In meta data make ACI attributes lower-case, sorted. Add possible attributes.

The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).

To make the list easier to handle sort it and make it all lower-case.

Fix a couple of missed camel-case attributes in the default ACI list.

ticket 641
This commit is contained in:
Rob Crittenden 2010-12-20 23:28:33 -05:00
parent 1a7f5e0cc4
commit 4d6cd89258
4 changed files with 11 additions and 4 deletions

View File

@ -496,7 +496,7 @@ aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Ad
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";)
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
# Group administration
@ -508,7 +508,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFI
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";)
# We need objectclass and gidnumber in modify so a non-posix group can be
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
# Host administration

View File

@ -233,6 +233,9 @@ class LDAPObject(Object):
object_name_plural = 'entries'
object_class = []
object_class_config = None
# If an objectclass is possible but not default in an entry. Needed for
# collecting attributes for ACI UI.
possible_objectclasses = []
search_attributes = []
search_attributes_config = None
default_attributes = []
@ -356,17 +359,19 @@ class LDAPObject(Object):
objectclasses = config.get(
self.object_class_config, objectclasses
)
objectclasses += self.possible_objectclasses
# Get list of available attributes for this object for use
# in the ACI UI.
attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
attrlist = []
# Go through the MUST first
for (oid, attr) in attrs[0].iteritems():
attrlist.append(attr.names[0])
attrlist.append(attr.names[0].lower())
# And now the MAY
for (oid, attr) in attrs[1].iteritems():
attrlist.append(attr.names[0])
attrlist.append(attr.names[0].lower())
json_dict['aciattrs'] = attrlist
attrlist.sort()
json_dict['methods'] = [m for m in self.methods]
return json_dict

View File

@ -81,6 +81,7 @@ class group(LDAPObject):
object_name_plural = 'groups'
object_class = ['ipausergroup']
object_class_config = 'ipagroupobjectclasses'
possible_objectclasses = ['posixGroup', 'mepManagedEntry']
search_attributes_config = 'ipagroupsearchfields'
default_attributes = [
'cn', 'description', 'gidnumber', 'member', 'memberof',

View File

@ -63,6 +63,7 @@ class user(LDAPObject):
object_name_plural = 'users'
object_class = ['posixaccount']
object_class_config = 'ipauserobjectclasses'
possible_objectclasses = ['meporiginentry']
search_attributes_config = 'ipausersearchfields'
default_attributes = [
'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou',