From 88e693a1a5b95e9da94b927a0b827b3a0e39b7b7 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Tue, 11 Oct 2011 10:26:21 +0200
Subject: Improve default user/group object class validation
When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following:
- all object classes are known to LDAP
- all default user/group attributes are allowed under the new set of default object classes
https://fedorahosted.org/freeipa/ticket/1893
---
 ipaserver/plugins/ldap2.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'ipaserver')
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index fddfe0f5a..382cc5760 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -43,6 +43,7 @@ from ldap.controls import LDAPControl
 # for backward compatibility
 from ldap.functions import explode_dn
 from ipalib.dn import DN
+from ipalib import _
 import krbV
 
 
@@ -268,7 +269,7 @@ class ldap2(CrudBackend, Encoder):
         else:
             return None
 
-    def get_allowed_attributes(self, objectclasses):
+    def get_allowed_attributes(self, objectclasses, raise_on_unknown=False):
         if not self.schema:
             self.get_schema()
         allowed_attributes = []
@@ -276,6 +277,8 @@ class ldap2(CrudBackend, Encoder):
             obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc)
             if obj is not None:
                 allowed_attributes += obj.must + obj.may
+            elif raise_on_unknown:
+                raise errors.NotFound(reason=_('objectclass %s not found') % oc)
         return [unicode(a).lower() for a in list(set(allowed_attributes))]
 
     def get_single_value(self, attr):
-- cgit
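Review bot: The `elif raise_on_unknown:` branch in the third hunk raises on the first unknown object class it meets, so a config-mod call that supplies several unknown values is told about only one of them per attempt; appending `oc` to an `unknown` list inside the loop and raising once after it with `raise errors.NotFound(reason=_('objectclass %s not found') % ', '.join(unknown))` would report the whole set in one round-trip. The loop header that binds `oc` lies between the second and third hunks and is not visible, and `get_allowed_attributes` itself begins in the second hunk. The new keyword parameter is undocumented; a docstring under the signature in the second hunk along the lines of `"""Return lower-cased MUST+MAY attribute names for objectclasses; with raise_on_unknown=True an object class absent from the server schema raises errors.NotFound instead of being silently skipped."""` would make the validating and non-validating modes explicit to callers. Only `_` was added to the import block, so `errors` is presumably already imported in this module; worth confirming, since otherwise an unknown class would surface as a NameError rather than the intended NotFound.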