authorTomas Babej <tbabej@redhat.com>2015-10-12 13:15:20 +0200
committerTomas Babej <tbabej@redhat.com>2015-10-14 16:11:25 +0200
commit4c2276f7ec9a049ea9088030b23badecd88c73e4 (patch)
treebbf351e1e1e4de60ca5d499d172dc70e00ca7b1b
parent5484ae014ea991335d2fa2478d94169ad29c0f55 (diff)
idoverride: Ignore ValidationErrors when converting the anchor
When converting the anchor to a human readable form, SID validation may fail, e.g. if the domain is no longer trusted. Ignore such cases and pass along the anchor in the raw format. https://fedorahosted.org/freeipa/ticket/5322 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r--ipalib/plugins/idviews.py57
1 files changed, 33 insertions, 24 deletions
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index a910486cd..aeaf9d1f5 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -197,16 +197,23 @@ class idview_show(LDAPRetrieve):
scope=ldap.SCOPE_ONELEVEL,
paged_search=True)
- entry_attrs[attr_name] = [
- resolve_anchor_to_object_name(
- ldap,
- obj_type,
- override.single_value['ipaanchoruuid']
- )
- for override in overrides
- ]
+ resolved_overrides = []
+ for override in overrides:
+ anchor = override.single_value['ipaanchoruuid']
+
+ try:
+ name = resolve_anchor_to_object_name(ldap, obj_type,
+ anchor)
+ resolved_overrides.append(name)
+
+ except (errors.NotFound, errors.ValidationError):
+ # Anchor could not be resolved, use raw
+ resolved_overrides.append(anchor)
+
+ entry_attrs[attr_name] = resolved_overrides
except errors.NotFound:
+ # No overrides found, nothing to do
pass
def enumerate_hosts(self, dn, entry_attrs):
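Review bot: The try/except fallback added to the loop at the top of this hunk (`except (errors.NotFound, errors.ValidationError)` → append the raw anchor) is the same handling this commit adds in `convert_anchor_to_human_readable_form` and in `update_original_uid_reference`, so the three copies will drift the next time a resolution error type is added. A single module-level helper that returns either the resolved name or the raw anchor lets this loop go back to the list comprehension the hunk removed and keeps the exception set in one place. Since the raw-anchor fallback now also hides the "domain no longer trusted" case from the caller, it is worth emitting a debug-level log of the unresolved anchor inside the helper (assuming a logger is reachable from there, which this hunk does not show), so an operator can tell a stale override from a merely unreadable one.
```python
def resolve_anchor_or_raw(ldap, obj_type, anchor):
    """Return the human readable name for anchor, or the raw anchor when it
    cannot be resolved (object is gone, or SID validation failed, e.g. the
    SID's domain is no longer trusted)."""
    try:
        return resolve_anchor_to_object_name(ldap, obj_type, anchor)
    except (errors.NotFound, errors.ValidationError):
        return anchor

# … unchanged: idview_show.post_callback, search for the overrides …
entry_attrs[attr_name] = [
    resolve_anchor_or_raw(ldap, obj_type,
                          override.single_value['ipaanchoruuid'])
    for override in overrides
]
```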
@@ -689,6 +696,11 @@ class baseidoverride(LDAPObject):
# If we were unable to resolve the anchor,
# keep it in the raw form
pass
+ except errors.ValidationError:
+ # Same as above, ValidationError may be raised when SIDs
+ # are attempted to be converted, but the domain is no
+ # longer trusted
+ pass
def prohibit_ipa_users_in_default_view(self, dn, entry_attrs):
# Check if parent object is Default Trust View, if so, prohibit
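Review bot: The new `except errors.ValidationError: pass` branch duplicates the `except errors.NotFound: pass` branch directly above it, whereas the other two places this commit touches catch both types in one clause; merging them as `except (errors.NotFound, errors.ValidationError):` keeps the three sites consistent and avoids the "Same as above" comment. The comment also narrows the meaning of the new branch more than the code does: `errors.ValidationError` is raised for any anchor that fails validation, not only for a SID whose domain is no longer trusted, so a malformed stored anchor will now silently be passed through in raw form as well. A comment such as `# Anchor could not be resolved (object gone, or the anchor failed validation, e.g. a SID from a domain that is no longer trusted); keep it in raw form` states the actual contract. The enclosing `convert_anchor_to_human_readable_form` begins before this hunk, so the `try` whose handlers these are is not visible here.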
@@ -773,12 +785,7 @@ class baseidoverride_find(LDAPSearch):
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
- try:
- self.obj.convert_anchor_to_human_readable_form(entry, **options)
- except errors.NotFound:
- # If the conversion to readle form went wrong, do not
- # abort the whole find command. Use non-converted entry.
- pass
+ self.obj.convert_anchor_to_human_readable_form(entry, **options)
return truncated
@@ -788,12 +795,7 @@ class baseidoverride_show(LDAPRetrieve):
takes_options = LDAPRetrieve.takes_options + (fallback_to_ldap_option,)
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
- try:
- self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
- except errors.NotFound:
- # If the conversion to readle form went wrong, do not
- # abort the whole show command. Use non-converted entry.
- pass
+ self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
return dn
@@ -874,10 +876,17 @@ class idoverrideuser(baseidoverride):
def update_original_uid_reference(self, entry_attrs):
anchor = entry_attrs.single_value['ipaanchoruuid']
- original_uid = resolve_anchor_to_object_name(self.backend,
- self.override_object,
- anchor)
- entry_attrs['ipaOriginalUid'] = original_uid
+ try:
+ original_uid = resolve_anchor_to_object_name(self.backend,
+ self.override_object,
+ anchor)
+ entry_attrs['ipaOriginalUid'] = original_uid
+
+ except (errors.NotFound, errors.ValidationError):
+ # Anchor could not be resolved, this means we had to specify the
+ # object to manipulate using a raw anchor value already, hence
+ # we have no way to update the original_uid
+ pass
@register()
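Review bot: When resolution fails, the new except branch in `update_original_uid_reference` leaves `entry_attrs['ipaOriginalUid']` untouched, so if this hook also runs on a modify (the callers are not in this hunk), a value stored while the anchor still resolved stays in the entry after the domain's trust has been removed, and the silent `pass` gives the operator no hint that the original uid is now stale. The comment's explanation ("we had to specify the object to manipulate using a raw anchor value already") describes the NotFound case but not the ValidationError one, where the anchor may have been stored at a time it was still valid. I would at least record the event, e.g. `self.log.debug("Cannot resolve anchor %s, leaving ipaOriginalUid unchanged", anchor)` (assuming the plugin logger is available here), and reword the comment to say that an unresolvable anchor, including a SID from a no-longer-trusted domain, leaves any existing ipaOriginalUid as is.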