From 9cc0754b710500519c6f5fd41a0a0237a43e04b0 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 16 May 2011 17:39:23 -0400 Subject: Add option to limit the attributes allowed in an entry. Kerberos ticket policy can update policy in a user entry. This allowed set/addattr to be used to modify attributes outside of the ticket policy perview, also bypassing all validation/normalization. Likewise the ticket policy was updatable by the user plugin bypassing all validation. Add two new LDAPObject values to control this behavior: limit_object_classes: only attributes in these are allowed disallow_object_classes: attributes in these are disallowed By default both of these lists are empty so are skipped. ticket 744 --- ipalib/plugins/krbtpolicy.py | 1 + 1 file changed, 1 insertion(+) (limited to 'ipalib/plugins/krbtpolicy.py') diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py index c9d86ea6..4347f414 100644 --- a/ipalib/plugins/krbtpolicy.py +++ b/ipalib/plugins/krbtpolicy.py @@ -74,6 +74,7 @@ class krbtpolicy(LDAPObject): container_dn = 'cn=%s,cn=kerberos' % api.env.realm object_name = 'kerberos ticket policy settings' default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage'] + limit_object_classes = ['krbticketpolicyaux'] label=_('Kerberos Ticket Policy') -- cgit