diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2010-06-25 16:14:46 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2010-07-06 15:39:34 -0400 |
| commit | ba59d9d648d7ee9f3e5b03ede9aeccab97f13a13 (patch) | |
| tree | f333b0335b3ebdd0d198f3afcd0f274daae5950a /ipaserver/plugins | |
| parent | 83fd9ef7cc7823619692a0286cbcec5297245153 (diff) | |
| download | freeipa-ba59d9d648d7ee9f3e5b03ede9aeccab97f13a13.tar.gz freeipa-ba59d9d648d7ee9f3e5b03ede9aeccab97f13a13.tar.xz freeipa-ba59d9d648d7ee9f3e5b03ede9aeccab97f13a13.zip | |
Add support for User-Private Groups
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
Diffstat (limited to 'ipaserver/plugins')
| -rw-r--r-- | ipaserver/plugins/ldap2.py | 37 |
1 files changed, 30 insertions, 7 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index d1c083f20..987203caa 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -103,9 +103,12 @@ def _handle_errors(e, **kw): raise errors.DatabaseError(desc=desc, info=info) -def load_schema(url): +def global_init(url): """ - Retrieve the LDAP schema from the provided url. + Perform global initialization when the module is loaded. + + Retrieve the LDAP schema from the provided url and determine if + User-Private Groups (upg) are configured. Bind using kerberos credentials. If in the context of the in-tree "lite" server then use the current ccache. If in the context of @@ -113,10 +116,11 @@ def load_schema(url): principal. """ tmpdir = None + upg = False if not api.env.in_server or api.env.context not in ['lite', 'server']: # The schema is only needed on the server side - return + return (None, None) try: if api.env.context == 'server': @@ -139,9 +143,17 @@ def load_schema(url): 'cn=schema', _ldap.SCOPE_BASE, attrlist=['attributetypes', 'objectclasses'] )[0] + try: + upg_entry = conn.search_s( + 'cn=UPG Template, %s' % api.env.basedn, _ldap.SCOPE_BASE, + attrlist=['*'] + )[0] + upg = True + except _ldap.NO_SUCH_OBJECT, e: + upg = False conn.unbind_s() except _ldap.SERVER_DOWN: - return None + return (None, upg) except _ldap.LDAPError, e: # TODO: raise a more appropriate exception _handle_errors(e, **{}) @@ -154,13 +166,14 @@ def load_schema(url): if tmpdir: shutil.rmtree(tmpdir) - return _ldap.schema.SubSchema(schema_entry[1]) + return (_ldap.schema.SubSchema(schema_entry[1]), upg) -# cache schema when importing module +# cache schema and User-Private Groups when importing module try: - _schema = load_schema(api.env.ldap_uri) + (_schema, _upg) = global_init(api.env.ldap_uri) except AttributeError: _schema = None + _upg = None def get_syntax(attr, value): @@ -524,6 +537,16 @@ class ldap2(CrudBackend, Encoder): """Returns a copy of the current LDAP schema.""" return copy.deepcopy(self.schema) + def has_upg(self): + """Returns True/False whether User-Private Groups are enabled. + This is determined based on whether the UPG Template exists. + We determine this at module load so we don't have to test for + it every time. + """ + global _upg + + return _upg + @encode_args(1, 2) def get_effective_rights(self, dn, entry_attrs): """Returns the rights the currently bound user has for the given DN. |