From e951f1841674fc57a867b9a36eea9d82ca31ad38 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 6 Jan 2014 15:51:20 +0100 Subject: permissions: Use multivalued targetfilter Change the target filter to be multivalued. Make the `type` option on permissions set location and an (objectclass=...) targetfilter, instead of location and target. Make changing or unsetting `type` remove existing (objectclass=...) targetfilters only, and similarly, changing/unsetting `memberof` to remove (memberof=...) only. Update tests Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek --- API.txt | 6 +- VERSION | 4 +- install/share/60basev3.ldif | 2 +- ipalib/plugins/permission.py | 145 ++++++---- ipatests/test_xmlrpc/test_old_permission_plugin.py | 76 +++--- ipatests/test_xmlrpc/test_permission_plugin.py | 293 +++++++++++---------- ipatests/test_xmlrpc/test_privilege_plugin.py | 4 +- 7 files changed, 296 insertions(+), 234 deletions(-) diff --git a/API.txt b/API.txt index 343ede41b..60df70db4 100644 --- a/API.txt +++ b/API.txt 
@@ -2332,7 +2332,7 @@ option: StrEnum('ipapermbindruletype', attribute=True, autofill=True, cli_name='
 option: DNOrURL('ipapermlocation', alwaysask=True, attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=False, required=False)
 option: StrEnum('ipapermright', attribute=True, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
 option: DNParam('ipapermtarget', attribute=True, cli_name='target', multivalue=False, required=False)
-option: Str('ipapermtargetfilter', attribute=True, cli_name='filter', multivalue=False, required=False)
+option: Str('ipapermtargetfilter', attribute=True, cli_name='filter', multivalue=True, required=False)
 option: Str('memberof', alwaysask=True, attribute=False, autofill=False, cli_name='memberof', multivalue=False, query=False, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('permissions', attribute=False, cli_name='permissions', multivalue=True, required=False)
@@ -2390,7 +2390,7 @@ option: Str('ipapermincludedattr', attribute=True, autofill=False, cli_name='inc
 option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=True, required=False)
 option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, query=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
 option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, query=True, required=False)
-option: Str('ipapermtargetfilter', attribute=True, autofill=False, cli_name='filter', multivalue=False, query=True, required=False)
+option: Str('ipapermtargetfilter', attribute=True, autofill=False, cli_name='filter', multivalue=True, query=True, required=False)
 option: Str('memberof', attribute=False, autofill=False, cli_name='memberof', multivalue=False, query=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('permissions', attribute=False, autofill=False, cli_name='permissions', multivalue=True, query=True, required=False)
@@ -2420,7 +2420,7 @@ option: Str('ipapermincludedattr', attribute=True, autofill=False, cli_name='inc
 option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', multivalue=False, required=False)
 option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
 option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, required=False)
-option: Str('ipapermtargetfilter', attribute=True, autofill=False, cli_name='filter', multivalue=False, required=False)
+option: Str('ipapermtargetfilter', attribute=True, autofill=False, cli_name='filter', multivalue=True, required=False)
 option: Str('memberof', attribute=False, autofill=False, cli_name='memberof', multivalue=False, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('permissions', attribute=False, autofill=False, cli_name='permissions', multivalue=True, required=False)
diff --git a/VERSION b/VERSION
index 9cb9d71a8..bf5a3707b 100644
--- a/VERSION
+++ b/VERSION
@@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=73
-# Last change: pviktori - Managed permissions
+IPA_API_VERSION_MINOR=74
+# Last change: pviktori - permissions: multivalued targetfilter
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index d7cd390d2..8b92af247 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -44,7 +44,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.44 NAME 'ipaPermExcludedAttr' DESC 'IP
 attributeTypes: (2.16.840.1.113730.3.8.11.45 NAME 'ipaPermBindRuleType' DESC 'IPA permission bind rule type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 attributeTypes: (2.16.840.1.113730.3.8.11.46 NAME 'ipaPermLocation' DESC 'Location of IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 attributeTypes: (2.16.840.1.113730.3.8.11.47 NAME 'ipaPermRight' DESC 'IPA permission rights' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
-attributeTypes: (2.16.840.1.113730.3.8.11.48 NAME 'ipaPermTargetFilter' DESC 'IPA permission target filter' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+attributeTypes: (2.16.840.1.113730.3.8.11.48 NAME 'ipaPermTargetFilter' DESC 'IPA permission target filter' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
 attributeTypes: (2.16.840.1.113730.3.8.11.49 NAME 'ipaPermTarget' DESC 'IPA permission target' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index deb069d3a..071544aac 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
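Review bot: Dropping SINGLE-VALUE from `ipaPermTargetFilter` changes schema that is already loaded on deployed servers; until the new definition is applied there, a `permission-mod` that now writes two values (the objectclass filter from `--type` plus a `memberOf` filter) will be refused by the directory server as a single-value violation. I cannot see from this patch whether the upgrade path re-applies 60basev3.ldif in place, so this is worth confirming and, if it does not, pairing the schema change with an explicit update step.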
@@ -124,6 +124,11 @@ def strip_ldap_prefix(uri): return uri[len(prefix):] +def prevalidate_filter(ugettext, value): + if not value.startswith('(') or not value.endswith(')'): + return _('must be enclosed in parentheses') + + class DNOrURL(DNParam): """DN parameter that allows, and strips, a "ldap:///" prefix on input @@ -219,10 +224,10 @@ class permission(baseldap.LDAPObject): flags={'ask_create'}, ), Str( - 'ipapermtargetfilter?', + 'ipapermtargetfilter*', prevalidate_filter, cli_name='filter', - label=_('ACI target filter'), - doc=_('ACI target filter'), + label=_('Target filter'), + doc=_('Target filter'), ), DNParam( @@ -234,7 +239,7 @@ class permission(baseldap.LDAPObject): Str('memberof?', label=_('Member of group'), # FIXME: Does this label make sense? - doc=_('Target members of a group (sets targetfilter)'), + doc=_('Target members of a group (sets memberOf targetfilter)'), flags={'ask_create', 'virtual_attribute'}, ), Str('targetgroup?', @@ -245,7 +250,8 @@ class permission(baseldap.LDAPObject): StrEnum( 'type?', label=_('Type'), - doc=_('Type of IPA object (sets subtree and filter)'), + doc=_('Type of IPA object ' + '(sets subtree and objectClass targetfilter)'), values=VALID_OBJECT_TYPES, flags={'ask_create', 'virtual_attribute'}, ), 
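Review bot: `prevalidate_filter` only inspects the first and last character, so a value such as `(a)(b)` (two filters in one) or one containing a double quote passes and later reaches the ACI builder in this patch, which interpolates it verbatim into `(targetfilter = "...")`. The LDAP search in `validate_permission` rejects syntactically broken filters, but an embedded `"` is legal filter syntax and would only surface as a malformed ACI string, unless the server's ACI parser copes with it, which I cannot tell from here. A cheap extra guard is `if '"' in value: return _('must not contain double quotes')`. A one-line docstring would also help readers: `"""Cheap syntactic check for one targetfilter value; full validation is a search in validate_permission."""`.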
@@ -277,18 +283,22 @@ class permission(baseldap.LDAPObject): ``pkey_only``, ``version``. """ if not options.get('raw') and not options.get('pkey_only'): - ipapermtargetfilter = entry.single_value.get('ipapermtargetfilter', - '') + ipapermtargetfilter = entry.get('ipapermtargetfilter', []) ipapermtarget = entry.single_value.get('ipapermtarget') ipapermlocation = entry.single_value.get('ipapermlocation') # memberof - match = re.match('^\(memberof=(.*)\)$', ipapermtargetfilter, re.I) - if match: - dn = DN(match.group(1)) - if dn[1:] == DN(self.api.Object.group.container_dn, - self.api.env.basedn)[:] and dn[0].attr == 'cn': - entry.single_value['memberof'] = dn[0].value + memberof = [] + for targetfilter in ipapermtargetfilter: + match = re.match('^\(memberof=(.*)\)$', targetfilter, re.I) + if match: + dn = DN(match.group(1)) + groups_dn = DN(self.api.Object.group.container_dn, + self.api.env.basedn) + if dn[1:] == groups_dn[:] and dn[0].attr == 'cn': + memberof.append(dn[0].value) + if memberof: + entry['memberof'] = memberof # targetgroup if ipapermtarget: @@ -299,17 +309,20 @@ class permission(baseldap.LDAPObject): entry.single_value['targetgroup'] = dn[0].value # type - if ipapermtarget and ipapermlocation: + if ipapermtargetfilter and ipapermlocation: for objname in VALID_OBJECT_TYPES: obj = self.api.Object[objname] wantdn = DN(obj.container_dn, self.api.env.basedn) - if DN(ipapermlocation) == wantdn: - targetdn = DN( - (obj.rdn_attribute or obj.primary_key.name, '*'), - obj.container_dn, - self.api.env.basedn) - if ipapermtarget == targetdn: - entry.single_value['type'] = objname + if DN(ipapermlocation) != wantdn: + continue + + for objclass in obj.object_class: + filter_re = '\(objectclass=%s\)' % re.escape(objclass) + if not any(re.match(filter_re, tf, re.I) + for tf in ipapermtargetfilter): + break + else: + entry.single_value['type'] = objname break # old output names 
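Review bot: In the memberof loop, `DN(match.group(1))` is now evaluated for every targetfilter value, so a single hand-written filter such as `(memberof=*)`, whose captured text is not a parseable DN, would make the whole post-processing fail (assuming `DN()` raises `ValueError` on bad input, please verify) and break `permission-show` for that entry; previously only one value was inspected. Wrap the conversion: `try: dn = DN(match.group(1))` / `except ValueError: continue`. The type-detection loop below has a related softness: `re.match` is not end-anchored, so the pattern for `posixaccount` also matches `(objectclass=posixaccount)x)`; `filter_re = '\(objectclass=%s\)$' % re.escape(objclass)` pins it. The enclosing method starts before this hunk.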
@@ -324,10 +337,10 @@ class permission(baseldap.LDAPObject): rights['memberof'] = rights['ipapermtargetfilter'] rights['targetgroup'] = rights['ipapermtarget'] - type_rights = set(rights['ipapermtarget']) + type_rights = set(rights['ipapermtargetfilter']) type_rights.intersection_update(rights['ipapermlocation']) - rights['type'] = ''.join(sorted(type_rights, - key=rights['ipapermtarget'].index)) + rights['type'] = ''.join(sorted( + type_rights, key=rights['ipapermtargetfilter'].index)) if 'ipapermincludedattr' in rights: rights['attrs'] = ''.join(sorted( @@ -403,11 +416,15 @@ class permission(baseldap.LDAPObject): 'ldap:///%s' % ipapermtarget) # targetfilter - ipapermtargetfilter = entry.single_value.get('ipapermtargetfilter') + ipapermtargetfilter = entry.get('ipapermtargetfilter') if ipapermtargetfilter: - assert (ipapermtargetfilter.startswith('(') - and ipapermtargetfilter.endswith(')')) - aci_parts.append("(targetfilter = \"%s\")" % ipapermtargetfilter) + assert all(f.startswith('(') and f.endswith(')') + for f in ipapermtargetfilter) + if len(ipapermtargetfilter) == 1: + filter = ipapermtargetfilter[0] + else: + filter = '(&%s)' % ''.join(sorted(ipapermtargetfilter)) + aci_parts.append("(targetfilter = \"%s\")" % filter) # version, name, rights, bind rule ipapermbindruletype = entry.single_value.get('ipapermbindruletype', 
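Review bot: The new `assert all(f.startswith('(') and f.endswith(')') ...)` is the only structural check on values that come back from LDAP, which `prevalidate_filter` never saw (entries edited by hand or written by an older client), and it disappears under `python -O`, so a malformed value would be written straight into the ACI. Raise instead, in the style the file already uses for ACI conversion problems: `if not all(f.startswith('(') and f.endswith(')') for f in ipapermtargetfilter):` / `raise ValueError('malformed ipapermtargetfilter: %r' % (ipapermtargetfilter,))`. Also `filter = ...` shadows the builtin; `targetfilter` reads better and avoids confusion with `ldap.combine_filters` a few hunks down. The enclosing method starts before and ends after this hunk.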
@@ -582,8 +599,24 @@ class permission(baseldap.LDAPObject): raise ValueError('Cannot convert ACI, %r != %r' % (new_acistring, acistring)) - def preprocess_options(self, options): - """Preprocess options (in-place)""" + def preprocess_options(self, options, return_filter_ops=False): + """Preprocess options (in-place) + + :param options: A dictionary of options + :param return_filter_ops: + If false, assumes there is no pre-existing entry; + additional values of ipapermtargetfilter are added to options. + If true, a dictionary of operations on ipapermtargetfilter is + returned. + These operations must be performed after the existing entry + is retreived. + The dict has the following keys: + - remove: list of regular expression objects; values that match + any of them sould be removed + - add: list of values to be added, after any removals + """ + + filter_ops = {'add': [], 'remove': []} if options.get('subtree'): if isinstance(options['subtree'], (list, tuple)): @@ -613,20 +646,14 @@ class permission(baseldap.LDAPObject): # memberof if 'memberof' in options: memberof = options.pop('memberof') + filter_ops['remove'].append(re.compile(r'\(memberOf=.*\)', re.I)) if memberof: - if 'ipapermtargetfilter' in options: - raise errors.ValidationError( - name='ipapermtargetfilter', - error=_('filter and memberof are mutually exclusive')) try: groupdn = self.api.Object.group.get_dn_if_exists(memberof) except errors.NotFound: raise errors.NotFound( reason=_('%s: group not found') % memberof) - options['ipapermtargetfilter'] = u'(memberOf=%s)' % groupdn - else: - if 'ipapermtargetfilter' not in options: - options['ipapermtargetfilter'] = None + filter_ops['add'].append(u'(memberOf=%s)' % groupdn) # targetgroup if 'targetgroup' in options: 
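Review bot: The new `preprocess_options` docstring has two typos, `retreived` should be `retrieved` and `sould` should be `should`, and it understates how `remove` is applied: the compiled patterns are used with `.match()` in `permission_mod`, so they are anchored at the start only; say `values that match any of them (via re.match, i.e. anchored at the start) should be removed`. It would also help to state there that when `return_filter_ops` is false the `remove` list is discarded, since the `memberOf` pattern appended below is then dead work on the add path. `preprocess_options` continues past this hunk.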
@@ -649,35 +676,37 @@ class permission(baseldap.LDAPObject): # type if 'type' in options: objtype = options.pop('type') + filter_ops['remove'].append(re.compile(r'\(objectclass=.*\)', re.I)) if objtype: if 'ipapermlocation' in options: raise errors.ValidationError( name='ipapermlocation', error=_('subtree and type are mutually exclusive')) - if 'ipapermtarget' in options: - raise errors.ValidationError( - name='ipapermtarget', - error=_('target and type are mutually exclusive')) obj = self.api.Object[objtype.lower()] + new_values = [u'(objectclass=%s)' % o + for o in obj.object_class] + filter_ops['add'].extend(new_values) container_dn = DN(obj.container_dn, self.api.env.basedn) - options['ipapermtarget'] = DN( - (obj.rdn_attribute or obj.primary_key.name, '*'), - container_dn) options['ipapermlocation'] = container_dn else: - if 'ipapermtarget' not in options: - options['ipapermtarget'] = None if 'ipapermlocation' not in options: options['ipapermlocation'] = None + if return_filter_ops: + return filter_ops + elif filter_ops['add']: + options['ipapermtargetfilter'] = list(options.get( + 'ipapermtargetfilter', [])) + filter_ops['add'] + def validate_permission(self, entry): ldap = self.Backend.ldap2 # Rough filter validation by a search - if 'ipapermtargetfilter' in entry: + if entry.get('ipapermtargetfilter'): try: ldap.find_entries( - filter=entry.single_value['ipapermtargetfilter'], + filter=ldap.combine_filters(entry['ipapermtargetfilter'], + rules='&'), base_dn=self.env.basedn, scope=ldap.SCOPE_BASE, size_limit=1) @@ -702,7 +731,7 @@ class permission(baseldap.LDAPObject): needed_attrs = ( 'ipapermtarget', 'ipapermtargetfilter', 'ipapermincludedattr', 'ipapermexcludedattr', 'ipapermdefaultattr') - if not any(entry.single_value.get(a) for a in needed_attrs): + if not any(v for a in needed_attrs for v in (entry.get(a) or ())): raise errors.ValidationError( name='target', error=_('there must be at least one target entry specifier ' 
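Review bot: `re.compile(r'\(objectclass=.*\)', re.I)` (and the matching `memberOf` pattern in the previous hunk) is rebuilt on every `preprocess_options` call; hoist both to module-level constants, e.g. `_OBJECTCLASS_FILTER_RE = re.compile(r'\(objectclass=.*\)', re.I)`, and reuse them in `postprocess_result`, which currently spells the same filter shapes as separate string regexes. A short comment at the append site, `# drops every (objectclass=...) value, including ones added via --filter`, would make the behaviour described in the commit message visible where it happens. `preprocess_options` starts before this hunk.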
@@ -823,7 +852,8 @@ class permission_mod(baseldap.LDAPUpdate): has_output_params = baseldap.LDAPUpdate.has_output_params + output_params def execute(self, *keys, **options): - self.obj.preprocess_options(options) + context.filter_ops = self.obj.preprocess_options( + options, return_filter_ops=True) return super(permission_mod, self).execute(*keys, **options) def pre_callback(self, ldap, dn, entry, attrs_list, *keys, **options): @@ -852,6 +882,10 @@ class permission_mod(baseldap.LDAPUpdate): raise errors.ValidationError( name=option_name, error=_('not modifiable on managed permissions')) + if context.filter_ops.get('add'): + raise errors.ValidationError( + name='ipapermtargetfilter', + error=_('not modifiable on managed permissions')) else: if options.get('ipapermexcludedattr'): # prevent setting excluded attributes on normal permissions @@ -888,6 +922,15 @@ class permission_mod(baseldap.LDAPUpdate): key not in self.obj.attribute_members): entry.setdefault(key, value) + filter_ops = context.filter_ops + removes = filter_ops.get('remove', []) + new_filters = set( + filt for filt in (entry.get('ipapermtargetfilter') or []) + if not any(rem.match(filt) for rem in removes)) + new_filters.update(filter_ops.get('add', [])) + new_filters.update(options.get('ipapermtargetfilter') or []) + entry['ipapermtargetfilter'] = list(new_filters) + if not entry.get('ipapermlocation'): entry['ipapermlocation'] = [self.api.env.basedn] diff --git a/ipatests/test_xmlrpc/test_old_permission_plugin.py b/ipatests/test_xmlrpc/test_old_permission_plugin.py index a681ef31e..72c218208 100644 --- a/ipatests/test_xmlrpc/test_old_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_old_permission_plugin.py @@ -155,7 +155,7 @@ class test_old_permission(Declarative): permissions=[u'write'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - ipapermtarget=[DN('uid=*', users_dn)], + filter=[u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), 
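Review bot: The managed-permission guard only rejects `filter_ops['add']`, but an empty `--type=` or `--memberof=` produces a `remove` op and no `add`, and `pre_callback` then strips the matching `(objectclass=...)`/`(memberOf=...)` values from the managed permission's targetfilter, widening its ACI; the option loop just above (cut off here) probably does not catch this, because `preprocess_options` pops `type` and `memberof` out of `options` before it runs. Check both lists: `if context.filter_ops.get('add') or context.filter_ops.get('remove'):`. The `permission_mod` class starts before this hunk.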
@@ -231,7 +231,7 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ), @@ -249,13 +249,16 @@ class test_old_permission(Declarative): 'cn': [permission1], 'objectclass': objectclasses.permission, 'member': [privilege1_dn], - 'aci': u'(target = "ldap:///%s")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \ - (DN(('uid', '*'), ('cn', 'users'), ('cn', 'accounts'), api.env.basedn), - DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)), + 'aci': (u'(targetfilter = "(objectclass=posixaccount)")'+ + u'(version 3.0;acl "permission:testperm";' + + u'allow (write) ' + + u'groupdn = "ldap:///%s";)' % DN( + ('cn', 'testperm'), ('cn', 'permissions'), + ('cn', 'pbac'), api.env.basedn)), 'ipapermright': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], 'ipapermlocation': [users_dn], }, ), @@ -279,7 +282,7 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], @@ -304,7 +307,7 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], 
@@ -341,7 +344,7 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], @@ -362,13 +365,12 @@ class test_old_permission(Declarative): 'cn': [permission1], 'objectclass': objectclasses.permission, 'member': [privilege1_dn], - 'aci': u'(target = "ldap:///%s")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \ - (DN(('uid', '*'), ('cn', 'users'), ('cn', 'accounts'), api.env.basedn), - DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)), + 'aci': u'(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \ + DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn), 'ipapermright': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], 'ipapermlocation': [users_dn], }, ], @@ -398,7 +400,7 @@ class test_old_permission(Declarative): owner=[u'cn=test', u'cn=test2'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - ipapermtarget=[DN('uid=*', users_dn)], + filter=[u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -422,7 +424,7 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, { 
@@ -433,7 +435,7 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], @@ -517,7 +519,7 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], @@ -542,7 +544,7 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, { @@ -553,7 +555,7 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], + 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], @@ -616,8 +618,8 @@ class test_old_permission(Declarative): owner=[u'cn=other-test', u'cn=other-test2'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - ipapermtarget=[DN('uid=*', users_dn)], - filter=[u'memberOf=%s' % DN('cn=ipausers', groups_dn)], + filter=[u'memberOf=%s' % DN('cn=ipausers', groups_dn), + u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), 
@@ -640,8 +642,8 @@ class test_old_permission(Declarative): 'memberof': u'ipausers', 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], - 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)], + 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn), + u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ), @@ -687,8 +689,8 @@ class test_old_permission(Declarative): 'memberof': u'ipausers', 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], - 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)], + 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn), + u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ), @@ -715,8 +717,8 @@ class test_old_permission(Declarative): 'memberof': u'ipausers', 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], - 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)], + 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn), + u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ), @@ -743,8 +745,8 @@ class test_old_permission(Declarative): 'memberof': u'ipausers', 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'ipapermtarget': [DN('uid=*', users_dn)], - 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)], + 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn), + u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ), @@ -944,8 +946,8 @@ class test_old_permission(Declarative): type=u'user', ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - ipapermtarget=[DN('uid=*', users_dn)], - filter=[u'memberOf=%s' % DN('cn=editors', groups_dn)], + filter=[u'memberOf=%s' % DN('cn=editors', groups_dn), + u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), 
@@ -977,8 +979,8 @@ class test_old_permission(Declarative): type=u'user', ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - ipapermtarget=[DN('uid=*', users_dn)], - filter=[u'memberOf=%s' % DN('cn=admins', groups_dn)], + filter=[u'memberOf=%s' % DN('cn=admins', groups_dn), + u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -1002,7 +1004,7 @@ class test_old_permission(Declarative): type=u'user', ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - ipapermtarget=[DN('uid=*', users_dn)], + filter=[u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -1076,7 +1078,7 @@ class test_old_permission(Declarative): attrs=(u'cn',), ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - ipapermtarget=[DN('uid=*', users_dn)], + filter=[u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -1099,7 +1101,7 @@ class test_old_permission(Declarative): attributelevelrights=permission3_attributelevelrights, ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - ipapermtarget=[DN('uid=*', users_dn)], + filter=[u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -1122,7 +1124,7 @@ class test_old_permission(Declarative): attributelevelrights=permission3_attributelevelrights, ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - ipapermtarget=[DN('uid=*', users_dn)], + filter=[u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index ad5074c81..69660d4d3 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py 
@@ -241,7 +241,7 @@ class test_permission_negative(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -271,11 +271,11 @@ class test_permission_negative(Declarative): ), dict( - desc='Try to remove target and memberof from %r' % permission1, + desc='Try to remove targetfilter and memberof from %r' % permission1, command=( 'permission_mod', [permission1], dict( attrs=None, - ipapermtarget=None, + ipapermtargetfilter=None, ) ), expected=errors.ValidationError( @@ -344,7 +344,7 @@ class test_permission(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -352,7 +352,7 @@ class test_permission(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -429,7 +429,7 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ), ), 
@@ -451,9 +451,9 @@ class test_permission(Declarative): 'ipapermright': [u'write'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], 'aci': ['(targetattr = "sn")' - '(target = "ldap:///%(tdn)s")' + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%(name)s";' 'allow (write) groupdn = "ldap:///%(pdn)s";)' % {'tdn': DN(('uid', '*'), users_dn), @@ -483,7 +483,7 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -509,7 +509,7 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -547,7 +547,7 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -572,9 +572,9 @@ class test_permission(Declarative): 'ipapermright': [u'write'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], 'aci': ['(targetattr = "sn")' - '(target = "ldap:///%(tdn)s")' + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%(name)s";' 'allow (write) groupdn = "ldap:///%(pdn)s";)' % {'tdn': DN(('uid', '*'), users_dn), 
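Review bot: After replacing `%(tdn)s` with the literal targetfilter, the format dict on the following line still carries `'tdn': DN(('uid', '*'), users_dn)`, which is now an unused key (in both the show and the find expectation of this file); drop it so the expected ACI reads as exactly what is interpolated. The surrounding test dict continues outside the hunk.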
@@ -611,7 +611,7 @@ class test_permission(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -619,12 +619,11 @@ class test_permission(Declarative): verify_permission_aci( permission2, users_dn, '(targetattr = "cn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission2 + 'allow (write) groupdn = "ldap:///%s";)' % permission2_dn, ), - dict( desc='Search for %r' % permission1, command=('permission_find', [permission1], {}), @@ -644,7 +643,7 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, { 'dn': permission2_dn, @@ -656,7 +655,7 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -741,7 +740,7 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -766,7 +765,7 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], 'member_privilege': [privilege1], }, { 
@@ -779,7 +778,7 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -844,12 +843,13 @@ class test_permission(Declarative): memberof=[u'ipausers'], owner=[u'cn=other-test', u'cn=other-test2'], attrs=[u'sn'], - ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers', - groups_dn)], + ipapermtargetfilter=[ + u'(memberOf=%s)' % DN('cn=ipausers', groups_dn), + u"(objectclass=posixaccount)", + ], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], ), ), ), @@ -857,13 +857,13 @@ class test_permission(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + - '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) + + '(targetfilter = "(&' + + '(memberOf=%s)' % DN('cn=ipausers', groups_dn) + + '(objectclass=posixaccount))")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (read) groupdn = "ldap:///%s";)' % permission1_dn, ), - dict( desc='Retrieve %r to verify update' % permission1, command=('permission_show', [permission1], {}), @@ -879,18 +879,16 @@ class test_permission(Declarative): 'ipapermright': [u'read'], 'memberof': [u'ipausers'], 'attrs': [u'sn'], - 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', - groups_dn)], + 'ipapermtargetfilter': [ + u'(memberOf=%s)' % DN('cn=ipausers', groups_dn), + u'(objectclass=posixaccount)'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ), ), - - dict( desc='Try to rename %r to existing permission %r' % (permission1, permission2), 
@@ -901,7 +899,6 @@ class test_permission(Declarative): expected=errors.DuplicateEntry(), ), - dict( desc='Try to rename %r to empty name' % (permission1), command=( @@ -912,7 +909,6 @@ class test_permission(Declarative): error=u'New name can not be empty'), ), - dict( desc='Check integrity of original permission %r' % permission1, command=('permission_show', [permission1], {}), @@ -928,12 +924,12 @@ class test_permission(Declarative): 'ipapermright': [u'read'], 'memberof': [u'ipausers'], 'attrs': [u'sn'], - 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', - groups_dn)], + 'ipapermtargetfilter': [ + u'(memberOf=%s)' % DN('cn=ipausers', groups_dn), + u'(objectclass=posixaccount)'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ), ), @@ -958,12 +954,12 @@ class test_permission(Declarative): 'ipapermright': [u'all'], 'memberof': [u'ipausers'], 'attrs': [u'sn'], - 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', - groups_dn)], + 'ipapermtargetfilter': [ + u'(memberOf=%s)' % DN('cn=ipausers', groups_dn), + u'(objectclass=posixaccount)'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ), ), @@ -973,8 +969,9 @@ class test_permission(Declarative): verify_permission_aci( permission1_renamed, users_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + - '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) + + '(targetfilter = "(&' + + '(memberOf=%s)' % DN('cn=ipausers', groups_dn) + + '(objectclass=posixaccount))")' + '(version 3.0;acl "permission:%s";' % permission1_renamed + 'allow (all) groupdn = "ldap:///%s";)' % permission1_renamed_dn, ), 
@@ -999,12 +996,12 @@ class test_permission(Declarative): 'ipapermright': [u'write'], 'memberof': [u'ipausers'], 'attrs': [u'sn'], - 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', - groups_dn)], + 'ipapermtargetfilter': [ + u'(memberOf=%s)' % DN('cn=ipausers', groups_dn), + u'(objectclass=posixaccount)'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ), ), @@ -1014,8 +1011,9 @@ class test_permission(Declarative): verify_permission_aci( permission1_renamed_ucase, users_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + - '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) + + '(targetfilter = "(&' + + '(memberOf=%s)' % DN('cn=ipausers', groups_dn) + + '(objectclass=posixaccount))")' + '(version 3.0;acl "permission:%s";' % permission1_renamed_ucase + 'allow (write) groupdn = "ldap:///%s";)' % permission1_renamed_ucase_dn, @@ -1073,7 +1071,7 @@ class test_permission(Declarative): 'attrs': [u'cn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], - 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], 'ipapermlocation': [api.env.basedn], }, ), @@ -1082,7 +1080,7 @@ class test_permission(Declarative): verify_permission_aci( permission2, api.env.basedn, '(targetattr = "cn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission2 + 'allow (write) groupdn = "ldap:///%s";)' % permission2_dn, ), 
@@ -1256,12 +1254,12 @@ class test_permission(Declarative): ipapermright=[u'write'], type=[u'user'], attrs=[u'sn'], - ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'editors'), - groups_dn)], + ipapermtargetfilter=[ + u'(memberOf=%s)' % DN(('cn', 'editors'), groups_dn), + u'(objectclass=posixaccount)'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], ), ), ), @@ -1269,8 +1267,8 @@ class test_permission(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + - '(targetfilter = "(memberOf=%s)")' % DN('cn=editors', groups_dn) + + '(targetfilter = "(&(memberOf=%s)' % DN('cn=editors', groups_dn) + + '(objectclass=posixaccount))")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -1300,12 +1298,12 @@ class test_permission(Declarative): ipapermright=[u'write'], type=[u'user'], attrs=[u'sn'], - ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'), - groups_dn)], + ipapermtargetfilter=[ + u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), + u'(objectclass=posixaccount)'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], ), ), ), @@ -1313,8 +1311,9 @@ class test_permission(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + - '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) + + '(targetfilter = "(&' + + '(memberOf=%s)' % DN('cn=admins', groups_dn) + + '(objectclass=posixaccount))")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), 
@@ -1339,7 +1338,7 @@ class test_permission(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -1347,7 +1346,7 @@ class test_permission(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -1419,7 +1418,7 @@ class test_permission(Declarative): ipapermright=[u'write'], attrs=(u'cn',), ipapermbindruletype=[u'permission'], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], ), @@ -1429,7 +1428,7 @@ class test_permission(Declarative): verify_permission_aci( permission3, users_dn, '(targetattr = "cn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission3 + 'allow (write) groupdn = "ldap:///%s";)' % permission3_dn, ), @@ -1450,7 +1449,7 @@ class test_permission(Declarative): ipapermright=[u'write'], attributelevelrights=permission3_attributelevelrights, ipapermbindruletype=[u'permission'], - ipapermtarget=[DN(('uid', '*'),users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], ), @@ -1475,7 +1474,7 @@ class test_permission(Declarative): ipapermright=[u'write'], attributelevelrights=permission3_attributelevelrights, ipapermbindruletype=[u'permission'], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], ), 
@@ -1485,21 +1484,29 @@ class test_permission(Declarative): verify_permission_aci( permission3, users_dn, '(targetattr = "cn || uid")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission3 + 'allow (write) groupdn = "ldap:///%s";)' % permission3_dn, ), + dict( + desc='Try to modify %r with naked targetfilter' % permission1, + command=('permission_mod', [permission1], + {'ipapermtargetfilter': u"cn=admin"}), + expected=errors.ValidationError( + name='filter', + error='must be enclosed in parentheses'), + ), + dict( desc='Try to modify %r with invalid targetfilter' % permission1, command=('permission_mod', [permission1], - {'ipapermtargetfilter': u"ceci n'est pas un filtre"}), + {'ipapermtargetfilter': u"(ceci n'est pas un filtre)"}), expected=errors.ValidationError( name='ipapermtargetfilter', error='Bad search filter'), ), - dict( desc='Try setting nonexisting location on %r' % permission1, command=( @@ -1630,9 +1637,9 @@ class test_permission_sync_attributes(Declarative): ipapermlocation=users_dn, ipapermright=u'write', attrs=u'sn', - ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'), - groups_dn), - ipapermtarget=DN(('uid', '*'), users_dn), + ipapermtargetfilter=[ + u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), + u'(objectclass=posixaccount)'], ) ), expected=dict( @@ -1648,9 +1655,9 @@ class test_permission_sync_attributes(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], - ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'), - groups_dn)], + ipapermtargetfilter=[ + u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), + u'(objectclass=posixaccount)'], memberof=[u'admins'], ), ), 
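Review bot: The two ValidationErrors in the hunk at 1485 identify the same option under different names: the new naked-filter case expects `name='filter'` while the bad-filter case directly below it keeps `name='ipapermtargetfilter'`. If the first is raised by the option's own validator and the second by the plugin's filter check, the asymmetry is the framework's behaviour rather than a test mistake, but a reader of the test cannot tell that and may take one of them for a typo. A one-line comment between the two cases stating which layer raises each error would make the difference look deliberate. The same hunk also changes the bad-filter input to `u"(ceci n'est pas un filtre)"`, which is needed now that the parenthesis check runs first; that part is fine.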
@@ -1659,8 +1666,8 @@ class test_permission_sync_attributes(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + - '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) + + '(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) + + '(objectclass=posixaccount))")' '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -1683,9 +1690,9 @@ class test_permission_sync_attributes(Declarative): attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], - ipapermtarget=[DN(('uid', '*'), users_dn)], - ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'), - groups_dn)], + ipapermtargetfilter=[ + u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), + u'(objectclass=posixaccount)'], memberof=[u'admins'], ipapermlocation=[api.env.basedn], ), @@ -1695,12 +1702,14 @@ class test_permission_sync_attributes(Declarative): verify_permission_aci( permission1, api.env.basedn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + - '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) + + '(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) + + '(objectclass=posixaccount))")' '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), + verify_permission_aci_missing(permission1, users_dn), + dict( desc='Reset location on %r' % permission1, command=( @@ -1721,9 +1730,9 @@ class test_permission_sync_attributes(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], - ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'), - groups_dn)], + ipapermtargetfilter=[ + u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), + u'(objectclass=posixaccount)'], memberof=[u'admins'], ), ), 
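Review bot: In the hunk at 1659 the added line `'(objectclass=posixaccount))")'` has no trailing `+`, so it is joined to the following `'(version 3.0;acl "permission:%s";'` by implicit adjacent-literal concatenation and the `% permission1` is then applied to the fused literal. The resulting string is the same today, but only because the added literal contains no `%` directive, and it is inconsistent with the other hunks in this commit, which end every fragment with an explicit `+`. The same omission appears in the hunk at 1695 on this line and in the hunks at 1732, 1830 and 1864 on the following two lines. Append the operator: `'(objectclass=posixaccount))")' +` here and at 1695/1732, and `'(targetfilter = "(objectclass=ipausergroup)")' +` at 1830/1864.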
@@ -1732,17 +1741,20 @@ class test_permission_sync_attributes(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + - '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) + + '(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) + + '(objectclass=posixaccount))")' '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), + verify_permission_aci_missing(permission1, api.env.basedn), + dict( - desc='Unset target on %r, verify type is gone' % permission1, + desc='Unset objectclass filter on %r, verify type is gone' % permission1, command=( 'permission_mod', [permission1], dict( - ipapermtarget=None, + ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'), + groups_dn), ) ), expected=dict( @@ -1757,8 +1769,8 @@ class test_permission_sync_attributes(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'), - groups_dn)], + ipapermtargetfilter=[ + u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn)], memberof=[u'admins'], ), ), @@ -1822,7 +1834,7 @@ class test_permission_sync_attributes(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[groups_dn], - ipapermtarget=[DN(('cn', '*'), groups_dn)], + ipapermtargetfilter=[u'(objectclass=ipausergroup)'], ), ), ), @@ -1830,7 +1842,7 @@ class test_permission_sync_attributes(Declarative): verify_permission_aci( permission1, groups_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) + + '(targetfilter = "(objectclass=ipausergroup)")' '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), 
@@ -1849,6 +1861,7 @@ class test_permission_sync_attributes(Declarative): dn=permission1_dn, cn=[permission1], objectclass=objectclasses.permission, + type=[u'group'], ipapermright=[u'write'], attrs=[u'sn'], ipapermbindruletype=[u'permission'], @@ -1856,6 +1869,7 @@ class test_permission_sync_attributes(Declarative): ipapermtarget=[DN('cn=editors', groups_dn)], ipapermlocation=[groups_dn], targetgroup=[u'editors'], + ipapermtargetfilter=[u'(objectclass=ipausergroup)'], ), ), ), @@ -1864,6 +1878,7 @@ class test_permission_sync_attributes(Declarative): permission1, groups_dn, '(targetattr = "sn")' + '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) + + '(targetfilter = "(objectclass=ipausergroup)")' '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -1900,9 +1915,9 @@ class test_permission_sync_nice(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], - ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'), - groups_dn)], + ipapermtargetfilter=[ + u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), + u'(objectclass=posixaccount)'], memberof=[u'admins'], ), ), @@ -1911,14 +1926,14 @@ class test_permission_sync_nice(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + - '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) + + '(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) + + '(objectclass=posixaccount))")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), dict( - desc='Unset type on %r, verify target & location are gone' % permission1, + desc='Unset type on %r, verify target & filter are gone' % permission1, command=( 'permission_mod', [permission1], dict( type=None, 
@@ -2001,7 +2016,7 @@ class test_permission_sync_nice(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[groups_dn], - ipapermtarget=[DN(('cn', '*'), groups_dn)], + ipapermtargetfilter=[u'(objectclass=ipausergroup)'], ), ), ), @@ -2009,7 +2024,7 @@ class test_permission_sync_nice(Declarative): verify_permission_aci( permission1, groups_dn, '(targetattr = "sn")' + - '(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) + + '(targetfilter = "(objectclass=ipausergroup)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2028,6 +2043,7 @@ class test_permission_sync_nice(Declarative): dn=permission1_dn, cn=[permission1], objectclass=objectclasses.permission, + type=[u'group'], ipapermright=[u'write'], attrs=[u'sn'], ipapermbindruletype=[u'permission'], @@ -2035,6 +2051,7 @@ class test_permission_sync_nice(Declarative): ipapermtarget=[DN('cn=editors', groups_dn)], ipapermlocation=[groups_dn], targetgroup=[u'editors'], + ipapermtargetfilter=[u'(objectclass=ipausergroup)'], ), ), ), @@ -2043,6 +2060,7 @@ class test_permission_sync_nice(Declarative): permission1, groups_dn, '(targetattr = "sn")' + '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) + + '(targetfilter = "(objectclass=ipausergroup)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2200,14 +2218,14 @@ class test_permission_bindtype(Declarative): ipapermbindruletype=[u'anonymous'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN('uid=*', users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), verify_permission_aci( permission1, users_dn, - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) userdn = "ldap:///anyone";)', ), 
@@ -2262,14 +2280,14 @@ class test_permission_bindtype(Declarative): ipapermbindruletype=[u'all'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN('uid=*', users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), verify_permission_aci( permission1, users_dn, - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) userdn = "ldap:///all";)', ), @@ -2304,7 +2322,7 @@ class test_permission_bindtype(Declarative): objectclass=objectclasses.permission, ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN('uid=*', users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ], ), @@ -2343,14 +2361,14 @@ class test_permission_bindtype(Declarative): ipapermbindruletype=[u'all'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN('uid=*', users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), verify_permission_aci( permission1_renamed, users_dn, - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1_renamed + 'allow (write) userdn = "ldap:///all";)', ), @@ -2375,14 +2393,14 @@ class test_permission_bindtype(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN('uid=*', users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), verify_permission_aci( permission1_renamed, users_dn, - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1_renamed + 'allow (write) groupdn = "ldap:///%s";)' % permission1_renamed_dn, ), 
@@ -2405,14 +2423,14 @@ class test_permission_bindtype(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN('uid=*', users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), verify_permission_aci( permission1, users_dn, - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2510,7 +2528,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'permission'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'cn'], ), @@ -2520,7 +2538,7 @@ class test_managed_permissions(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "cn || l || o")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2559,7 +2577,7 @@ class test_managed_permissions(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "cn || l || o")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2582,7 +2600,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'permission'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'dc'], ipapermincludedattr=[u'dc'], 
@@ -2594,7 +2612,7 @@ class test_managed_permissions(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "dc || l || o")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2616,7 +2634,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'permission'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'sn'], ipapermincludedattr=[u'cn', u'sn'], @@ -2628,7 +2646,7 @@ class test_managed_permissions(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "l || o || sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2650,7 +2668,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'permission'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'sn'], ipapermincludedattr=[u'cn', u'sn', u'o'], @@ -2662,7 +2680,7 @@ class test_managed_permissions(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "l || o || sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), 
@@ -2684,7 +2702,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'permission'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o'], ipapermincludedattr=[u'cn', u'sn', u'o'], @@ -2696,7 +2714,7 @@ class test_managed_permissions(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "l || o")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2717,7 +2735,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o'], ipapermincludedattr=[u'cn', u'sn', u'o'], @@ -2729,7 +2747,7 @@ class test_managed_permissions(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "l || o")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) userdn = "ldap:///all";)', ), @@ -2749,7 +2767,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o'], ipapermincludedattr=[u'cn', u'sn', u'o'], 
@@ -2773,7 +2791,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o'], ipapermincludedattr=[u'cn', u'sn', u'o'], @@ -2792,17 +2810,16 @@ class test_managed_permissions(Declarative): dn=permission1_dn, cn=[permission1], aci=['(targetattr = "l || o")' - '(target = "ldap:///%(tdn)s")' + '(targetfilter = "(objectclass=posixaccount)")' '(version 3.0;acl "permission:%(name)s";' 'allow (write) userdn = "ldap:///all";)' % - {'tdn': DN(('uid', '*'), users_dn), - 'name': permission1}], + {'name': permission1}], objectclass=objectclasses.permission, ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], ipapermincludedattr=[u'cn', u'sn', u'o'], ipapermexcludedattr=[u'cn', u'sn'], @@ -2826,7 +2843,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o'], ipapermexcludedattr=[u'cn'], @@ -2837,7 +2854,7 @@ class test_managed_permissions(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "l || o")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) userdn = "ldap:///all";)', ), 
@@ -2858,7 +2875,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'sn'], ipapermincludedattr=[u'sn'], @@ -2870,7 +2887,7 @@ class test_managed_permissions(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "l || o || sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) userdn = "ldap:///all";)', ), @@ -2892,7 +2909,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'sn'], ipapermincludedattr=[u'sn'], @@ -2918,7 +2935,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'sn'], ipapermincludedattr=[u'sn'], @@ -2955,7 +2972,7 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'sn', u'cn'], ipapermincludedattr=[u'sn'], 
@@ -2966,7 +2983,7 @@ class test_managed_permissions(Declarative): verify_permission_aci( permission1, users_dn, '(targetattr = "cn || l || o || sn")' + - '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(targetfilter = "(objectclass=posixaccount)")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) userdn = "ldap:///all";)', ), diff --git a/ipatests/test_xmlrpc/test_privilege_plugin.py b/ipatests/test_xmlrpc/test_privilege_plugin.py index b76c87c71..37b1592e0 100644 --- a/ipatests/test_xmlrpc/test_privilege_plugin.py +++ b/ipatests/test_xmlrpc/test_privilege_plugin.py @@ -107,7 +107,7 @@ class test_privilege(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN('uid=*', users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -228,7 +228,7 @@ class test_privilege(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtarget=[DN('uid=*', users_dn)], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), -- cgit