From 81b0e7466d739a61b16c0e79c660a9f85d073c8c Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Fri, 11 Apr 2014 12:09:32 +0200
Subject: Do not ask for memberindirect when updating managed permissions
One of the default_attributes of permission is memberofindirect, a virtual attribute manufactured by ldap2, which is set when a permission is part of a role. When update_entry is called on an entry with memberofindirect, ipaldap tries to add the attribute to LDAP and fails with an objectclass violation. Do not ask for memberindirect when retrieving the entry.
Reviewed-By: Martin Kosek
---
 ipaserver/install/plugins/update_managed_permissions.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index efd87d0d1..3bba1f06e 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -133,7 +133,8 @@ class update_managed_permissions(PostUpdate):
 dn = self.api.Object[permission].get_dn(name)
 try:
- attrs_list = self.api.Object[permission].default_attributes
+ attrs_list = list(self.api.Object[permission].default_attributes)
+ attrs_list.remove('memberindirect')
 entry = ldap.get_entry(dn, attrs_list)
 is_new = False
 except errors.NotFound:
-- cgit
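Review bot: `attrs_list.remove('memberindirect')` raises ValueError if that name is ever missing from `default_attributes`, and the surrounding `try` only catches `errors.NotFound`, so the managed-permission update would abort and could leave the permission entries un-updated. A filter is tolerant of that and reads the same: `attrs_list = [a for a in self.api.Object[permission].default_attributes if a != 'memberindirect']`. The commit message describes the failing virtual attribute as `memberofindirect` while the code drops `memberindirect`; if both are manufactured by ldap2 and present in `default_attributes`, the other one would still be requested, so it is worth confirming which name is meant and adding a short comment such as `# virtual attribute; update_entry would try to write it to LDAP`. The enclosing method and the rest of the `try`/`except` lie outside this hunk.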