1 files changed, 103 insertions, 0 deletions

diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py
index 16c7b2a88..4266e876c 100644
--- a/ipalib/plugins/baseuser.py
+++ b/ipalib/plugins/baseuser.py
@@ -459,13 +459,116 @@ class baseuser_mod(LDAPUpdate):
     """
     Prototype command plugin to be implemented by real plugin
     """
+    def check_namelength(self, ldap, **options):
+        if options.get('rename') is not None:
+            config = ldap.get_ipa_config()
+            if 'ipamaxusernamelength' in config:
+                if len(options['rename']) > int(config.get('ipamaxusernamelength')[0]):
+                    raise errors.ValidationError(
+                        name=self.obj.primary_key.cli_name,
+                        error=_('can be at most %(len)d characters') % dict(
+                            len = int(config.get('ipamaxusernamelength')[0])
+                        )
+                    )
+    def check_mail(self, entry_attrs):
+        if 'mail' in entry_attrs:
+            entry_attrs['mail'] = self.obj.normalize_and_validate_email(entry_attrs['mail'])
+
+    def check_manager(self, entry_attrs, container):
+        if 'manager' in entry_attrs:
+            entry_attrs['manager'] = self.obj.normalize_manager(entry_attrs['manager'], container)
+
+    def check_userpassword(self, entry_attrs, **options):
+        if 'userpassword' not in entry_attrs and options.get('random'):
+            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            # save the password so it can be displayed in post_callback
+            setattr(context, 'randompassword', entry_attrs['userpassword'])
+
+    def check_objectclass(self, ldap, dn, entry_attrs):
+        if ('ipasshpubkey' in entry_attrs or 'ipauserauthtype' in entry_attrs
+            or 'userclass' in entry_attrs or 'ipatokenradiusconfiglink' in entry_attrs):
+            if 'objectclass' in entry_attrs:
+                obj_classes = entry_attrs['objectclass']
+            else:
+                _entry_attrs = ldap.get_entry(dn, ['objectclass'])
+                obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
+
+            if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes:
+                obj_classes.append('ipasshuser')
+
+            if 'ipauserauthtype' in entry_attrs and 'ipauserauthtypeclass' not in obj_classes:
+                obj_classes.append('ipauserauthtypeclass')
+
+            if 'userclass' in entry_attrs and 'ipauser' not in obj_classes:
+                obj_classes.append('ipauser')
+
+            if 'ipatokenradiusconfiglink' in entry_attrs:
+                cl = entry_attrs['ipatokenradiusconfiglink']
+                if cl:
+                    if 'ipatokenradiusproxyuser' not in obj_classes:
+                        obj_classes.append('ipatokenradiusproxyuser')
+
+                    answer = self.api.Object['radiusproxy'].get_dn_if_exists(cl)
+                    entry_attrs['ipatokenradiusconfiglink'] = answer
+
+    def pre_common_callback(self, ldap, dn, entry_attrs, **options):
+        assert isinstance(dn, DN)
+        self.check_namelength(ldap, **options)
+
+        self.check_mail(entry_attrs)
+
+        self.check_manager(entry_attrs, self.obj.active_container_dn)
+
+        self.check_userpassword(entry_attrs, **options)
+
+        self.check_objectclass(ldap, dn, entry_attrs)
+
+    def post_common_callback(self, ldap, dn, entry_attrs, **options):
+        assert isinstance(dn, DN)
+        if options.get('random', False):
+            try:
+                entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword'))
+            except AttributeError:
+                # if both randompassword and userpassword options were used
+                pass
+        convert_nsaccountlock(entry_attrs)
+        self.obj.convert_manager(entry_attrs, **options)
+        self.obj.get_password_attributes(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        radius_dn2pk(self.api, entry_attrs)
 
 class baseuser_find(LDAPSearch):
     """
     Prototype command plugin to be implemented by real plugin
     """
+    def common_enhance_options(self, newoptions, **options):
+        # assure the manager attr is a dn, not just a bare uid
+        manager = options.get('manager')
+        if manager is not None:
+            newoptions['manager'] = self.obj.normalize_manager(manager, self.obj.active_container_dn)
+
+        # Ensure that the RADIUS config link is a dn, not just the name
+        cl = 'ipatokenradiusconfiglink'
+        if cl in options:
+            newoptions[cl] = self.api.Object['radiusproxy'].get_dn(options[cl])
+
+    def post_common_callback(self, ldap, entries, lockout=False, **options):
+        for attrs in entries:
+            self.obj.convert_manager(attrs, **options)
+            self.obj.get_password_attributes(ldap, attrs.dn, attrs)
+            if (lockout):
+                attrs['nsaccountlock'] = True
+            else:
+                convert_nsaccountlock(attrs)
+            convert_sshpubkey_post(ldap, attrs.dn, attrs)
 
 class baseuser_show(LDAPRetrieve):
     """
     Prototype command plugin to be implemented by real plugin
     """
+    def post_common_callback(self, ldap, dn, entry_attrs, **options):
+        assert isinstance(dn, DN)
+        self.obj.convert_manager(entry_attrs, **options)
+        self.obj.get_password_attributes(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        radius_dn2pk(self.api, entry_attrs)