From ba59d9d648d7ee9f3e5b03ede9aeccab97f13a13 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 25 Jun 2010 16:14:46 -0400 Subject: Add support for User-Private Groups This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the users uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4). --- ipaserver/plugins/ldap2.py | 37 ++++++++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 7 deletions(-) (limited to 'ipaserver/plugins/ldap2.py') diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index d1c083f20..987203caa 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -103,9 +103,12 @@ def _handle_errors(e, **kw): raise errors.DatabaseError(desc=desc, info=info) -def load_schema(url): +def global_init(url): """ - Retrieve the LDAP schema from the provided url. + Perform global initialization when the module is loaded. + + Retrieve the LDAP schema from the provided url and determine if + User-Private Groups (upg) are configured. Bind using kerberos credentials. If in the context of the in-tree "lite" server then use the current ccache. If in the context of @@ -113,10 +116,11 @@ def load_schema(url): principal. """ tmpdir = None + upg = False if not api.env.in_server or api.env.context not in ['lite', 'server']: # The schema is only needed on the server side - return + return (None, None) try: if api.env.context == 'server': @@ -139,9 +143,17 @@ def load_schema(url): 'cn=schema', _ldap.SCOPE_BASE, attrlist=['attributetypes', 'objectclasses'] )[0] + try: + upg_entry = conn.search_s( + 'cn=UPG Template, %s' % api.env.basedn, _ldap.SCOPE_BASE, + attrlist=['*'] + )[0] + upg = True + except _ldap.NO_SUCH_OBJECT, e: + upg = False conn.unbind_s() except _ldap.SERVER_DOWN: - return None + return (None, upg) except _ldap.LDAPError, e: # TODO: raise a more appropriate exception _handle_errors(e, **{}) @@ -154,13 +166,14 @@ def load_schema(url): if tmpdir: shutil.rmtree(tmpdir) - return _ldap.schema.SubSchema(schema_entry[1]) + return (_ldap.schema.SubSchema(schema_entry[1]), upg) -# cache schema when importing module +# cache schema and User-Private Groups when importing module try: - _schema = load_schema(api.env.ldap_uri) + (_schema, _upg) = global_init(api.env.ldap_uri) except AttributeError: _schema = None + _upg = None def get_syntax(attr, value): @@ -524,6 +537,16 @@ class ldap2(CrudBackend, Encoder): """Returns a copy of the current LDAP schema.""" return copy.deepcopy(self.schema) + def has_upg(self): + """Returns True/False whether User-Private Groups are enabled. + This is determined based on whether the UPG Template exists. + We determine this at module load so we don't have to test for + it every time. + """ + global _upg + + return _upg + @encode_args(1, 2) def get_effective_rights(self, dn, entry_attrs): """Returns the rights the currently bound user has for the given DN. -- cgit