Fix delegation in the UI and add a missing aci that allows writes.

Make ipa-deldelegation more user-friendly.
2025-02-25 18:55:28 -06:00 · 2007-12-07 16:08:12 -05:00
parent 0c0cc370cf
commit 5e4a162954
3 changed files with 5 additions and 2 deletions
--- a/ipa-admintools/ipa-deldelegation
+++ b/ipa-admintools/ipa-deldelegation
@@ -65,6 +65,7 @@ def main():
        if not(isinstance(aci_str_list,list) or isinstance(aci_str_list,tuple)):
            aci_str_list = [aci_str_list]

+        acistr = None
        for aci_str in aci_str_list:
            try:
                aci = ipa.aci.ACI(aci_str)
@@ -76,7 +77,7 @@ def main():
                pass

        if acistr is None:
-            print "No delegation %s found." % args[1]
+            print "No delegation '%s' found." % args[1]
            return 2

        old_aci_index = aci_str_list.index(acistr)
@@ -86,6 +87,7 @@ def main():
        aci_entry.setValue('aci', new_aci_str_list)

        client.update_entry(aci_entry)
+        print "Delegation removed."
    except xmlrpclib.Fault, fault:
        if fault.faultCode == errno.ECONNREFUSED:
            print "The IPA XML-RPC service is not responding."
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
@@ -71,7 +71,7 @@ class DelegationController(IPAController):
            new_aci.source_group = kw.get('source_group_dn')
            new_aci.dest_group = kw.get('dest_group_dn')
            new_aci.attrs = kw.get('attrs')
-            if (new_aci.attrs, str):
+            if isinstance(new_aci.attrs, str):
                new_aci.attrs = [new_aci.attrs]

            # Look for an existing ACI of the same name
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -22,6 +22,7 @@ dn: cn=accounts,$SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)

 dn: cn=services,cn=accounts,$SUFFIX
 changetype: modify