ipa user-add: add optional objectclass for radius-username

The command "ipa user-add --radius-username" fails with
ipa: ERROR: attribute "ipatokenRadiusUserName" not allowed
because it does not add the objectclass ipatokenradiusproxyuser
that is required by the attribute ipatokenradiususername.

The issue happens with ipa user-add / stageuser-add / user-mod / stageuser-mod.

The fix adds the objectclass when needed in the pre_common_callback method
of baseuser_add and baseuser_mod (ensuring that user and stageuser commands
are fixed).

Fixes https://pagure.io/freeipa/issue/7569

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2018-11-06 16:43:29 +01:00 committed by Christian Heimes
parent d39bb65a2f
commit 19cd960387

View File

@ -485,6 +485,9 @@ class baseuser_add(LDAPCreate):
assert isinstance(dn, DN)
set_krbcanonicalname(entry_attrs)
self.obj.convert_usercertificate_pre(entry_attrs)
if entry_attrs.get('ipatokenradiususername', None):
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
entry_attrs, update=False)
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
@ -573,8 +576,10 @@ class baseuser_mod(LDAPUpdate):
setattr(context, 'randompassword', entry_attrs['userpassword'])
def check_objectclass(self, ldap, dn, entry_attrs):
if ('ipasshpubkey' in entry_attrs or 'ipauserauthtype' in entry_attrs
or 'userclass' in entry_attrs or 'ipatokenradiusconfiglink' in entry_attrs):
# Some attributes may require additional object classes
special_attrs = {'ipasshpubkey', 'ipauserauthtype', 'userclass',
'ipatokenradiusconfiglink', 'ipatokenradiususername'}
if special_attrs.intersection(entry_attrs):
if 'objectclass' in entry_attrs:
obj_classes = entry_attrs['objectclass']
else:
@ -602,6 +607,15 @@ class baseuser_mod(LDAPUpdate):
answer = self.api.Object['radiusproxy'].get_dn_if_exists(cl)
entry_attrs['ipatokenradiusconfiglink'] = answer
# Note: we could have used the method add_missing_object_class
# but since the data is already fetched and lowercased in
# obj_classes, it is more efficient to use the same approach
# as the code right above these lines
if 'ipatokenradiususername' in entry_attrs:
if 'ipatokenradiusproxyuser' not in obj_classes:
entry_attrs['objectclass'].append(
'ipatokenradiusproxyuser')
def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options):
assert isinstance(dn, DN)