authorJose Castro Leon <jose.castro.leon@cern.ch>2012-09-20 09:15:05 +0200
committerJose Castro Leon <jose.castro.leon@cern.ch>2012-10-05 16:26:59 +0200
commit8152c2cb8698ce1fc868c02f2fa4d4301afc5738 (patch)
tree0fc1c196cfdd4e8c5a6b2d6c03f780cbe4e104af /keystone/common/ldap
parent1262a07277468dd48ba2167849fecf4c4766784b (diff)
Configurable actions on LDAP backend in users Active Directory (bug 1052929)
Change-Id: I99092eb4aee3b3b1b9cf297561577f1915c0e886
Diffstat (limited to 'keystone/common/ldap')
-rw-r--r--keystone/common/ldap/core.py21
1 files changed, 21 insertions, 0 deletions
diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
index b077ad97..a8b8e970 100644
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@@ -92,6 +92,15 @@ class BaseLdap(object):
self.object_class = (getattr(conf.ldap, objclass)
or self.DEFAULT_OBJECTCLASS)
+ allow_create = '%s_allow_create' % self.options_name
+ self.allow_create = getattr(conf.ldap, allow_create)
+
+ allow_update = '%s_allow_update' % self.options_name
+ self.allow_update = getattr(conf.ldap, allow_update)
+
+ allow_delete = '%s_allow_delete' % self.options_name
+ self.allow_delete = getattr(conf.ldap, allow_delete)
+
self.structural_classes = self.DEFAULT_STRUCTURAL_CLASSES
self.use_dumb_member = getattr(conf.ldap, 'use_dumb_member') or True
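Review bot: The three `getattr(conf.ldap, allow_*)` lookups in the added lines pass no default, so a backend whose `<options_name>_allow_*` options are not registered fails when this object is built, and an option that is registered but left unset leaves the attribute falsy so the new create/update/delete guards refuse the action — both fail closed, which is the safer direction, but neither behaviour is stated anywhere. I would put this above the first lookup: `# Write gates for this backend: <options_name>_allow_{create,update,delete} under [ldap]. Missing option -> error here; unset/False -> ForbiddenAction from create/update/delete.` Whether an unregistered option raises depends on the conf object, which is not visible here, and the method enclosing these lines starts outside the hunk. The three near-identical statements could also be one loop, `for action in ('create', 'update', 'delete'):` / `opt = '%s_allow_%s' % (self.options_name, action)` / `setattr(self, 'allow_' + action, getattr(conf.ldap, opt))`, but that is a matter of taste.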
@@ -163,6 +172,10 @@ class BaseLdap(object):
values['id'])
def create(self, values):
+ if not self.allow_create:
+ msg = 'LDAP backend does not allow %s create' % self.options_name
+ raise exception.ForbiddenAction(msg)
+
conn = self.get_connection()
object_classes = self.structural_classes + [self.object_class]
attrs = [('objectClass', object_classes)]
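Review bot: The guard added at the top of `create` is repeated verbatim in `update` (next hunk) and `delete` (last hunk), differing only in the flag read and the action word in the message, so the three copies can drift apart; a single helper keeps the message format and the exception type in one place. Because these gates live on `BaseLdap`, any subclass that overrides create/update/delete without reaching the base method would bypass them — the subclasses are not visible from here, so the helper's docstring should say so explicitly. The rest of `create` continues past the hunk.

```python
    def _check_allowed(self, action, allowed):
        """Raise ForbiddenAction unless this backend permits *action*.

        *allowed* is the <options_name>_allow_<action> flag read at
        construction. Subclasses that override create/update/delete
        must still reach the base method for this gate to apply.
        """
        if not allowed:
            msg = 'LDAP backend does not allow %s %s' % (self.options_name,
                                                         action)
            raise exception.ForbiddenAction(msg)

    def create(self, values):
        self._check_allowed('create', self.allow_create)
        # … unchanged: connection setup, attribute list and add …
```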
@@ -262,6 +275,10 @@ class BaseLdap(object):
return (prv, nxt)
def update(self, id, values, old_obj=None):
+ if not self.allow_update:
+ msg = 'LDAP backend does not allow %s update' % self.options_name
+ raise exception.ForbiddenAction(msg)
+
if old_obj is None:
old_obj = self.get(id)
@@ -285,6 +302,10 @@ class BaseLdap(object):
conn.modify_s(self._id_to_dn(id), modlist)
def delete(self, id):
+ if not self.allow_delete:
+ msg = 'LDAP backend does not allow %s delete' % self.options_name
+ raise exception.ForbiddenAction(msg)
+
conn = self.get_connection()
conn.delete_s(self._id_to_dn(id))