author | Rob Crittenden <rcritten@redhat.com> | 2011-01-03 15:00:35 -0500 |
committer | Rob Crittenden <rcritten@redhat.com> | 2011-01-04 17:09:56 -0500 |
commit | 4f2a6e0a25cd5d92bdd436d23963f77b86f818ea (patch) | |
tree | c5ff38c20f166253708207285fa274e654160d9d /ipaserver | |
parent | e7afe1dec202de8064b90c526f0d4a2fdf224824 (diff) | |
Don't use Class of Service for account activation, use attribute.
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.
Since we aren't doing group-based account locking, drop that and use
nsaccountlock directly.
ticket 568
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/plugins/ldap2.py | 51 |
1 files changed, 4 insertions, 47 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 06a940773..f90b40564 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -904,7 +904,7 @@ class ldap2(CrudBackend, Encoder):
 """Mark entry active/inactive."""
 assert isinstance(active, bool)
 # get the entry in question
- (dn, entry_attrs) = self.get_entry(dn, ['nsaccountlock', 'memberof'])
+ (dn, entry_attrs) = self.get_entry(dn, ['nsaccountlock'])
 # check nsAccountLock attribute
 account_lock_attr = entry_attrs.get('nsaccountlock', ['false'])
@@ -915,53 +915,10 @@ class ldap2(CrudBackend, Encoder):
 else:
 if account_lock_attr == 'true':
 raise errors.AlreadyInactive()
+ account_lock_attr = str(not active)
- # check if nsAccountLock attribute is in the entry itself
- is_member = False
- member_of_attr = entry_attrs.get('memberof', [])
- for m in member_of_attr:
- if m.find('cn=activated') >= 0 or m.find('cn=inactivated') >=0:
- is_member = True
- break
- if not is_member and entry_attrs.has_key('nsaccountlock'):
- raise errors.HasNSAccountLock()
-
- activated_filter = '(cn=activated)'
- inactivated_filter = '(cn=inactivated)'
- parent_rdn = self.get_container_rdn('accounts')
-
- # try to remove the entry from activated/inactivated group
- if active:
- entries = self.find_entries(inactivated_filter, [], parent_rdn)[0]
- else:
- entries = self.find_entries(activated_filter, [], parent_rdn)[0]
- (group_dn, group_entry_attrs) = entries[0]
- try:
- self.remove_entry_from_group(dn, group_dn)
- except errors.NotGroupMember:
- pass
-
- # add the entry to the activated/inactivated group if necessary
- if active:
- (dn, entry_attrs) = self.get_entry(dn, ['nsaccountlock'])
-
- # check if we still need to add entry to the activated group
- account_lock_attr = entry_attrs.get('nsaccountlock', ['false'])
- account_lock_attr = account_lock_attr[0].lower()
- if account_lock_attr == 'false':
- return # we don't
-
- entries = self.find_entries(activated_filter, [], parent_rdn)[0]
- else:
- entries = self.find_entries(inactivated_filter, [], parent_rdn)[0]
- (group_dn, group_entry_attrs) = entries[0]
- try:
- self.add_entry_to_group(dn, group_dn)
- except errors.EmptyModlist:
- if active:
- raise errors.AlreadyActive()
- else:
- raise errors.AlreadyInactive()
+ entry_attrs['nsaccountlock'] = account_lock_attr
+ self.update_entry(dn, entry_attrs)
 def activate_entry(self, dn):
 """Mark entry active."""
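Review bot: The value written at `account_lock_attr = str(not active)` is `'True'`/`'False'`, while the read path just above lower-cases the stored value and compares it against `'true'`/`'false'`, so the two halves of this method use different literals for the same attribute. If the directory server compares nsAccountLock case-insensitively (as I believe 389-ds does) this is harmless on the server side, but writing the form the method itself already expects avoids relying on that: `account_lock_attr = 'false' if active else 'true'`. Separately, `entry_attrs['nsaccountlock'] = account_lock_attr` stores a bare string where get_entry returned the attribute list-valued (the `['false']` default shows the shape); unless update_entry is known to normalise scalars into lists, store `[account_lock_attr]` instead. With the memberof-based check removed, `errors.HasNSAccountLock` is no longer raised here and may now be unreferenced, which is worth confirming before it is left in the errors module. The enclosing method begins before this hunk (its signature is not shown in either hunk) and ends inside it.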