author | Rob Crittenden <rcritten@redhat.com> | 2011-01-31 13:10:37 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-02-01 11:59:24 -0500 |
commit | 4b7e5721d4520c7bd6db6aab8fc92b3a208da719 (patch) | |
tree | f1e19554e0e8381f52470428b52c012281bb9cc8 /ipalib/plugins/aci.py | |
parent | 613a3d0f5628a2e844c4f0e8629f0916e3a44794 (diff) | |
Fix changing membergroup in a delegation.
This is mostly due to inconsistent option name usage but also due
to the aci plugin not always treating memberof as a special kind
of filter.
ticket 869
Diffstat (limited to 'ipalib/plugins/aci.py')
-rw-r--r-- | ipalib/plugins/aci.py | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 4ddaf98a..903c600b 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -189,6 +189,17 @@ def _parse_aci_name(aciname): return (aciparts[0], aciparts[2]) +def _group_from_memberof(memberof): + """ + Pull the group name out of a memberOf filter + """ + st = memberof.find('memberOf=') + if st == -1: + # We have a raw group name, use that + return api.Object['group'].get_dn(memberof) + en = memberof.find(')', st) + return memberof[st+9:en] + def _make_aci(ldap, current, aciname, kw): """ Given a name and a set of keywords construct an ACI. @@ -209,6 +220,9 @@ def _make_aci(ldap, current, aciname, kw): if t1 + t2 + t3 + t4 + t5 + t6 == 0: raise errors.ValidationError(name='target', error=_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required')) + if t2 + t6 > 1: + raise errors.ValidationError(name='target', error=_('filter and memberof are mutually exclusive')) + group = 'group' in kw permission = 'permission' in kw selfaci = 'selfaci' in kw and kw['selfaci'] == True @@ -248,8 +262,8 @@ def _make_aci(ldap, current, aciname, kw): if 'attrs' in kw: a.set_target_attr(kw['attrs']) if 'memberof' in kw: - entry_attrs = api.Command['group_show'](kw['memberof'])['result'] - a.set_target_filter('memberOf=%s' % entry_attrs['dn']) + groupdn = _group_from_memberof(kw['memberof']) + a.set_target_filter('memberOf=%s' % groupdn) if 'filter' in kw: # Test the filter by performing a simple search on it. The # filter is considered valid if either it returns some entries @@ -298,7 +312,7 @@ def _aci_to_kw(ldap, a, test=False): kw['attrs'] = tuple(kw['attrs']) if 'targetfilter' in a.target: target = a.target['targetfilter']['expression'] - if target.startswith('memberOf'): + if target.startswith('(memberOf') or target.startswith('memberOf'): kw['memberof'] = unicode(target) else: kw['filter'] = unicode(target) 
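Review bot: In `_group_from_memberof`, `memberof.find(')', st)` returns -1 when the value has no closing parenthesis, and the slice `memberof[st+9:en]` then silently drops the last character of the DN. The `_aci_to_kw` hunk of this same commit still returns unparenthesized `memberOf...` expressions as `kw['memberof']`, so that input shape is reachable. Handle the missing delimiter explicitly, for example `if en == -1: en = len(memberof)`. The search for `'memberOf='` is also case-sensitive, so a filter spelled `memberof=` falls into the raw-group-name branch. Anything after the first `)` of a compound filter is discarded without an error, which changes which entries the resulting ACI targets; the docstring should state what input forms are accepted.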
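Review bot: Replacing the `group_show` call with `_group_from_memberof` in `_make_aci` drops the check that the group exists: when `kw['memberof']` is already a filter, the DN is sliced out of the string and written into the target filter unverified. An ACI whose memberOf target names a mistyped or nonexistent group would then be stored and simply never match, or match a group later created under that DN. Consider resolving the extracted DN before calling `a.set_target_filter`, or at least say in the helper's docstring that no lookup is performed. The `aci_find` hunk has the same issue; it keeps `except errors.NotFound` around the helper, but the filter branch cannot raise it and whether `get_dn` can is not visible here. `_make_aci` begins and ends outside this hunk.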
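Review bot: The test in `_aci_to_kw` matches on the bare prefix `memberOf`, so a target filter on any attribute whose name merely begins with those letters is reported as `memberof` instead of `filter`. Including the `=` and using the tuple form of `startswith` tightens the match and keeps it to one call: `if target.startswith(('(memberOf=', 'memberOf=')):`. `_aci_to_kw` starts and ends outside this hunk.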
@@ -707,10 +721,7 @@ class aci_find(crud.Search): if 'memberof' in kw: try: - result = self.api.Command['group_show']( - kw['memberof'] - )['result'] - dn = result['dn'] + dn = _group_from_memberof(kw['memberof']) except errors.NotFound: pass else: |