From 70d1870e99ccad9ca41c3f40d380f1348b895bb6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 20 Jun 2012 16:08:33 +0300
Subject: Add support for external group members

When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
---
 ipalib/plugins/baseldap.py | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

(limited to 'ipalib/plugins/baseldap.py')

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 475222a6a..b841435fd 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -362,23 +362,29 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl
     externalattr is one of externaluser,
     """
     completed_external = 0
+    normalize = options.get('external_callback_normalize', True)
     # Sift through the failures. We assume that these are all
     # entries that aren't stored in IPA, aka external entries.
     if memberattr in failed and membertype in failed[memberattr]:
         (dn, entry_attrs_) = ldap.get_entry(dn, [externalattr])
         members = entry_attrs.get(memberattr, [])
         external_entries = entry_attrs_.get(externalattr, [])
+        lc_external_entries = set(e.lower() for e in external_entries)
         failed_entries = []
         for entry in failed[memberattr][membertype]:
             membername = entry[0].lower()
             member_dn = api.Object[membertype].get_dn(membername)
-            if membername not in external_entries and \
-              member_dn not in members:
+            if (membername not in lc_external_entries and
+                member_dn not in members):
                 # Not an IPA entry, assume external
-                external_entries.append(membername)
+                if normalize:
+                    external_entries.append(membername)
+                else:
+                    external_entries.append(entry[0])
+                lc_external_entries.add(membername)
                 completed_external += 1
-            elif membername in external_entries and \
-              member_dn not in members:
+            elif (membername in lc_external_entries and
+               member_dn not in members):
                 # Already an external member, reset the error message
                 msg = unicode(errors.AlreadyGroupMember().message)
                 newerror = (entry[0], msg)
@@ -409,8 +415,11 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co
         completed_external = 0
         for entry in failed[memberattr][membertype]:
             membername = entry[0].lower()
-            if membername in external_entries:
-                external_entries.remove(membername)
+            if membername in external_entries or entry[0] in external_entries:
+                try:
+                    external_entries.remove(membername)
+                except ValueError:
+                    external_entries.remove(entry[0])
                 completed_external += 1
             else:
                 failed_entries.append(membername)
-- 
cgit