Add managed read permission for the UPG Definition

Since user_add checks the UPG definition to see if UPG is enabled, user admins need read access to add users correctly. All attributes are allowed since UPG Definition is an extensibleObject; the needed attributes are not in the schema. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2024-12-25 16:31:08 -06:00 · 2014-05-28 12:42:02 +02:00 · 2014-05-28 12:42:02 +02:00 · 32efe5a887
commit 32efe5a887
parent 647fa1db85
1 changed files with 17 additions and 0 deletions
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@ -111,6 +111,12 @@ status_output_params = (
    ),
   )

+UPG_DEFINITION_DN = DN(('cn', 'UPG Definition'),
+                       ('cn', 'Definitions'),
+                       ('cn', 'Managed Entries'),
+                       ('cn', 'etc'),
+                       api.env.basedn)
+
 # characters to be used for generating random user passwords
 user_pwdchars = string.digits + string.ascii_letters + '_,.@+-='

@ -319,6 +325,17 @@ class user(LDAPObject):
                'memberof',
            },
        },
+        'System: Read UPG Definition': {
+            # Required for adding users
+            'replaces_global_anonymous_aci': True,
+            'non_object': True,
+            'ipapermlocation': UPG_DEFINITION_DN,
+            'ipapermtarget': UPG_DEFINITION_DN,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {'*'},
+            'default_privileges': {'User Administrators'},
+        },
    }

    label = _('Users')