Fix aci plugin, enhance aci parsing capabilities, add user group support

- The aci plugin didn't quite work with the new ldap2 backend.
- We already walk through the target part of the ACI syntax so skip that
  in the regex altogether. This now lets us handle all current ACIs in IPA
  (some used to be ignored/skipped)
- Add support for user groups so one can do v1-style delegation (group A
  can write attributes x,y,z in group B). It is actually quite a lot more
  flexible than that but you get the idea)
- Improve error messages in the aci library
- Add a bit of documentation to the aci plugin

1 files changed, 3 insertions, 1 deletions

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 1b133e570..2bdf51a87 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -39,6 +39,8 @@ from ldap.controls import LDAPControl
 # for backward compatibility
 from ldap.functions import explode_dn
 
+import krbV
+
 from ipalib import api, errors
 from ipalib.crud import CrudBackend
 from ipalib.encoder import Encoder, encode_args, decode_retval
@@ -547,7 +549,7 @@ class ldap2(CrudBackend, Encoder):
 
     def _generate_modlist(self, dn, entry_attrs):
         # get original entry
-        (dn, entry_attrs_old) = self.get_entry(dn)
+        (dn, entry_attrs_old) = self.get_entry(dn, ['*', 'aci'])
         # get_entry returns a decoded entry, encode it back
         # we could call search_s directly, but this saves a lot of code at
         # the expense of a little bit of performace