From e21dad4e1c37bc171a4bc6095a8c9bdd2cc53f5c Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Wed, 27 May 2015 16:30:48 +0200
Subject: idviews: Remove ID overrides for permanently removed users and groups
For IPA users and groups we are able to trigger a removal of any relevant ID overrides in user-del and group-del commands.
https://fedorahosted.org/freeipa/ticket/5026
Reviewed-By: Alexander Bokovoy
---
 ipalib/plugins/group.py | 5 +++++
 ipalib/plugins/idviews.py | 25 +++++++++++++++++++++++++
 ipalib/plugins/user.py | 15 ++++++++++-----
 3 files changed, 40 insertions(+), 5 deletions(-)
(limited to 'ipalib')
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 5d33ba217..edecebb06 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -22,6 +22,7 @@ from ipalib import api
 from ipalib import Int, Str
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import *
+from ipalib.plugins.idviews import remove_ipaobject_overrides
 from ipalib.plugins import baseldap
 from ipalib import _, ngettext
 if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -316,6 +317,10 @@ class group_del(LDAPDelete):
 reason=_(u'privileged group'))
 if 'mepmanagedby' in group_attrs:
 raise errors.ManagedGroupError()
+
+ # Remove any ID overrides tied with this group
+ remove_ipaobject_overrides(ldap, self.obj.api, dn)
+
 return dn
 def post_callback(self, ldap, dn, *keys, **options):
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 2c843462a..9f58c8327 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
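Review bot: The cleanup on the `remove_ipaobject_overrides(ldap, self.obj.api, dn)` line runs in the group_del callback that returns `dn` (presumably pre_callback), i.e. before the DEL of the group entry itself is issued, so if that DEL fails the group survives without its ID overrides and nothing re-creates them. The same ordering applies to the user_del hunk in user.py, where the call precedes `super(user_del, self).execute`. Running the cleanup from `post_callback` (visible below, still receiving `dn`) would tie it to a successful DEL, but the helper reads `ipaUniqueID` from the live entry, so the UUID would have to be captured beforehand; either way the trade-off deserves a comment on the call, e.g. `# Overrides are dropped before the group DEL; a failed DEL leaves the group without them`. The start of this callback lies outside the hunk.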
@@ -537,6 +537,31 @@ def resolve_anchor_to_object_name(ldap, obj_type, anchor):
 % dict(anchor=anchor))
+def remove_ipaobject_overrides(ldap, api, dn):
+ """
+ Removes all ID overrides for given object. This method is to be
+ consumed by -del commands of the given objects (users, groups).
+ """
+
+ entry = ldap.get_entry(dn, attrs_list=['ipaUniqueID'])
+ object_uuid = entry.single_value['ipaUniqueID']
+
+ override_filter = '(ipaanchoruuid=:IPA:{0}:{1})'.format(api.env.domain,
+ object_uuid)
+ try:
+ entries, truncated = ldap.find_entries(
+ override_filter,
+ base_dn=DN(api.env.container_views, api.env.basedn),
+ paged_search=True
+ )
+ except errors.EmptyResult:
+ pass
+ else:
+ # In case we found something, delete it
+ for entry in entries:
+ ldap.delete_entry(entry)
+
+
 # This is not registered on purpose, it's a base class for ID overrides
 class baseidoverride(LDAPObject):
 """
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index d2404e2ed..0b90519b2 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -31,6 +31,7 @@ from ipalib.plugins.baseuser import baseuser, baseuser_add, baseuser_del, \
 status_baseuser_output_params, baseuser_pwdchars, \
 validate_nsaccountlock, radius_dn2pk, convert_nsaccountlock, split_principal, validate_principal, \
 normalize_principal, fix_addressbook_permission_bindrule
+from ipalib.plugins.idviews import remove_ipaobject_overrides
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import *
 from ipalib.plugins import baseldap
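Review bot: The `truncated` flag on the `entries, truncated = ldap.find_entries(` line is never inspected, so when the search hits a size or time limit only the returned entries are deleted and the remaining overrides outlive the object silently; since this runs from a -del command, an incomplete result should fail loudly, e.g. `if truncated: raise errors.LimitsExceeded()` before the loop. The filter on the `override_filter` line is assembled by string formatting; `object_uuid` is server-assigned and `api.env.domain` comes from configuration, so this is not a realistic injection path, but `ldap.make_filter_from_attr('ipaanchoruuid', ...)` escapes the value and matches how the rest of the plugin builds filters. Rebinding `entry` in the `for` loop shadows the entry fetched a few lines above; a distinct name such as `override` would read better. The docstring should also say that the function deletes nothing and returns normally when no override exists, which is what the `except errors.EmptyResult: pass` branch implements.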
@@ -620,11 +621,15 @@ class user_del(baseuser_del):
 dn = self.obj.get_dn(*keys, **options)
- if (not options.get('preserve', True) or
- dn.endswith(DN(self.obj.delete_container_dn,
- self.api.env.basedn))):
- # We are going to permanent delete or the user is already in the delete container.
- # So we issue a true DEL on that entry
+ # We are going to permanent delete or the user is already in the delete container.
+ delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
+ user_from_delete_container = dn.endswith(delete_container)
+
+ if not options.get('preserve', True) or user_from_delete_container:
+ # Remove any ID overrides tied with this user
+ remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
+
+ # Issue a true DEL on that entry
 return super(user_del, self).execute(*keys, **options)
 # The user to delete is active and there is no 'no_preserve' option
-- 
cgit
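Review bot: The retained comment `# We are going to permanent delete or the user is already in the delete container.` now sits above two unconditional assignments instead of the `if` it explains, so it reads as describing `delete_container`; move it directly above the `if not options.get('preserve', True) or user_from_delete_container:` line, or reword it to `# Permanent delete: 'no_preserve' was given or the user already sits in the delete container`. A short note on the other path would also help, e.g. `# Preserved users keep their ID overrides; they are removed only on permanent deletion`, since that is the behaviour the new call implies but nowhere states. The enclosing execute method starts and ends outside the hunk.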