From 5731aa2850d150a90ad84ce5492cd5d8b154e413 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 23 Jul 2019 09:31:53 +0200
Subject: [PATCH] user-stage: transfer all attributes from preserved to stage
user
The user-stage command is internally implemented as:
- user_show(all=True) in order to read the user attributes
- loop on the attributes defined as possible to add using stageuser-add and
transform them into new options for stageuser_add (for instance stageuser-add
provides the option --shell for the attribute loginshell, but there is no
option for the attribute businesscategory).
- call stageuser_add in order to create a new entry in the active users subtree
- user-del to remove the previous entry in the staged users subtree
The issue is in the 2nd step. Only the attributes with a stageuser-add option
are processed.
The logic of the code should be slightly modified, so that all the attributes
read in the first step are processed:
- if they correspond to an option of stageuser-add, process them like it's
currently done. For instance if the entry contains displayname, then it
should be processed as --displayName=value in the stageuser-add cmd
- if they do not correspond to an option of stageuser-add, add them with
--setattr=<attrname>=<attrvalue>
Note that some attributes may need to be filtered, for instance user-show
returns has_password or has_keytab, which do not correspond to attributes
in the LDAP entry.
Fixes: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/plugins/user.py | 44 +++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
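--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -919,7 +919,29 @@ class user_stage(LDAPMultiQuery):
 has_output = output.standard_multi_delete
 msg_summary = _('Staged user account "%(value)s"')
 
+ # when moving from preserved to stage, some attributes may be
+ # present in the preserved entry but cannot be provided to
+ # stageuser_add
+ # For instance: dn and uid are derived from LOGIN argument
+ # has_keytab, has_password, preserved are virtual attributes
+ # ipauniqueid, krbcanonicalname, sshpubkeyfp, krbextradata
+ # are automatically generated
+ # ipacertmapdata can only be provided with user_add_certmapdata
+ ignore_attrs = [u'dn', u'uid',
+ u'has_keytab', u'has_password', u'preserved',
+ u'ipauniqueid', u'krbcanonicalname',
+ u'sshpubkeyfp', u'krbextradata',
+ u'ipacertmapdata',
+ u'nsaccountlock']
+
 def execute(self, *keys, **options):
+
+ def _build_setattr_arg(key, val):
+ if isinstance(val, bytes):
+ return u"{}={}".format(key, val.decode('UTF-8'))
+ else:
+ return u"{}={}".format(key, val)
+
 staged = []
 failed = []
 
@@ -940,8 +962,30 @@ class user_stage(LDAPMultiQuery):
 value = value[0]
 new_options[param.name] = value
 
+ # Some attributes may not be accessible through the Command
+ # options and need to be added with --setattr
+ set_attr = []
+ for userkey in user.keys():
+ if userkey in new_options or userkey in self.ignore_attrs:
+ continue
+ value = user[userkey]
+
+ if isinstance(value, (list, tuple)):
+ for val in value:
+ set_attr.append(_build_setattr_arg(userkey, val))
+ else:
+ set_attr.append(_build_setattr_arg(userkey, val))
+ if set_attr:
+ new_options[u'setattr'] = set_attr
+
 try:
 self.api.Command.stageuser_add(*single_keys, **new_options)
+ # special handling for certmapdata
+ certmapdata = user.get(u'ipacertmapdata')
+ if certmapdata:
+ self.api.Command.stageuser_add_certmapdata(
+ *single_keys,
+ ipacertmapdata=certmapdata)
 try:
 self.api.Command.user_del(*multi_keys, preserve=False)
 except errors.ExecutionError: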
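Review bot: The `else:` branch of the new setattr loop in the second hunk passes `val`, the loop variable of the list branch, instead of the scalar `value` it has just read from `user[userkey]`; for the first single-valued attribute `val` is unbound and raises UnboundLocalError, and once a multi-valued attribute has been processed it silently copies that attribute's last value under the wrong attribute name into the staged entry. The line should read `set_attr.append(_build_setattr_arg(userkey, value))`. Separately, `_build_setattr_arg` calls `val.decode('UTF-8')` unconditionally, so any attribute whose value is non-UTF-8 bytes (presumably binary attributes, if user_show returns them as raw bytes) would abort the whole stage operation with UnicodeDecodeError rather than being skipped or reported per attribute; either extend `ignore_attrs` or handle the decode error next to the call. The body of execute() starts before the first hunk and continues past the end of the second.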
--
2.20.1