authorMartin Kosek <mkosek@redhat.com>2011-10-11 10:26:21 +0200
committerMartin Kosek <mkosek@redhat.com>2011-10-11 14:49:46 +0200
commit38817664c6688dd713d9ad07a4d8dec2925192d1 (patch)
treee3d005ef739b2d444ba82a92ab701a4ddee285e8 /ipaserver
parent91893736d026764c75942915ad606ff59981aa7a (diff)
Improve default user/group object class validation
When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/plugins/ldap2.py5
1 files changed, 4 insertions, 1 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index fddfe0f5..382cc576 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -43,6 +43,7 @@ from ldap.controls import LDAPControl
# for backward compatibility
from ldap.functions import explode_dn
from ipalib.dn import DN
+from ipalib import _
import krbV
@@ -268,7 +269,7 @@ class ldap2(CrudBackend, Encoder):
else:
return None
- def get_allowed_attributes(self, objectclasses):
+ def get_allowed_attributes(self, objectclasses, raise_on_unknown=False):
if not self.schema:
self.get_schema()
allowed_attributes = []
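Review bot: The new `raise_on_unknown` parameter on `get_allowed_attributes` is undocumented and defaults to False, so every existing caller keeps silently skipping object classes that the schema does not know; only callers that opt in get the validation the commit message describes. A docstring would make that contract explicit, for example `"""Return the lowercased names of attributes allowed by objectclasses; if raise_on_unknown is True, raise NotFound for an objectclass missing from the schema instead of skipping it."""`. The caller expected to pass `raise_on_unknown=True` is not in this diff, which is limited to ipaserver, so it is worth confirming that the config-mod path actually does so. The method body continues past the end of this hunk.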
@@ -276,6 +277,8 @@ class ldap2(CrudBackend, Encoder):
obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc)
if obj is not None:
allowed_attributes += obj.must + obj.may
+ elif raise_on_unknown:
+ raise errors.NotFound(reason=_('objectclass %s not found') % oc)
return [unicode(a).lower() for a in list(set(allowed_attributes))]
def get_single_value(self, attr):
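Review bot: The message in the added `raise errors.NotFound(...)` uses a positional `%s`, which gives translators no hint about what is substituted; a named placeholder reads better, `raise errors.NotFound(reason=_('objectclass %(oc)s not found') % dict(oc=oc))`. The raise fires on the first unknown class, so an administrator who supplied several bad names will see them one at a time; that is probably acceptable but deserves a short comment. `errors` is used here while the import hunk adds only `_`, so it is presumably already imported at the top of the file, outside the visible lines. The loop header is also outside this hunk.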