From 55da8328674877801bcb17bbe8c9e9bec3fb9022 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 25 Jun 2013 13:08:18 +0000
Subject: Use LDAP search instead of *group_show to check for a group objectclass.
https://fedorahosted.org/freeipa/ticket/3706
---
 ipalib/plugins/host.py | 36 +++++++++++++++++++-----------------
 ipalib/plugins/hostgroup.py | 39 ++++++++++++++++++++-------------------
 ipalib/plugins/pwpolicy.py | 3 ++-
 3 files changed, 41 insertions(+), 37 deletions(-)
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index e61525917..6be069425 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -364,22 +364,24 @@ class host(LDAPObject):
 return managed_hosts
- def suppress_netgroup_memberof(self, entry_attrs):
+ def suppress_netgroup_memberof(self, ldap, entry_attrs):
 """
 We don't want to show managed netgroups so remove them from the memberofindirect list.
 """
 ng_container = DN(api.env.container_netgroup, api.env.basedn)
- if 'memberofindirect' in entry_attrs:
- for member in list(entry_attrs['memberofindirect']):
- memberdn = DN(member)
- if memberdn.endswith(ng_container):
- try:
- netgroup = api.Command['netgroup_show'](memberdn['cn'], all=True)['result']
- if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'):
- entry_attrs['memberofindirect'].remove(member)
- except errors.NotFound:
- pass
+ for member in list(entry_attrs.get('memberofindirect', [])):
+ memberdn = DN(member)
+ if not memberdn.endswith(ng_container):
+ continue
+
+ filter = ldap.make_filter({'objectclass': 'mepmanagedentry'})
+ try:
+ ldap.get_entries(memberdn, ldap.SCOPE_BASE, filter, [''])
+ except errors.NotFound:
+ pass
+ else:
+ entry_attrs['memberofindirect'].remove(member)
 api.register(host)
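Review bot: The new loop body rebinds the builtin name `filter` and rebuilds the same loop-invariant search filter for every memberofindirect DN; hoist it above the `for` under a non-shadowing name, `managed_filter = ldap.make_filter({'objectclass': 'mepmanagedentry'})`, and call `ldap.get_entries(memberdn, ldap.SCOPE_BASE, managed_filter, [''])`. The same applies to the hostgroup.py hunk at @@ -92. The docstring should also document the added `ldap` parameter and what the base-scope search is for, e.g. `A base-scope search on each netgroup DN, filtered on objectclass=mepManagedEntry, decides whether the netgroup is a managed one; NotFound means it is not (or the caller cannot read it) and the DN stays in the list.` Only `errors.NotFound` is caught, so any other error raised by the search propagates and fails the whole command, and because the lookup runs on the `ldap` connection handed in by the caller the suppression presumably depends on the caller's read access to the netgroup entry — worth confirming that both match what `netgroup_show` did before.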
@@ -753,7 +755,7 @@ class host_mod(LDAPUpdate):
 if options.get('all', False):
 entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
- self.obj.suppress_netgroup_memberof(entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 convert_sshpubkey_post(ldap, dn, entry_attrs)
@@ -832,7 +834,7 @@ class host_find(LDAPSearch):
 set_certificate_attrs(entry_attrs)
 set_kerberos_attrs(entry_attrs, options)
 self.obj.get_password_attributes(ldap, dn, entry_attrs)
- self.obj.suppress_netgroup_memberof(entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 if entry_attrs['has_password']:
 # If an OTP is set there is no keytab, at least not one
 # fetched anywhere.
@@ -874,7 +876,7 @@ class host_show(LDAPRetrieve):
 if options.get('all', False):
 entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
- self.obj.suppress_netgroup_memberof(entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 convert_sshpubkey_post(ldap, dn, entry_attrs)
@@ -987,7 +989,7 @@ class host_disable(LDAPQuery):
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
- self.obj.suppress_netgroup_memberof(entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 return dn
 api.register(host_disable)
@@ -1001,7 +1003,7 @@ class host_add_managedby(LDAPAddMember):
 def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
- self.obj.suppress_netgroup_memberof(entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 return (completed, dn)
 api.register(host_add_managedby)
@@ -1015,7 +1017,7 @@ class host_remove_managedby(LDAPRemoveMember):
 def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
- self.obj.suppress_netgroup_memberof(entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 return (completed, dn)
 api.register(host_remove_managedby)
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index bc10994d4..8a4957309 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -92,23 +92,24 @@ class hostgroup(LDAPObject):
 ),
 )
- def suppress_netgroup_memberof(self, dn, entry_attrs):
+ def suppress_netgroup_memberof(self, ldap, dn, entry_attrs):
 """
 We don't want to show managed netgroups so remove them from the memberOf list.
 """
- if 'memberof' in entry_attrs:
- hgdn = DN(dn)
- for member in list(entry_attrs['memberof']):
- ngdn = DN(member)
- if ngdn['cn'] == hgdn['cn']:
- try:
- netgroup = api.Command['netgroup_show'](ngdn['cn'], all=True)['result']
- if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'):
- entry_attrs['memberof'].remove(member)
- return
- except errors.NotFound:
- pass
+ hgdn = DN(dn)
+ for member in list(entry_attrs.get('memberof', [])):
+ ngdn = DN(member)
+ if ngdn['cn'] != hgdn['cn']:
+ continue
+
+ filter = ldap.make_filter({'objectclass': 'mepmanagedentry'})
+ try:
+ ldap.get_entries(ngdn, ldap.SCOPE_BASE, filter, [''])
+ except errors.NotFound:
+ pass
+ else:
+ entry_attrs['memberof'].remove(member)
 api.register(hostgroup)
@@ -146,7 +147,7 @@ class hostgroup_add(LDAPCreate):
 # be sure to ignore it in memberOf
 newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry')
 entry_from_entry(entry_attrs, newentry)
- self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
 return dn
@@ -169,7 +170,7 @@ class hostgroup_mod(LDAPUpdate):
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
- self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
 return dn
 api.register(hostgroup_mod)
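Review bot: The rewritten loop no longer stops after the first removal: the old code executed `return` right after `entry_attrs['memberof'].remove(member)`, whereas the new one keeps iterating and issues a base-scope search for every memberof DN whose cn equals the hostgroup's cn. That is probably the intended fix for a stale early exit, but it is a behaviour change the commit message does not mention, so the docstring should state it, e.g. `Every memberOf DN whose cn matches this hostgroup's cn is checked for the mepManagedEntry objectclass and removed if it carries it.` The guard `if ngdn['cn'] != hgdn['cn']` appears to compare the two values as plain Python strings; if DN values are case-sensitive here, a netgroup whose cn differs from the hostgroup's only in case is kept — pre-existing, but worth a comment such as `# NOTE: cn comparison is case-sensitive here; confirm this matches managed-entry naming`.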
@@ -188,7 +189,7 @@ class hostgroup_find(LDAPSearch):
 return truncated
 for entry in entries:
 (dn, entry_attrs) = entry
- self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
 return truncated
 api.register(hostgroup_find)
@@ -199,7 +200,7 @@ class hostgroup_show(LDAPRetrieve):
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
- self.obj.suppress_netgroup_memberof( dn, entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
 return dn
 api.register(hostgroup_show)
@@ -210,7 +211,7 @@ class hostgroup_add_member(LDAPAddMember):
 def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
- self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
 return (completed, dn)
 api.register(hostgroup_add_member)
@@ -221,7 +222,7 @@ class hostgroup_remove_member(LDAPRemoveMember):
 def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
- self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+ self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
 return (completed, dn)
 api.register(hostgroup_remove_member)
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index c92b268b5..9bbecf7cb 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -121,7 +121,8 @@ class cosentry_add(LDAPCreate):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 assert isinstance(dn, DN)
 # check for existence of the group
- result = self.api.Command.group_show(keys[-1], all=True)['result']
+ group_dn = self.api.Object.group.get_dn(keys[-1])
+ result = ldap.get_entry(group_dn, ['objectclass'])
 oc = map(lambda x:x.lower(),result['objectclass'])
 if 'mepmanagedentry' in oc:
 raise errors.ManagedPolicyError()
-- cgit
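Review bot: With `group_show` gone, a non-existent group now surfaces as whatever `errors.NotFound` `ldap.get_entry(group_dn, ['objectclass'])` raises, so the user-visible message presumably changes from the group-specific "not found" text to a generic entry-not-found one; if callers or tests depend on the old wording, catch `errors.NotFound` around `get_entry` and re-raise it through the group object's own not-found handling so the message still names the group. The `# check for existence of the group` comment above should also say what the new lookup does, e.g. `# check for existence of the group by reading its objectclass directly from LDAP (on the caller's connection, so it is presumably subject to the same read ACIs as group-show was)`. pre_callback continues past the end of the hunk.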