IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa user-add: add optional objectclass for radius-username

Browse Source 
The command "ipa user-add --radius-username" fails with
ipa: ERROR: attribute "ipatokenRadiusUserName" not allowed
because it does not add the objectclass ipatokenradiusproxyuser
that is required by the attribute ipatokenradiususername.

The issue happens with ipa user-add / stageuser-add / user-mod / stageuser-mod.

The fix adds the objectclass when needed in the pre_common_callback method
of baseuser_add and baseuser_mod (ensuring that user and stageuser commands
are fixed).

Fixes https://pagure.io/freeipa/issue/7569

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Florence Blanc-Renaud
2018-11-06 16:43:29 +01:00
committed by Christian Heimes
parent d39bb65a2f
commit 19cd960387
1 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
ipaserver/plugins/baseuser.py
View File

@@ -485,6 +485,9 @@ class baseuser_add(LDAPCreate):
assert isinstance(dn, DN) assert isinstance(dn, DN)
set_krbcanonicalname(entry_attrs) set_krbcanonicalname(entry_attrs)
self.obj.convert_usercertificate_pre(entry_attrs) self.obj.convert_usercertificate_pre(entry_attrs)
if entry_attrs.get('ipatokenradiususername', None):
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
entry_attrs, update=False)
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options): def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN) assert isinstance(dn, DN)
@@ -573,8 +576,10 @@ class baseuser_mod(LDAPUpdate):
setattr(context, 'randompassword', entry_attrs['userpassword']) setattr(context, 'randompassword', entry_attrs['userpassword'])
def check_objectclass(self, ldap, dn, entry_attrs): def check_objectclass(self, ldap, dn, entry_attrs):
if ('ipasshpubkey' in entry_attrs or 'ipauserauthtype' in entry_attrs # Some attributes may require additional object classes
or 'userclass' in entry_attrs or 'ipatokenradiusconfiglink' in entry_attrs): special_attrs = {'ipasshpubkey', 'ipauserauthtype', 'userclass',
'ipatokenradiusconfiglink', 'ipatokenradiususername'}
if special_attrs.intersection(entry_attrs):
if 'objectclass' in entry_attrs: if 'objectclass' in entry_attrs:
obj_classes = entry_attrs['objectclass'] obj_classes = entry_attrs['objectclass']
else: else:
@@ -602,6 +607,15 @@ class baseuser_mod(LDAPUpdate):
answer = self.api.Object['radiusproxy'].get_dn_if_exists(cl) answer = self.api.Object['radiusproxy'].get_dn_if_exists(cl)
entry_attrs['ipatokenradiusconfiglink'] = answer entry_attrs['ipatokenradiusconfiglink'] = answer
# Note: we could have used the method add_missing_object_class
# but since the data is already fetched and lowercased in
# obj_classes, it is more efficient to use the same approach
# as the code right above these lines
if 'ipatokenradiususername' in entry_attrs:
if 'ipatokenradiusproxyuser' not in obj_classes:
entry_attrs['objectclass'].append(
'ipatokenradiusproxyuser')
def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options): **options):
assert isinstance(dn, DN) assert isinstance(dn, DN)