In meta data make ACI attributes lower-case, sorted. Add possible attributes.
The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups). To make the list easier to handle, sort it and make it all lower-case. Fix a couple of missed camel-case attributes in the default ACI list. ticket 641
This commit is contained in:
parent
1a7f5e0cc4
commit
4d6cd89258
@ -496,7 +496,7 @@ aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Ad
|
||||
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";)
|
||||
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";)
|
||||
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";)
|
||||
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
|
||||
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Group administration
|
||||
|
||||
@ -508,7 +508,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFI
|
||||
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";)
|
||||
# We need objectclass and gidnumber in modify so a non-posix group can be
|
||||
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
|
||||
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
|
||||
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Host administration
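Review bot: The comment on the context line above the changed "Modify Groups" ACI reads `mqpManagedBy`, which does not match the `mepmanagedby` attribute the ACI actually grants; while this ACI is being touched I would correct it to `# promoted. We need mepManagedBy and ipaUniqueId so a group can be detached.` The ACI change itself only lowercases `ipaUniqueId`; attribute names in targetattr are matched case-insensitively by the directory server, so the set of writable attributes should be unchanged and the edit is about consistency with the generated attribute list.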
|
||||
|
||||
|
@ -233,6 +233,9 @@ class LDAPObject(Object):
|
||||
object_name_plural = 'entries'
|
||||
object_class = []
|
||||
object_class_config = None
|
||||
# If an objectclass is possible but not default in an entry. Needed for
|
||||
# collecting attributes for ACI UI.
|
||||
possible_objectclasses = []
|
||||
search_attributes = []
|
||||
search_attributes_config = None
|
||||
default_attributes = []
|
||||
@ -356,17 +359,19 @@ class LDAPObject(Object):
|
||||
objectclasses = config.get(
|
||||
self.object_class_config, objectclasses
|
||||
)
|
||||
objectclasses += self.possible_objectclasses
|
||||
# Get list of available attributes for this object for use
|
||||
# in the ACI UI.
|
||||
attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
|
||||
attrlist = []
|
||||
# Go through the MUST first
|
||||
for (oid, attr) in attrs[0].iteritems():
|
||||
attrlist.append(attr.names[0])
|
||||
attrlist.append(attr.names[0].lower())
|
||||
# And now the MAY
|
||||
for (oid, attr) in attrs[1].iteritems():
|
||||
attrlist.append(attr.names[0])
|
||||
attrlist.append(attr.names[0].lower())
|
||||
json_dict['aciattrs'] = attrlist
|
||||
attrlist.sort()
|
||||
json_dict['methods'] = [m for m in self.methods]
|
||||
return json_dict
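Review bot: `objectclasses += self.possible_objectclasses` extends a list in place, and `objectclasses` here is whatever `config.get(self.object_class_config, objectclasses)` returned — either the config's own list or the fallback bound above the hunk (presumably `self.object_class`, which is not visible). If either of those is a shared list, every call of this method appends `possible_objectclasses` to it again, so the schema lookup and the published `aciattrs` list grow with repeated calls; `objectclasses = list(objectclasses) + self.possible_objectclasses` keeps the caller's data untouched. A smaller point: `attrlist.sort()` runs after `json_dict['aciattrs'] = attrlist`, which only works because both names alias one list — sorting before the assignment reads more clearly. The enclosing method begins before the hunk.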
|
||||
|
||||
|
@ -81,6 +81,7 @@ class group(LDAPObject):
|
||||
object_name_plural = 'groups'
|
||||
object_class = ['ipausergroup']
|
||||
object_class_config = 'ipagroupobjectclasses'
|
||||
possible_objectclasses = ['posixGroup', 'mepManagedEntry']
|
||||
search_attributes_config = 'ipagroupsearchfields'
|
||||
default_attributes = [
|
||||
'cn', 'description', 'gidnumber', 'member', 'memberof',
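Review bot: `possible_objectclasses = ['posixGroup', 'mepManagedEntry']` keeps camel-case while the same commit writes `possible_objectclasses = ['meporiginentry']` in user.py and lowercases every attribute name elsewhere; `possible_objectclasses = ['posixgroup', 'mepmanagedentry']` would keep the two plugins consistent, assuming the schema lookup in baseldap.py matches objectclass names case-insensitively (LDAP does, but `attribute_types` is not visible here). A short comment above the attribute, e.g. `# objectclasses a group may gain later (promotion, detach) but is not created with; feeds the ACI attribute list`, would tell a reader why this differs from `object_class`. The documentation point applies equally to the user.py hunk below.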
|
||||
|
@ -63,6 +63,7 @@ class user(LDAPObject):
|
||||
object_name_plural = 'users'
|
||||
object_class = ['posixaccount']
|
||||
object_class_config = 'ipauserobjectclasses'
|
||||
possible_objectclasses = ['meporiginentry']
|
||||
search_attributes_config = 'ipausersearchfields'
|
||||
default_attributes = [
|
||||
'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou',
|
||||
|