From 9cc0754b710500519c6f5fd41a0a0237a43e04b0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 16 May 2011 17:39:23 -0400
Subject: Add option to limit the attributes allowed in an entry.

Kerberos ticket policy can update policy in a user entry. This allowed set/addattr to be used to modify attributes outside of the ticket policy perview, also bypassing all validation/normalization. Likewise the ticket policy was updatable by the user plugin bypassing all validation. Add two new LDAPObject values to control this behavior: limit_object_classes: only attributes in these are allowed disallow_object_classes: attributes in these are disallowed By default both of these lists are empty so are skipped. ticket 744
---
 ipalib/plugins/user.py | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'ipalib/plugins/user.py')

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index fa47cae8..c4d875a2 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -62,6 +62,7 @@ from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
 from ipalib.request import context
 from time import gmtime, strftime
+import copy
 NO_UPG_MAGIC = '__no_upg__'
@@ -84,6 +85,7 @@ class user(LDAPObject):
 object_class = ['posixaccount']
 object_class_config = 'ipauserobjectclasses'
 possible_objectclasses = ['meporiginentry']
+ disallow_object_classes = ['krbticketpolicyaux']
 search_attributes_config = 'ipausersearchfields'
 default_attributes = [
 'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou',
-- 
cgit
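Review bot: `import copy` is added to the import block of user.py, but nothing in this file uses it: the diffstat reports only two insertions for user.py and both are visible here, and the second one is a plain list literal. The import is dead in this module and should be dropped; if a copy is needed by the new limit/disallow handling, that code presumably lives in baseldap.py (not in this diff) and the import belongs there. The import block continues outside the hunk, so a pre-existing `import copy` further down cannot be ruled out from here, in which case this line is a duplicate rather than dead.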
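Review bot: `disallow_object_classes = ['krbticketpolicyaux']` carries no comment, and the code that enforces it lives in LDAPObject (baseldap) outside this diff, so a reader of user.py alone cannot tell that this single line is what stops `--setattr`/`--addattr` on a user from reaching ticket-policy attributes with the ticket-policy plugin's validation bypassed. Suggest a why-comment on the line, e.g. `# krbticketpolicyaux attrs are owned by the ticket-policy plugin; refuse them here so setattr/addattr cannot bypass its validation (ticket 744)`. Because the only thing standing between a user modify and those attributes is this list plus the enforcement in baseldap, a test asserting that a user-mod setattr of a krbticketpolicyaux attribute is rejected would pin the behaviour; none is included in this commit. The class body continues outside the hunk.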