From cd5b6cdcf3e6bfc5776f2865f460f608421dfa3f Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 14 Jun 2021 08:42:21 +0200 Subject: [PATCH 2/2] Add delattr option Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690920 --- doc/adcli.xml | 11 ++++++++ library/adenroll.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++ library/adenroll.h | 4 +++ tools/computer.c | 9 +++++++ 4 files changed, 90 insertions(+) diff --git a/doc/adcli.xml b/doc/adcli.xml index 8383aa7..bcf4857 100644 --- a/doc/adcli.xml +++ b/doc/adcli.xml @@ -577,6 +577,17 @@ $ adcli update --login-ccache=/tmp/krbcc_123 adcli options cannot be set with this option. + + + Remove the LDAP attribute + from the + LDAP host object. This option can be used multiple + times to remove multiple different attributes. + Please note that the account used to update the + host object must have the required privileges to delete + the given attributes. Attributes managed by other adcli + options cannot be removed. + After a successful join print out information diff --git a/library/adenroll.c b/library/adenroll.c index dd51567..9a06d52 100644 --- a/library/adenroll.c +++ b/library/adenroll.c @@ -151,5 +151,6 @@ struct _adcli_enroll { char *description; char **setattr; + char **delattr; }; static const char * @@ -845,6 +846,39 @@ get_mods_for_attrs (adcli_enroll *enroll, int mod_op) return mods; } +static LDAPMod ** +get_del_mods_for_attrs (adcli_enroll *enroll, int mod_op) +{ + size_t len; + size_t c; + LDAPMod **mods = NULL; + + len = _adcli_strv_len (enroll->delattr); + if (len == 0) { + return NULL; + } + + mods = calloc (len + 1, sizeof (LDAPMod *)); + return_val_if_fail (mods != NULL, NULL); + + for (c = 0; c < len; c++) { + mods[c] = calloc (1, sizeof (LDAPMod)); + if (mods[c] == NULL) { + ldap_mods_free (mods, 1); + return NULL; + } + + mods[c]->mod_op = mod_op; + mods[c]->mod_type = strdup (enroll->delattr[c]); + mods[c]->mod_values = NULL; + if (mods[c]->mod_type == NULL) { + ldap_mods_free (mods, 1); + return NULL; + } + } + + return mods; +} static adcli_result create_computer_account (adcli_enroll *enroll, @@ -1775,6 +1809,14 @@ update_computer_account (adcli_enroll *enroll) } } + if (res == ADCLI_SUCCESS && enroll->delattr != NULL) { + LDAPMod **mods = get_del_mods_for_attrs (enroll, LDAP_MOD_DELETE); + if (mods != NULL) { + res |= update_computer_attribute (enroll, ldap, mods); + ldap_mods_free (mods, 1); + } + } + if (res != 0) _adcli_info ("Updated existing computer account: %s", enroll->computer_dn); } @@ -3475,6 +3517,30 @@ adcli_enroll_get_setattr (adcli_enroll *enroll) return (const char **) enroll->setattr; } +adcli_result +adcli_enroll_add_delattr (adcli_enroll *enroll, const char *value) +{ + return_val_if_fail (enroll != NULL, ADCLI_ERR_CONFIG); + return_val_if_fail (value != NULL, ADCLI_ERR_CONFIG); + + if (_adcli_strv_has_ex (default_ad_ldap_attrs, value, strcasecmp) == 1) { + _adcli_err ("Attribute [%s] cannot be removed with delattr", value); + return ADCLI_ERR_CONFIG; + } + + enroll->delattr = _adcli_strv_add (enroll->delattr, strdup (value), + NULL); + return_val_if_fail (enroll->delattr != NULL, ADCLI_ERR_CONFIG); + + return ADCLI_SUCCESS; +} + +const char ** +adcli_enroll_get_delattr (adcli_enroll *enroll) +{ + return_val_if_fail (enroll != NULL, NULL); + return (const char **) enroll->delattr; +} #ifdef ADENROLL_TESTS diff --git a/library/adenroll.h b/library/adenroll.h index 862bb60..e3ada33 100644 --- a/library/adenroll.h +++ b/library/adenroll.h @@ -142,6 +142,10 @@ const char ** adcli_enroll_get_setattr (adcli_enroll *enroll); adcli_result adcli_enroll_add_setattr (adcli_enroll *enroll, const char *value); +const char ** adcli_enroll_get_delattr (adcli_enroll *enroll); +adcli_result adcli_enroll_add_delattr (adcli_enroll *enroll, + const char *value); + bool adcli_enroll_get_is_service (adcli_enroll *enroll); void adcli_enroll_set_is_service (adcli_enroll *enroll, bool value); diff --git a/tools/computer.c b/tools/computer.c index af38894..dffeecb 100644 --- a/tools/computer.c +++ b/tools/computer.c @@ -115,6 +115,7 @@ typedef enum { opt_remove_service_principal, opt_description, opt_setattr, + opt_delattr, opt_use_ldaps, } Option; @@ -154,6 +155,7 @@ static adcli_tool_desc common_usages[] = { { opt_remove_service_principal, "remove the given service principal from the account\n" }, { opt_description, "add a description to the account\n" }, { opt_setattr, "add an attribute with a value\n" }, + { opt_delattr, "remove an attribute\n" }, { opt_no_password, "don't prompt for or read a password" }, { opt_prompt_password, "prompt for a password if necessary" }, { opt_stdin_password, "read a password from stdin (until EOF) if\n" @@ -341,6 +343,12 @@ parse_option (Option opt, warnx ("parsing setattr option failed"); } return ret; + case opt_delattr: + ret = adcli_enroll_add_delattr (enroll, optarg); + if (ret != ADCLI_SUCCESS) { + warnx ("parsing delattr option failed"); + } + return ret; case opt_use_ldaps: adcli_conn_set_use_ldaps (conn, true); return ADCLI_SUCCESS; @@ -534,6 +542,7 @@ adcli_tool_computer_update (adcli_conn *conn, { "os-service-pack", optional_argument, NULL, opt_os_service_pack }, { "description", optional_argument, NULL, opt_description }, { "setattr", required_argument, NULL, opt_setattr }, + { "delattr", required_argument, NULL, opt_delattr }, { "user-principal", optional_argument, NULL, opt_user_principal }, { "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime }, { "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation }, -- 2.31.1