From dff2ff830073c638582c3708cec422c47994f36a Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 14 Oct 2010 13:05:43 -0400 Subject: Disallow RDN change and single-value bypass using setattr/addattr. When setting or adding an attribute wiht setatt/addattr check to see if there is a Param for the attribute and enforce the multi-value. If there is no Param check the LDAP schema for SINGLE-VALUE. Catch RDN mods and try to return a more reasonable error message. Ticket #230 Ticket #246 --- ipalib/plugins/baseldap.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'ipalib/plugins/baseldap.py') diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 2335a7a2..caa616a7 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -157,6 +157,14 @@ _attr_options = ( ), ) +# addattr can cause parameters to have more than one value even if not defined +# as multivalue, make sure this isn't the case +def _check_single_value_attrs(params, entry_attrs): + for (a, v) in entry_attrs.iteritems(): + if isinstance(v, (list, tuple)) and len(v) > 1: + if a in params and not params[a].multivalue: + raise errors.OnlyOneValueAllowed(attr=a) + class CallbackInterface(Method): """ @@ -277,6 +285,8 @@ class LDAPCreate(CallbackInterface, crud.Create): self, ldap, dn, entry_attrs, attrs_list, *keys, **options ) + _check_single_value_attrs(self.params, entry_attrs) + try: ldap.add_entry(dn, entry_attrs, normalize=self.obj.normalize_dn) except errors.ExecutionError, e: @@ -464,7 +474,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): except errors.ExecutionError, e: try: (dn, old_entry) = self._call_exc_callbacks( - keys, options, e, ldap.get_entry, dn, attrs_list, + keys, options, e, ldap.get_entry, dn, [], normalize=self.obj.normalize_dn ) except errors.NotFound: 
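Review bot: `_check_single_value_attrs` only rejects attributes that have a Param, so an attribute written through setattr/addattr with no matching Param passes this function unchecked. The schema SINGLE-VALUE lookup that the commit message describes is not in this hunk, and if it lives elsewhere the comment should say where. The `a in params` test is also an exact-name match, while LDAP attribute names are case-insensitive, so the check relies on the keys of `entry_attrs` already being normalised to the Param names (presumably done by the caller; not visible here). I would turn the leading comment into a docstring that states both assumptions, e.g. `"""Raise OnlyOneValueAllowed if a non-multivalue Param has more than one value; attributes without a Param are not checked here."""`.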
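Review bot: The switch from `attrs_list` to `[]` in the `get_entry` call routed through `_call_exc_callbacks` (hunk at -464) is not explained by the commit message or by a comment. What an empty attribute list requests depends on the `ldap` backend, which is not visible here. If the intent is to fetch the whole entry, say so on the line, e.g. `# [] requests every attribute, not just attrs_list`. Otherwise this error-recovery path may return a different set of attributes than the primary `get_entry` call above it. The enclosing `try` starts outside the hunk, so the primary call cannot be compared from here.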
@@ -491,6 +501,8 @@ class LDAPUpdate(LDAPQuery, crud.Update): self, ldap, dn, entry_attrs, attrs_list, *keys, **options ) + _check_single_value_attrs(self.params, entry_attrs) + try: ldap.update_entry(dn, entry_attrs, normalize=self.obj.normalize_dn) except errors.ExecutionError, e: -- cgit
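Review bot: In `LDAPUpdate` the call `_check_single_value_attrs(self.params, entry_attrs)` counts only the values present in `entry_attrs`. It therefore closes the single-value bypass only if addattr values have already been merged with the values stored in the directory by this point, and that merge is not visible in the hunk. If `entry_attrs` can still hold just the newly added value here, an attribute that already has one stored value would pass the `len(v) > 1` test. I would add a comment at the call such as `# entry_attrs must already contain existing + added values`, plus a regression test for addattr on a single-valued attribute that already has a value. The enclosing method starts and ends outside the hunk.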