Allow presence of LDAP attribute options

LDAP attribute options aren't enforced in the LDAP schema. They represent server- and client-side treatment of attribute values but the schema definition knows nothing about them. When we check attribute presence in the entry, we should strip options before comparing attribute names with the schema. Related: https://pagure.io/freeipa/issue/8001 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-09-10 18:02:17 +03:00
parent d26429ea28
commit 4dbd689e30
1 changed files with 5 additions and 1 deletions
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -854,7 +854,11 @@ def _check_limit_object_class(attributes, attrs, allow_only):
    """
    if len(attributes[0]) == 0 and len(attributes[1]) == 0:
        return
-    limitattrs = deepcopy(attrs)
+    # Remove options from the attributes names before validating
+    # LDAP schema does not enforce any of LDAP attribute options
+    # (e.g. attribute;option), thus we should avoid comparing
+    # attribute names with options directly.
+    limitattrs = [x.split(';')[0] for x in attrs]
    # Go through the MUST first
    for attr in attributes[0].values():
        if attr.names[0].lower() in limitattrs: