Diffstat (limited to 'ipa-server')
-rw-r--r-- | ipa-server/ipa-gui/ipagui/proxyprovider.py | 23 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py | 51 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 9 |
3 files changed, 71 insertions, 12 deletions
diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py
index ab45a6db8..5a145de14 100644
--- a/ipa-server/ipa-gui/ipagui/proxyprovider.py
+++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py
@@ -24,6 +24,7 @@ from ipaserver import funcs
 import ipa.config
 import ipa.group
 import ipa.user
+import ldap
 log = logging.getLogger("turbogears.identity")
@@ -41,18 +42,18 @@ class IPA_User(object):
 client = ipa.ipaclient.IPAClient(transport)
 client.set_krbccache(os.environ["KRB5CCNAME"])
 try:
- user = client.get_user_by_principal(user_name, ['dn'])
+ # Use memberof so we can see recursive group memberships as well.
+ user = client.get_user_by_principal(user_name, ['dn', 'memberof'])
 self.groups = []
- groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
- if isinstance(groups, str):
- groups = [groups]
- for ginfo in groups:
- # cn may be multi-valued, add them all just in case
- cn = ginfo.getValue('cn')
- if isinstance(cn, str):
- cn = [cn]
- for c in cn:
- self.groups.append(c)
+ memberof = user.getValues('memberof')
+ if isinstance(memberof, str):
+ memberof = [memberof]
+ for mo in memberof:
+ rdn_list = ldap.explode_dn(mo, 0)
+ first_rdn = rdn_list[0]
+ (type,value) = first_rdn.split('=')
+ if type == "cn":
+ self.groups.append(value)
 except:
 raise
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
index 9b7e93059..73b0cbe6c 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
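Review bot: `(type,value) = first_rdn.split('=')` in the new memberof loop assumes the first RDN contains exactly one '='; an RDN value that itself contains '=' makes the unpack raise ValueError, which the surrounding bare `except: raise` turns into a login failure, and `type == "cn"` is a case-sensitive comparison although LDAP attribute types are not, so a group whose DN is written `CN=...` is silently left out of `self.groups`. Because `self.groups` is what the identity layer authorizes against, both should be tightened: `attr, value = first_rdn.split('=', 1)` and `if attr.lower() == "cn":`, which also stops shadowing the builtin `type`. The `memberof` attribute is presumably maintained server-side; if it is missing the user ends up in no groups, which fails closed but is worth stating in the comment above the lookup. The enclosing method starts before this hunk.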
@@ -134,6 +134,15 @@ class DelegationController(IPAController):
 aci_entry.setValue('aci', new_aci.export_to_string())
 client.update_entry(aci_entry)
+
+ # Now add to the editors group so they can make changes in the UI
+ try:
+ group = client.get_entry_by_cn("editors")
+ client.add_group_to_group(new_aci.source_group, group.dn)
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ # This is ok, ignore it
+ pass
+
 except ipaerror.IPAError, e:
 turbogears.flash("Delgate add failed: " + str(e) + "<br/>" + e.detail[0]['desc'])
 return dict(form=delegate_form, delegate=kw,
@@ -216,11 +225,37 @@ class DelegationController(IPAController):
 new_aci_str = new_aci.export_to_string()
 new_aci_str_list = copy.copy(aci_str_list)
+ old_aci = ipa.aci.ACI(new_aci_str_list[old_aci_index])
 new_aci_str_list[old_aci_index] = new_aci_str
 aci_entry.setValue('aci', new_aci_str_list)
 client.update_entry(aci_entry)
+ if new_aci.source_group != old_aci.source_group:
+ aci_list = []
+ last = True
+ for aci_str in new_aci_str_list:
+ try:
+ aci = ipa.aci.ACI(aci_str)
+ if aci.source_group == old_aci.source_group:
+ last = False
+ break
+ except SyntaxError:
+ # ignore aci_str's that ACI can't parse
+ pass
+ if last:
+ group = client.get_entry_by_cn("editors")
+ client.remove_member_from_group(old_aci.source_group, group.dn)
+
+ # Now add to the editors group so they can make changes in the UI
+ try:
+ group = client.get_entry_by_cn("editors")
+ client.add_group_to_group(new_aci.source_group, group.dn)
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ # This is ok, ignore it
+ pass
+
+ turbogears.flash("delegate updated")
 raise turbogears.redirect('/delegate/list')
 except (SyntaxError, ipaerror.IPAError), e:
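Review bot: The new editors-group membership is added only after `client.update_entry(aci_entry)` has already written the ACI, and every failure other than LDAP_EMPTY_MODLIST (for instance no entry with cn "editors") falls through to the outer `except ipaerror.IPAError` and reports "Delgate add failed" even though the delegation now exists; the page then shows a failure for a grant that is in force. At minimum the try block deserves a comment such as `# ACI is already saved at this point; a failure here leaves the grant in place without UI edit rights`, and a distinct flash message for that case would be clearer than the generic one. The literal "editors" is repeated here and twice in the following hunks; a module-level `EDITORS_GROUP_CN = "editors"` would keep the three lookups in step. The except clause spells the module `ipa.ipaerror` while the outer handler uses `ipaerror`; confirm that both names are imported in this file, since the import block is outside this diff. The enclosing method starts before this hunk.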
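Review bot: The "is this the last ACI that names old_aci.source_group" loop in this hunk is duplicated verbatim in the delete hunk (@@ -291), `aci_list = []` is assigned and never used in both, and unlike the add path the `client.remove_member_from_group` call has no LDAP_EMPTY_MODLIST guard, so a membership that is already absent turns a successful ACI update into a flashed error after the ACI has been written. Factoring the scan into one private helper and using it from both methods removes the duplication and gives the removal one place for the guard; whether an unparseable ACI string that still names the old group should block the removal (the loop currently skips it, so the group loses its UI edit rights while the grant stays) is worth a sentence in the helper's docstring either way. The enclosing method starts before this hunk and the `except` that closes it is the last context line.
```python
def _source_group_still_delegated(aci_str_list, source_group):
    """Return True if any parseable ACI in aci_str_list still names source_group.

    Strings that ACI() rejects with SyntaxError are skipped, so an unparseable
    ACI that grants source_group does not keep it in the editors group.
    """
    for aci_str in aci_str_list:
        try:
            if ipa.aci.ACI(aci_str).source_group == source_group:
                return True
        except SyntaxError:
            # ignore aci_str's that ACI can't parse
            pass
    return False

# … unchanged: update_entry call …
            if new_aci.source_group != old_aci.source_group:
                if not _source_group_still_delegated(new_aci_str_list, old_aci.source_group):
                    group = client.get_entry_by_cn("editors")
                    client.remove_member_from_group(old_aci.source_group, group.dn)
# … unchanged: add new source group to editors …
```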
@@ -291,12 +326,28 @@ class DelegationController(IPAController):
 "concurrently modified.")
 raise turbogears.redirect('/delegate/list')
+ old_aci = ipa.aci.ACI(aci_str_list[old_aci_index])
 new_aci_str_list = copy.copy(aci_str_list)
 del new_aci_str_list[old_aci_index]
 aci_entry.setValue('aci', new_aci_str_list)
 client.update_entry(aci_entry)
+ aci_list = []
+ last = True
+ for aci_str in new_aci_str_list:
+ try:
+ aci = ipa.aci.ACI(aci_str)
+ if aci.source_group == old_aci.source_group:
+ last = False
+ break
+ except SyntaxError:
+ # ignore aci_str's that ACI can't parse
+ pass
+ if last:
+ group = client.get_entry_by_cn("editors")
+ client.remove_member_from_group(old_aci.source_group, group.dn)
+ turbogears.flash("delegate deleted")
 raise turbogears.redirect('/delegate/list')
 except (SyntaxError, ipaerror.IPAError), e:
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 6bd404012..d4cbb3ef4 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1123,7 +1123,14 @@ class IPAServer:
 return True
 def get_groups_by_member (self, member_dn, sattrs, opts=None):
- """Get a specific group's entry. Return as a dict of values.
+ """Get all of the groups an object is explicitly a member of.
+
+ This does not include groups an entry may be a member of as a
+ result of recursion (being a group that is a member of another
+ group). In other words, this searches on 'member' and not
+ 'memberof'.
+
+ Return as a dict of values.
 Multi-valued fields are represented as lists.
 """
 if not member_dn: |
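Review bot: `old_aci = ipa.aci.ACI(aci_str_list[old_aci_index])` now parses the ACI being deleted before the deletion happens, so an ACI string that `ACI()` rejects with SyntaxError can no longer be removed through this page: the outer `except (SyntaxError, ipaerror.IPAError)` turns the delete into an error and the malformed ACI stays in the entry, unless code above this hunk already parses it. The hunk's own loop already treats unparseable strings as skippable, so the same tolerance belongs here: wrap the construction in `try`/`except SyntaxError`, set `old_aci = None` on failure, and skip the editors cleanup when it is None, so a stale editors membership at worst waits for a later delete rather than blocking this one. `aci_list = []` is unused here as in the update hunk. The enclosing method starts before this hunk.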