mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
ipa user-add: add optional objectclass for radius-username
The command "ipa user-add --radius-username" fails with ipa: ERROR: attribute "ipatokenRadiusUserName" not allowed because it does not add the objectclass ipatokenradiusproxyuser that is required by the attribute ipatokenradiususername. The issue happens with ipa user-add / stageuser-add / user-mod / stageuser-mod. The fix adds the objectclass when needed in the pre_common_callback method of baseuser_add and baseuser_mod (ensuring that user and stageuser commands are fixed). Fixes https://pagure.io/freeipa/issue/7569 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
parent
d39bb65a2f
commit
19cd960387
@ -485,6 +485,9 @@ class baseuser_add(LDAPCreate):
|
||||
assert isinstance(dn, DN)
|
||||
set_krbcanonicalname(entry_attrs)
|
||||
self.obj.convert_usercertificate_pre(entry_attrs)
|
||||
if entry_attrs.get('ipatokenradiususername', None):
|
||||
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
|
||||
entry_attrs, update=False)
|
||||
|
||||
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||
assert isinstance(dn, DN)
|
||||
@ -573,8 +576,10 @@ class baseuser_mod(LDAPUpdate):
|
||||
setattr(context, 'randompassword', entry_attrs['userpassword'])
|
||||
|
||||
def check_objectclass(self, ldap, dn, entry_attrs):
|
||||
if ('ipasshpubkey' in entry_attrs or 'ipauserauthtype' in entry_attrs
|
||||
or 'userclass' in entry_attrs or 'ipatokenradiusconfiglink' in entry_attrs):
|
||||
# Some attributes may require additional object classes
|
||||
special_attrs = {'ipasshpubkey', 'ipauserauthtype', 'userclass',
|
||||
'ipatokenradiusconfiglink', 'ipatokenradiususername'}
|
||||
if special_attrs.intersection(entry_attrs):
|
||||
if 'objectclass' in entry_attrs:
|
||||
obj_classes = entry_attrs['objectclass']
|
||||
else:
|
||||
@ -602,6 +607,15 @@ class baseuser_mod(LDAPUpdate):
|
||||
answer = self.api.Object['radiusproxy'].get_dn_if_exists(cl)
|
||||
entry_attrs['ipatokenradiusconfiglink'] = answer
|
||||
|
||||
# Note: we could have used the method add_missing_object_class
|
||||
# but since the data is already fetched and lowercased in
|
||||
# obj_classes, it is more efficient to use the same approach
|
||||
# as the code right above these lines
|
||||
if 'ipatokenradiususername' in entry_attrs:
|
||||
if 'ipatokenradiusproxyuser' not in obj_classes:
|
||||
entry_attrs['objectclass'].append(
|
||||
'ipatokenradiusproxyuser')
|
||||
|
||||
def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
|
||||
**options):
|
||||
assert isinstance(dn, DN)
|
||||
|
Loading…
Reference in New Issue
Block a user