From 82738f7ef90586668761a4f1215a734ab8c25f5a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 10 Aug 2015 20:57:58 +0200
Subject: [PATCH] Fixed vault container ownership.

The vault-add command has been fixed such that if the user/service private vault container does not exist yet it will be created and owned by the user/service instead of the vault creator.

https://fedorahosted.org/freeipa/ticket/5194

Reviewed-By: Petr Vobornik
---
 ipalib/plugins/vault.py | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index b5a12d5c3da599d7f5afaed90f579ad3a23c27cd..88c63071f04462aa240a70d3a3eeac2d04e66062 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -704,12 +704,33 @@ class vault_add_internal(LDAPCreate):
         else:
             owner_dn = self.api.Object.user.get_dn(name)
 
+        parent_dn = DN(*dn[1:])
+
+        container_dn = DN(self.api.Object.vault.container_dn,
+                          self.api.env.basedn)
+
+        services_dn = DN(('cn', 'services'), container_dn)
+        users_dn = DN(('cn', 'users'), container_dn)
+
+        if dn.endswith(services_dn):
+            # service container should be owned by the service
+            service = parent_dn[0]['cn']
+            parent_owner_dn = self.api.Object.service.get_dn(service)
+
+        elif dn.endswith(users_dn):
+            # user container should be owned by the user
+            user = parent_dn[0]['cn']
+            parent_owner_dn = self.api.Object.user.get_dn(user)
+
+        else:
+            parent_owner_dn = owner_dn
+
         try:
-            parent_dn = DN(*dn[1:])
-            self.obj.create_container(parent_dn, owner_dn)
-        except errors.DuplicateEntry, e:
+            self.obj.create_container(parent_dn, parent_owner_dn)
+        except errors.DuplicateEntry as e:
             pass
 
+        # vault should be owned by the creator
         entry_attrs['owner'] = owner_dn
 
         return dn
-- 
2.4.3
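Review bot: The new `except errors.DuplicateEntry as e: pass` binds `e` and never reads it, and it silently keeps whatever container already exists — including the owner set by the pre-fix code, which the commit message says was the creator; write it as `except errors.DuplicateEntry:` with a comment such as `# container already exists; its current owner is deliberately left untouched` so the next reader knows this path does not repair old ownership. In the `services_dn`/`users_dn` branches `parent_owner_dn` is built purely from the RDN via `parent_dn[0]['cn']` and `get_dn()`, and nothing in the hunk verifies that the named user or service entry exists before the container is created with that owner DN; if `create_container` (outside the hunk) does not check either, a misspelled name yields a container whose owner points at no entry, which is worth either an explicit lookup or a comment stating where the check happens. The `dn.endswith(services_dn)` test is also true for any depth below `cn=services`, so the `parent_dn[0]['cn']` assumption that the immediate parent is the service container may need a comment. The enclosing method begins before this hunk.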