Give a detached group a full set of group objectclasses.

The UUID plugin handles adding ipaUniqueId for us as well as the access control for it. ticket 250
2025-02-25 18:55:28 -06:00 · 2010-11-01 12:05:53 -04:00
parent 5c4dc1c2e9
commit 53d1553755
3 changed files with 26 additions and 9 deletions
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId || memberOf || serverHostName")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -234,6 +234,10 @@ class LDAPObject(Object):
            if parent_obj.primary_key:
                yield parent_obj.primary_key.clone(query=True)

+    def has_objectclass(self, classes, objectclass):
+        oc = map(lambda x:x.lower(),classes)
+        return objectclass.lower() in oc
+
    def convert_attribute_members(self, entry_attrs, *keys, **options):
        if options.get('raw', False):
            return
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -291,23 +291,28 @@ class group_detach(LDAPRemoveMember):
        group_dn = self.obj.get_dn(*keys, **options)
        user_dn = self.api.Object['user'].get_dn(*keys)

+        (user_dn, user_attrs) = ldap.get_entry(user_dn)
+        is_managed = self.obj.has_objectclass(user_attrs['objectclass'], 'mepmanagedentry')
        if (not ldap.can_write(user_dn, "objectclass") or
-            not ldap.can_write(user_dn, "mepManagedEntry")):
+            not (ldap.can_write(user_dn, "mepManagedEntry")) and is_managed):
            raise errors.ACIError(info=_('not allowed to modify user entries'))

+        (group_dn, group_attrs) = ldap.get_entry(group_dn)
+        is_managed = self.obj.has_objectclass(group_attrs['objectclass'], 'mepmanagedby')
        if (not ldap.can_write(group_dn, "objectclass") or
-            not ldap.can_write(group_dn, "mepManagedBy")):
+            not (ldap.can_write(group_dn, "mepManagedBy")) and is_managed):
            raise errors.ACIError(info=_('not allowed to modify group entries'))

-        (user_dn, user_attrs) = ldap.get_entry(user_dn)
        objectclasses = user_attrs['objectclass']
        try:
            i = objectclasses.index('mepOriginEntry')
+            del objectclasses[i]
+            update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
+            ldap.update_entry(user_dn, update_attrs)
        except ValueError:
-            raise NotFound(reason=_('Not a managed group'))
-        del objectclasses[i]
-        update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
-        ldap.update_entry(user_dn, update_attrs)
+            # Somehow the user isn't managed, let it pass for now. We'll
+            # let the group throw "Not managed".
+            pass

        (group_dn, group_attrs) = ldap.get_entry(group_dn)
        objectclasses = group_attrs['objectclass']
@@ -315,8 +320,16 @@ class group_detach(LDAPRemoveMember):
            i = objectclasses.index('mepManagedEntry')
        except ValueError:
            # this should never happen
-            raise NotFound(reason=_('Not a managed group'))
+            raise errors.NotFound(reason=_('Not a managed group'))
        del objectclasses[i]
+
+        # Make sure the resulting group has the default group objectclasses
+        config = ldap.get_ipa_config()[1]
+        def_objectclass = config.get(
+            self.obj.object_class_config, objectclasses
+        )
+        objectclasses = list(set(def_objectclass + objectclasses))
+
        update_attrs = {'objectclass': objectclasses, 'mepManagedBy': None}
        ldap.update_entry(group_dn, update_attrs)