author | Rob Crittenden <rcritten@redhat.com> | 2011-12-06 18:15:41 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-01-04 20:27:26 -0500 |
commit | 64ee2464e8f21d070358d82f40b4ec13a9546c6b (patch) | |
tree | 758cdd2ed18481bd9fd73165fbb4caf0c8fd4f1c /ipalib | |
parent | de0444defea0868bc2b3ec1ee8624a514c67a04e (diff) | |
Display the value of memberOf ACIs in permission plugin.
There were two problems:
1. memberof wasn't in the list of things we looked for in the return value
from aci_show()
2. The value wasn't being translated into a group name.
Use the DN class to retrieve the group name from the memberof URI.
Note that I changed the parsing for targetgroup as well. We now avoid a lookup,
and with it a potential NotFound error if an aci points to a group that no
longer exists.
https://fedorahosted.org/freeipa/ticket/2100
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/aci.py | 11 | ||||
-rw-r--r-- | ipalib/plugins/permission.py | 4 |
2 files changed, 9 insertions, 6 deletions
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 7ace05eb..4b85bc93 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -122,6 +122,7 @@ from ipalib import api, crud, errors
 from ipalib import Object, Command
 from ipalib import Flag, Int, Str, StrEnum
 from ipalib.aci import ACI
+from ipalib.dn import DN
 from ipalib import output
 from ipalib import _, ngettext
 if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -312,8 +313,10 @@ def _aci_to_kw(ldap, a, test=False):
 kw['attrs'] = tuple(kw['attrs'])
 if 'targetfilter' in a.target:
 target = a.target['targetfilter']['expression']
- if target.startswith('(memberOf') or target.startswith('memberOf'):
- kw['memberof'] = unicode(target)
+ if target.startswith('(memberOf=') or target.startswith('memberOf='):
+ (junk, memberof) = target.split('memberOf=', 1)
+ memberof = DN(memberof)
+ kw['memberof'] = memberof['cn']
 else:
 kw['filter'] = unicode(target)
 if 'target' in a.target:
@@ -332,8 +335,8 @@ def _aci_to_kw(ldap, a, test=False):
 # targetgroup attr, otherwise we consider it a subtree
 if api.env.container_group in target:
 targetdn = unicode(target.replace('ldap:///',''))
- (dn, entry_attrs) = ldap.get_entry(targetdn, ['cn'])
- kw['targetgroup'] = entry_attrs['cn'][0]
+ target = DN(targetdn)
+ kw['targetgroup'] = target['cn']
 else:
 kw['subtree'] = unicode(target)
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index c48979f9..e4d11f0d 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -98,7 +98,7 @@ class permission(LDAPObject):
 'memberindirect', 'ipapermissiontype',
 ]
 aci_attributes = ['group', 'permissions', 'attrs', 'type',
- 'filter', 'subtree', 'targetgroup',
+ 'filter', 'subtree', 'targetgroup', 'memberof',
 ]
 attribute_members = {
 'member': ['privilege'],
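Review bot: When the expression starts with `(memberOf=`, the text passed to `DN()` still carries the filter's closing parenthesis, and nothing in this branch handles a value that does not parse as a DN or has no `cn` component, so a single hand-written ACI could presumably make the whole display call fail. I would strip the wrapper first, `memberof = target.split('memberOf=', 1)[1].rstrip(')')`, and fall back to `kw['filter'] = unicode(target)` when no `cn` can be read; the same missing-`cn` case applies to the `targetgroup` lookup in the next hunk. The prefix test is also case-sensitive while LDAP attribute names are not, so `(memberof=...)` still lands in `filter`; a short comment saying that is intended would help. `_aci_to_kw` begins and ends outside this hunk.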
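Review bot: `target = DN(targetdn)` rebinds `target`, which held the target string used by the `in` test two lines above, to a DN object; a separate name keeps the two apart: `groupdn = DN(targetdn)` and `kw['targetgroup'] = groupdn['cn']`. Since the directory lookup is gone, the name shown is whatever the DN text says, for any target that merely contains `api.env.container_group` as a substring, and a deleted group is displayed like a live one. That trade-off is described in the commit message but not in the code; I would add `# name is taken from the DN text; the group is not looked up and may no longer exist` above the assignment. The enclosing `_aci_to_kw` continues outside the hunk.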
@@ -338,7 +338,7 @@ class permission_mod(LDAPUpdate):
 result = self.api.Command.permission_show(cn, **options)['result']
 for r in result:
- if not r.startswith('member'):
+ if not r.startswith('member_'):
 entry_attrs[r] = result[r]
 return dn |
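Review bot: Narrowing the skip test to `member_` lets `memberof` through, but it also admits every other key that starts with `member` without the underscore, which may include `memberindirect…` style keys from `permission_show` (not visible here, so this is an inference). If only the ACI-derived value is wanted, say so explicitly: `if r == 'memberof' or not r.startswith('member'):`. A one-line comment such as `# skip member_* relationship keys, keep the ACI memberof value` would also record why the prefix differs. The method body starts and ends outside the hunk.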