diff options
Diffstat (limited to 'ipalib/plugins/aci.py')
-rw-r--r-- | ipalib/plugins/aci.py | 52 |
1 files changed, 26 insertions, 26 deletions
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 7a27ce116..7d5bf504c 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -123,24 +123,22 @@ from ipalib import api, crud, errors from ipalib import Object, Command from ipalib import Flag, Int, Str, StrEnum from ipalib.aci import ACI -from ipalib.dn import DN from ipalib import output from ipalib import _, ngettext from ipalib.plugins.baseldap import gen_pkey_only_option -if api.env.in_server and api.env.context in ['lite', 'server']: - from ldap import explode_dn from ipapython.ipa_log_manager import * +from ipapython.dn import DN ACI_NAME_PREFIX_SEP = ":" _type_map = { - 'user': 'ldap:///uid=*,%s,%s' % (api.env.container_user, api.env.basedn), - 'group': 'ldap:///cn=*,%s,%s' % (api.env.container_group, api.env.basedn), - 'host': 'ldap:///fqdn=*,%s,%s' % (api.env.container_host, api.env.basedn), - 'hostgroup': 'ldap:///cn=*,%s,%s' % (api.env.container_hostgroup, api.env.basedn), - 'service': 'ldap:///krbprincipalname=*,%s,%s' % (api.env.container_service, api.env.basedn), - 'netgroup': 'ldap:///ipauniqueid=*,%s,%s' % (api.env.container_netgroup, api.env.basedn), - 'dnsrecord': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn), + 'user': 'ldap:///' + str(DN(('uid', '*'), api.env.container_user, api.env.basedn)), + 'group': 'ldap:///' + str(DN(('cn', '*'), api.env.container_group, api.env.basedn)), + 'host': 'ldap:///' + str(DN(('fqdn', '*'), api.env.container_host, api.env.basedn)), + 'hostgroup': 'ldap:///' + str(DN(('cn', '*'), api.env.container_hostgroup, api.env.basedn)), + 'service': 'ldap:///' + str(DN(('krbprincipalname', '*'), api.env.container_service, api.env.basedn)), + 'netgroup': 'ldap:///' + str(DN(('ipauniqueid', '*'), api.env.container_netgroup, api.env.basedn)), + 'dnsrecord': 'ldap:///' + str(DN(('idnsname', '*'), api.env.container_dns, api.env.basedn)), } _valid_permissions_values = [ @@ -247,7 +245,7 @@ def _make_aci(ldap, current, aciname, kw): if 'test' in kw and not kw.get('test'): raise e else: - entry_attrs = {'dn': 'cn=%s,%s' % (kw['permission'], api.env.container_permission)} + entry_attrs = {'dn': DN(('cn', kw['permission']), api.env.container_permission)} elif group: # Not so friendly with groups. This will raise try: @@ -343,10 +341,9 @@ def _aci_to_kw(ldap, a, test=False, pkey_only=False): else: # See if the target is a group. If so we set the # targetgroup attr, otherwise we consider it a subtree - if api.env.container_group in target: - targetdn = unicode(target.replace('ldap:///','')) - target = DN(targetdn) - kw['targetgroup'] = target['cn'] + targetdn = DN(target.replace('ldap:///','')) + if targetdn.endswith(DN(api.env.container_group, api.env.basedn)): + kw['targetgroup'] = targetdn[0]['cn'] else: kw['subtree'] = unicode(target) @@ -357,15 +354,16 @@ def _aci_to_kw(ldap, a, test=False, pkey_only=False): elif groupdn == 'anyone': pass else: - if groupdn.startswith('cn='): - dn = '' + groupdn = DN(groupdn) + if len(groupdn) and groupdn[0].attr == 'cn': + dn = DN() entry_attrs = {} try: (dn, entry_attrs) = ldap.get_entry(groupdn, ['cn']) except errors.NotFound, e: # FIXME, use real name here if test: - dn = 'cn=%s,%s' % ('test', api.env.container_permission) + dn = DN(('cn', 'test'), api.env.container_permission) entry_attrs = {'cn': [u'test']} if api.env.container_permission in dn: kw['permission'] = entry_attrs['cn'][0] @@ -801,11 +799,11 @@ class aci_find(crud.Search): if kw.get('group'): for a in acis: groupdn = a.bindrule['expression'] - groupdn = groupdn.replace('ldap:///','') - cn = None - if groupdn.startswith('cn='): - cn = explode_dn(groupdn)[0] - cn = cn.replace('cn=','') + groupdn = DN(groupdn.replace('ldap:///','')) + try: + cn = groupdn[0]['cn'].value + except (IndexError, KeyError): + cn = None if cn is None or cn != kw['group']: try: results.remove(a) @@ -818,9 +816,11 @@ class aci_find(crud.Search): if 'target' in a.target: target = a.target['target']['expression'] if api.env.container_group in target: - targetdn = unicode(target.replace('ldap:///','')) - cn = explode_dn(targetdn)[0] - cn = cn.replace('cn=','') + targetdn = DN(target.replace('ldap:///','')) + try: + cn = targetdn[0]['cn'] + except (IndexError, KeyError): + cn = None if cn == kw['targetgroup']: found = True if not found: |