url):
"""
- Retrieve the LDAP schema from the provided url.
+ Perform global initialization when the module is loaded.
+
+ Retrieve the LDAP schema from the provided url and determine if
+ User-Private Groups (upg) are configured.
Bind using kerberos credentials. If in the context of the
in-tree "lite" server then use the current ccache. If in the context of
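Review bot: The rewritten docstring at the top of global_init describes the extra work but not the changed return value; the function now returns a tuple rather than a single SubSchema (the return statements are in the later hunks), and the old name load_schema suggested a single value, so a caller reading only the docstring will not know the shape. I'd add a line such as `Returns a (schema, upg) tuple; schema is None when the schema is not needed or the server is unreachable, and upg is True when the UPG Template entry was found.` The docstring continues past the end of this hunk.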
@@ -113,10 +116,11 @@ def load_schema(url):
principal.
"""
tmpdir = None
+ upg = False
if not api.env.in_server or api.env.context not in ['lite', 'server']:
# The schema is only needed on the server side
- return
+ return (None, None)
try:
if api.env.context == 'server':
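Review bot: Initialising `upg = False` before any connection is attempted means the SERVER_DOWN path in the next hunk (`return (None, upg)`) reports "UPG not configured" when nothing was actually checked, while the client-side early return here reports `None`. Callers such as has_upg therefore cannot tell "absent" from "unknown", and since the result is cached at import a process that loads this module while the directory server is down will presumably treat UPG as disabled for its whole lifetime. Consider `upg = None` here and assigning False only in the NO_SUCH_OBJECT handler, so that False always means the template was looked for and not found. global_init's body continues beyond this hunk.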
@@ -139,9 +143,17 @@ def load_schema(url):
'cn=schema', _ldap.SCOPE_BASE,
attrlist=['attributetypes', 'objectclasses']
)[0]
+ try:
+ upg_entry = conn.search_s(
+ 'cn=UPG Template, %s' % api.env.basedn, _ldap.SCOPE_BASE,
+ attrlist=['*']
+ )[0]
+ upg = True
+ except _ldap.NO_SUCH_OBJECT, e:
+ upg = False
conn.unbind_s()
except _ldap.SERVER_DOWN:
- return None
+ return (None, upg)
except _ldap.LDAPError, e:
# TODO: raise a more appropriate exception
_handle_errors(e, **{})
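Review bot: The new inner try block only converts NO_SUCH_OBJECT into `upg = False`; any other failure of the UPG Template search (for example an access-control error on that entry for the bound principal) falls through to the outer `except _ldap.LDAPError` and aborts module initialisation via _handle_errors, so a problem with an optional feature probe now prevents loading the whole backend. Decide whether that is intended; if not, catch `_ldap.LDAPError` for this inner search and leave `upg` unset, which keeps the schema result usable. Separately, `upg_entry` and `e` are never used: the search is purely an existence test, so `attrlist=['1.1']` (the RFC 4511 "no attributes" selector) avoids pulling the entire entry and the binding can be dropped. Note also that when the inner search raises anything other than NO_SUCH_OBJECT, the `conn.unbind_s()` on the following line is skipped, as was already the case for the schema search.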
@@ -154,13 +166,14 @@ def load_schema(url):
if tmpdir:
shutil.rmtree(tmpdir)
- return _ldap.schema.SubSchema(schema_entry[1])
+ return (_ldap.schema.SubSchema(schema_entry[1]), upg)
-# cache schema when importing module
+# cache schema and User-Private Groups when importing module
try:
- _schema = load_schema(api.env.ldap_uri)
+ (_schema, _upg) = global_init(api.env.ldap_uri)
except AttributeError:
_schema = None
+ _upg = None
def get_syntax(attr, value):
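Review bot: The import-time cache of `_upg` freezes the UPG state for the lifetime of the process: a server started before the UPG Template is created, or while the directory server is unreachable, keeps reporting the value computed here even after the condition changes, and nothing in this change refreshes it. If that trade-off is deliberate (the has_upg docstring in the last hunk presents it as a performance choice) the comment should say so, e.g. `# cache schema and User-Private Groups when importing module; both are fixed for the process lifetime and _upg is None when it could not be determined`. The `except AttributeError` branch already sets `_upg = None`, so the None case is reachable and should be part of the documented contract.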
@@ -524,6 +537,16 @@ class ldap2(CrudBackend, Encoder):
"""Returns a copy of the current LDAP schema."""
return copy.deepcopy(self.schema)
+ def has_upg(self):
+ """Returns True/False whether User-Private Groups are enabled.
+ This is determined based on whether the UPG Template exists.
+ We determine this at module load so we don't have to test for
+ it every time.
+ """
+ global _upg
+
+ return _upg
+
@encode_args(1, 2)
def get_effective_rights(self, dn, entry_attrs):
"""Returns the rights the currently bound user has for the given DN.