From 6087dd789833738e99040d031473c76ed9d8723c Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 12 Aug 2015 11:03:40 +0200
Subject: [PATCH] ULC: Prevent preserved users from being assigned membership
|
https://fedorahosted.org/freeipa/ticket/5170
|
Reviewed-By: David Kupka <dkupka@redhat.com>
---
ipalib/plugins/user.py | 31 ++++++++++++++++++-------------
1 file changed, 18 insertions(+), 13 deletions(-)
|
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
|
|
|
590d18 |
index 859939205f903fa4832524c8d2601141f3674bb5..4ea770ede7525149780f1486b5e4eb44699c8533 100644
|
|
|
590d18 |
--- a/ipalib/plugins/user.py
|
|
|
590d18 |
+++ b/ipalib/plugins/user.py
|
|
|
590d18 |
@@ -342,7 +342,7 @@ class user(baseuser):
|
|
|
590d18 |
),
|
|
|
590d18 |
)
|
|
|
590d18 |
|
|
|
590d18 |
- def get_dn(self, *keys, **options):
|
|
|
590d18 |
+ def get_either_dn(self, *keys, **options):
|
|
|
590d18 |
'''
|
|
|
590d18 |
Returns the DN of a user
|
|
|
590d18 |
The user can be active (active container) or delete (delete container)
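Review bot: The docstring of the renamed `get_either_dn` should record why the split exists, because the rename is what actually enforces the ticket: the inherited `get_dn` now resolves only the active container, so any caller that presumably looks up a user DN for membership (group/role add-member and similar framework paths) can no longer target a preserved entry, while the explicit `get_either_dn` is reserved for the user-* commands that must also see preserved users. I would add after the summary line: `Commands that must never operate on a preserved user (anything granting membership) keep using get_dn, which resolves the active container only.` and replace `delete (delete container)` with `preserved (delete container)`. The method body continues past the end of this hunk.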
|
|
|
590d18 |
@@ -351,7 +351,7 @@ class user(baseuser):
|
|
|
590d18 |
ldap = self.backend
|
|
|
590d18 |
# Check that this value is a Active user
|
|
|
590d18 |
try:
|
|
|
590d18 |
- active_dn = super(user, self).get_dn(*keys, **options)
|
|
|
590d18 |
+ active_dn = self.get_dn(*keys, **options)
|
|
|
590d18 |
ldap.get_entry(active_dn, ['dn'])
|
|
|
590d18 |
|
|
|
590d18 |
# The Active user exists
|
|
|
590d18 |
@@ -402,7 +402,7 @@ class user_add(baseuser_add):
|
|
|
590d18 |
)
|
|
|
590d18 |
|
|
|
590d18 |
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
|
|
590d18 |
- assert isinstance(dn, DN)
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
if not options.get('noprivate', False):
|
|
|
590d18 |
try:
|
|
|
590d18 |
# The Managed Entries plugin will allow a user to be created
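Review bot: In `user_add.pre_callback` the framework-supplied `dn` is silently discarded and recomputed with `get_either_dn`, so when a preserved user with the same uid already exists the local `dn` now points into the delete container rather than the active one; if the rest of the callback (outside this hunk) returns `dn`, the add would be attempted under the delete container instead of being rejected as a duplicate. Please confirm the existing preserved-user duplicate check still runs before `dn` is used, and make the override explicit with a comment such as `# resolve against both containers; the framework-supplied dn covers only the active one`. The dropped assert was not load-bearing since `get_either_dn` returns a DN, but a stated reason is clearer than shadowing a parameter.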
|
|
|
590d18 |
@@ -599,7 +599,7 @@ class user_del(baseuser_del):
|
|
|
590d18 |
return super(user_del, self).forward(*keys, **options)
|
|
|
590d18 |
|
|
|
590d18 |
def pre_callback(self, ldap, dn, *keys, **options):
|
|
|
590d18 |
- assert isinstance(dn, DN)
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
|
|
|
590d18 |
# For User life Cycle: user-del is a common plugin
|
|
|
590d18 |
# command to delete active user (active container) and
|
|
|
590d18 |
@@ -625,7 +625,7 @@ class user_del(baseuser_del):
|
|
|
590d18 |
|
|
|
590d18 |
def execute(self, *keys, **options):
|
|
|
590d18 |
|
|
|
590d18 |
- dn = self.obj.get_dn(*keys, **options)
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
|
|
|
590d18 |
# We are going to permanent delete or the user is already in the delete container.
|
|
|
590d18 |
delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
|
|
|
590d18 |
@@ -644,7 +644,7 @@ class user_del(baseuser_del):
|
|
|
590d18 |
ldap = self.obj.backend
|
|
|
590d18 |
|
|
|
590d18 |
# need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9')..
|
|
|
590d18 |
- active_dn = self.obj.get_dn(*keys, **options)
|
|
|
590d18 |
+ active_dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
superior_dn = DN(self.obj.delete_container_dn, api.env.basedn)
|
|
|
590d18 |
delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn)
|
|
|
590d18 |
self.log.debug("preserve move %s -> %s" % (active_dn, delete_dn))
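Review bot: `delete_dn` is built from `active_dn[0]`, but `active_dn` can now already lie in the delete container because `get_either_dn` returns whichever entry exists, in which case `delete_dn == active_dn` and the preserve move becomes a rename onto itself. The `execute` hunk above mentions the user may already be in the delete container, so this path is presumably guarded there; if so, a one-line comment `# active_dn is in the active container here (checked in execute)` would make the invariant visible, otherwise an explicit `if active_dn == delete_dn: return` guard is needed. The enclosing function starts and ends outside this hunk.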
|
|
|
590d18 |
@@ -701,6 +701,7 @@ class user_mod(baseuser_mod):
|
|
|
590d18 |
has_output_params = baseuser_mod.has_output_params + user_output_params
|
|
|
590d18 |
|
|
|
590d18 |
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
self.pre_common_callback(ldap, dn, entry_attrs, **options)
|
|
|
590d18 |
validate_nsaccountlock(entry_attrs)
|
|
|
590d18 |
return dn
|
|
|
590d18 |
@@ -777,6 +778,10 @@ class user_show(baseuser_show):
|
|
|
590d18 |
),
|
|
|
590d18 |
)
|
|
|
590d18 |
|
|
|
590d18 |
+ def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
+ return dn
|
|
|
590d18 |
+
|
|
|
590d18 |
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
|
|
590d18 |
convert_nsaccountlock(entry_attrs)
|
|
|
590d18 |
self.post_common_callback(ldap, dn, entry_attrs, **options)
|
|
|
590d18 |
@@ -813,7 +818,7 @@ class user_undel(LDAPQuery):
|
|
|
590d18 |
ldap = self.obj.backend
|
|
|
590d18 |
|
|
|
590d18 |
# First check that the user exists and is a delete one
|
|
|
590d18 |
- delete_dn = self.obj.get_dn(*keys, **options)
|
|
|
590d18 |
+ delete_dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
if delete_dn.endswith(DN(self.obj.active_container_dn, api.env.basedn)):
|
|
|
590d18 |
raise errors.ValidationError(
|
|
|
590d18 |
name=self.obj.primary_key.cli_name,
|
|
|
590d18 |
@@ -860,7 +865,7 @@ class user_disable(LDAPQuery):
|
|
|
590d18 |
|
|
|
590d18 |
check_protected_member(keys[-1])
|
|
|
590d18 |
|
|
|
590d18 |
- dn = self.obj.get_dn(*keys, **options)
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
ldap.deactivate_entry(dn)
|
|
|
590d18 |
|
|
|
590d18 |
return dict(
|
|
|
590d18 |
@@ -880,7 +885,7 @@ class user_enable(LDAPQuery):
|
|
|
590d18 |
def execute(self, *keys, **options):
|
|
|
590d18 |
ldap = self.obj.backend
|
|
|
590d18 |
|
|
|
590d18 |
- dn = self.obj.get_dn(*keys, **options)
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
|
|
|
590d18 |
ldap.activate_entry(dn)
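Review bot: `user_enable` now resolves preserved users through `get_either_dn` and passes the resulting DN straight to `ldap.activate_entry`, so an entry in the delete container can be re-enabled in place without going through `user_undel`. Whether a preserved account should ever be enabled is not decided in this hunk; `user_undel` rejects the wrong container with a ValidationError, and a matching check here — `if dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)): raise errors.ValidationError(name=self.obj.primary_key.cli_name, ...)` — would keep the two commands consistent, unless preserved users are meant to carry nsaccountlock state that can be toggled. If that is intended, a comment saying so would stop the next reader from flagging it; the same consideration applies to `user_unlock` below.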
|
|
|
590d18 |
|
|
|
590d18 |
@@ -904,7 +909,7 @@ class user_unlock(LDAPQuery):
|
|
|
590d18 |
msg_summary = _('Unlocked account "%(value)s"')
|
|
|
590d18 |
|
|
|
590d18 |
def execute(self, *keys, **options):
|
|
|
590d18 |
- dn = self.obj.get_dn(*keys, **options)
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
entry = self.obj.backend.get_entry(
|
|
|
590d18 |
dn, ['krbLastAdminUnlock', 'krbLoginFailedCount'])
|
|
|
590d18 |
|
|
|
590d18 |
@@ -948,7 +953,7 @@ class user_status(LDAPQuery):
|
|
|
590d18 |
|
|
|
590d18 |
def execute(self, *keys, **options):
|
|
|
590d18 |
ldap = self.obj.backend
|
|
|
590d18 |
- dn = self.obj.get_dn(*keys, **options)
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth', 'nsaccountlock']
|
|
|
590d18 |
|
|
|
590d18 |
disabled = False
|
|
|
590d18 |
@@ -1037,7 +1042,7 @@ class user_add_cert(LDAPAddAttribute):
|
|
|
590d18 |
|
|
|
590d18 |
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
|
|
|
590d18 |
**options):
|
|
|
590d18 |
- assert isinstance(dn, DN)
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
|
|
|
590d18 |
self.obj.convert_usercertificate_pre(entry_attrs)
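Review bot: `user_add_cert` now attaches certificates to preserved users as well, since `get_either_dn` resolves both containers; a certificate bound to a preserved entry presumably becomes a usable credential the moment the user is undeleted, which may be acceptable but is not stated anywhere. If adding credentials to preserved accounts is intended, document it with `# preserved users are valid targets: the cert becomes usable once the user is undeleted`; if not, reject the delete container here the way `user_undel` rejects the active one. The callback body continues past this hunk.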
|
|
|
590d18 |
|
|
|
590d18 |
@@ -1059,7 +1064,7 @@ class user_remove_cert(LDAPRemoveAttribute):
|
|
|
590d18 |
|
|
|
590d18 |
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
|
|
|
590d18 |
**options):
|
|
|
590d18 |
- assert isinstance(dn, DN)
|
|
|
590d18 |
+ dn = self.obj.get_either_dn(*keys, **options)
|
|
|
590d18 |
|
|
|
590d18 |
self.obj.convert_usercertificate_pre(entry_attrs)
|
|
|
590d18 |
|
|
|
590d18 |
--
2.4.3