From 8376979aa77877fd2cb4278eb6241198d7ebeda1 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 19 Jan 2010 17:02:13 -0500 Subject: Allow cospriority to be updated and fix description of priority ordering Need to add a few more places where the DN will not be automatically normalized. The krb5 server expects a very specific format and normalizing causes it to not work. --- ipalib/plugins/pwpolicy.py | 34 +++++++++++++++++++++++++++------- ipaserver/plugins/ldap2.py | 22 +++++++++++++--------- 2 files changed, 40 insertions(+), 16 deletions(-) diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py index faf036418..44c28e785 100644 --- a/ipalib/plugins/pwpolicy.py +++ b/ipalib/plugins/pwpolicy.py @@ -26,6 +26,7 @@ from ipalib import api, crud, errors from ipalib import Command, Object from ipalib import Int, Str from ipalib import output +from ipalib import _, ngettext from ldap.functions import explode_dn _fields = { @@ -55,6 +56,15 @@ def _convert_time_on_input(entry_attrs): if 'krbminpwdlife' in entry_attrs: entry_attrs['krbminpwdlife'] = entry_attrs['krbminpwdlife'] * 3600 +def find_group_dn(group): + """ + Given a group name find the DN of that group + """ + try: + entry = api.Command['group_show'](group)['result'] + except errors.NotFound: + raise errors.NotFound(reason="group '%s' does not exist" % group) + return entry['dn'] def make_cos_entry(group, cospriority=None): """ @@ -65,11 +75,7 @@ def make_cos_entry(group, cospriority=None): cos_entry = entry representing this new object """ - try: - entry = api.Command['group_show'](group)['result'] - except errors.NotFound: - raise errors.NotFound(reason="group '%s' does not exist" % group) - groupdn = entry['dn'] + groupdn = find_group_dn(group) cos_entry = {} if cospriority: 
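Review bot: The docstring of the new `find_group_dn` says only what it looks up; it should also state that it raises `errors.NotFound` when `group_show` fails, and that it returns `entry['dn']` exactly as `group_show` reported it. That second fact matters because the later hunks in this file embed the returned value into another DN without normalization. The `reason="group '%s' does not exist" % group` message is also left untranslated, although this commit imports `_` and uses it for the new `ValidationError` text in pwpolicy_mod; `reason=_("group '%s' does not exist") % group` would be consistent.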
@@ -157,7 +163,7 @@ class pwpolicy_add(crud.Create): Int('cospriority', cli_name='priority', label='Priority', - doc='Priority of the policy. Higher number equals higher priority', + doc='Priority of the policy. Higher number equals lower priority', minvalue=0, attribute=True, ), @@ -206,7 +212,7 @@ class pwpolicy_mod(crud.Update): ), Int('cospriority?', cli_name='priority', - doc='Priority of the policy. Higher number equals higher priority', + doc='Priority of the policy. Higher number equals lower priority', minvalue=0, attribute=True, ), @@ -221,9 +227,17 @@ class pwpolicy_mod(crud.Update): ldap = self.api.Backend.ldap2 if not 'group' in options: + if 'cospriority' in options: + raise errors.ValidationError(name='priority', error=_('priority cannot be set on global policy')) dn = self.api.env.container_accounts entry_attrs = self.args_options_2_entry(*args, **options) else: + if 'cospriority' in options: + groupdn = find_group_dn(options['group']) + cos_dn = 'cn="%s", cn=cosTemplates, cn=accounts, %s' % (groupdn, api.env.basedn) + self.log.debug('%s' % cos_dn) + ldap.update_entry(cos_dn, dict(cospriority = options['cospriority']), normalize=False) + del options['cospriority'] entry_attrs = self.args_options_2_entry(*args, **options) (dn, entry_attrs) = make_policy_entry(options['group'], entry_attrs) _convert_time_on_input(entry_attrs) @@ -319,6 +333,12 @@ class pwpolicy_show(Command): (dn, policy_entry) = make_policy_entry(options['group'], policy_entry) (dn, entry_attrs) = ldap.get_entry(dn) + if 'group' in options: + groupdn = find_group_dn(options['group']) + cos_dn = 'cn="%s", cn=cosTemplates, cn=accounts, %s' % (groupdn, api.env.basedn) + (dn, cos_attrs) = ldap.get_entry(cos_dn, normalize=False) + entry_attrs['priority'] = cos_attrs['cospriority'] + if 'user' in options: if group: entry_attrs['group'] = group diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 56e6b54fc..89cfc3f40 100644 --- a/ipaserver/plugins/ldap2.py 
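Review bot: The template DN in the `else` branch of pwpolicy_mod is assembled with `'cn="%s", cn=cosTemplates, cn=accounts, %s' % (groupdn, api.env.basedn)` and then written with `normalize=False`, so nothing validates the resulting string; a `"` or `\` inside the group's DN would change the quoted RDN value. Whether group names can contain those characters is not visible here. The same format string is repeated in the pwpolicy_show hunk, so one helper next to `find_group_dn` (for example a `cos_template_dn(group)` function) that builds the DN and rejects or escapes those characters would keep both call sites in step. Separately, the `update_entry` hunk in ipaserver/plugins/ldap2.py raises `errors.EmptyModlist()` when nothing changes, so re-submitting the current priority together with other attributes would abort here before the policy entry is updated; catching `errors.EmptyModlist` around this one call would avoid that. The enclosing method starts and ends outside the hunk.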
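Review bot: The added `(dn, cos_attrs) = ldap.get_entry(cos_dn, normalize=False)` in pwpolicy_show rebinds `dn`, which the line just above set to the policy entry's DN via `ldap.get_entry(dn)`. If the rest of the method (outside this hunk) returns or reuses `dn`, group policies will now carry the cosTemplates DN; unpacking into the existing name instead, `(cos_dn, cos_attrs) = ldap.get_entry(cos_dn, normalize=False)`, avoids that. The next line also indexes `cos_attrs['cospriority']` directly, so a template entry without that attribute surfaces as a bare `KeyError`; `cos_attrs.get('cospriority')` with an explicit check would make the failure deliberate.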
+++ b/ipaserver/plugins/ldap2.py @@ -421,7 +421,8 @@ class ldap2(CrudBackend, Encoder): @encode_args(1, 2, 3) @decode_retval() def find_entries(self, filter, attrs_list=None, base_dn='', - scope=_ldap.SCOPE_SUBTREE, time_limit=1, size_limit=3000): + scope=_ldap.SCOPE_SUBTREE, time_limit=1, size_limit=3000, + normalize=True): """ Return a list of entries [(dn, entry_attrs)] matching specified search parameters followed by truncated flag. If the truncated flag is @@ -433,8 +434,10 @@ class ldap2(CrudBackend, Encoder): scope -- search scope, see LDAP docs (default ldap2.SCOPE_SUBTREE) time_limit -- time limit in seconds (default 1) size_limit -- size (number of entries returned) limit (default 3000) + normalize -- normalize the DN (default True) """ - base_dn = self.normalize_dn(base_dn) + if normalize: + base_dn = self.normalize_dn(base_dn) if not filter: filter = '(objectClass=*)' res = [] @@ -475,14 +478,14 @@ class ldap2(CrudBackend, Encoder): filter = self.make_filter(search_kw, rules=self.MATCH_ALL) return self.find_entries(filter, attrs_list, base_dn)[0][0] - def get_entry(self, dn, attrs_list=None): + def get_entry(self, dn, attrs_list=None, normalize=True): """ Get entry (dn, entry_attrs) by dn. Keyword arguments: attrs_list - list of attributes to return, all if None (default None) """ - return self.find_entries(None, attrs_list, dn, self.SCOPE_BASE)[0][0] + return self.find_entries(None, attrs_list, dn, self.SCOPE_BASE, normalize=normalize)[0][0] def get_ipa_config(self): """Returns the IPA configuration entry (dn, entry_attrs).""" 
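Review bot: The `get_entry` docstring still lists only `attrs_list` although the signature now takes `normalize`, and the same gap exists in `update_entry` in the last hunk of this file. With `normalize=False` the `self.normalize_dn()` call is skipped and the caller's string is used as the search base or update target unchanged, so the docstrings should say when that is appropriate, e.g. `normalize - run dn through normalize_dn() (default True); pass False only for DNs already built in the exact form the server expects`.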
@@ -572,9 +575,9 @@ class ldap2(CrudBackend, Encoder): except _ldap.LDAPError, e: _handle_errors(e, **{}) - def _generate_modlist(self, dn, entry_attrs): + def _generate_modlist(self, dn, entry_attrs, normalize): # get original entry - (dn, entry_attrs_old) = self.get_entry(dn, entry_attrs.keys()) + (dn, entry_attrs_old) = self.get_entry(dn, entry_attrs.keys(), normalize) # get_entry returns a decoded entry, encode it back # we could call search_s directly, but this saves a lot of code at # the expense of a little bit of performace @@ -618,16 +621,17 @@ class ldap2(CrudBackend, Encoder): return modlist @encode_args(1, 2) - def update_entry(self, dn, entry_attrs): + def update_entry(self, dn, entry_attrs, normalize=True): """ Update entry's attributes. An attribute value set to None deletes all current values. """ - dn = self.normalize_dn(dn) + if normalize: + dn = self.normalize_dn(dn) # generate modlist - modlist = self._generate_modlist(dn, entry_attrs) + modlist = self._generate_modlist(dn, entry_attrs, normalize) if not modlist: raise errors.EmptyModlist() -- cgit