ipa user_add: do not check group if UPG is disabled

The UPG plugin is used to create a user private group when a new
IPA user is created, with the same name as the user. When this plugin
is enabled, the user creation must ensure that no group exists with
the same name.

When the UPG plugin is disabled, or when the user is created with the
--noprivate option, there is no need to perform this check as the
private group will not get created.

Currently, the --noprivate option correctly skips the test, but a
disabled UPG plugin does not skip the test. The fix ensures that
UPG plugin status is checked.

Fixes: https://pagure.io/freeipa/issue/4972
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Florence Blanc-Renaud
2019-09-26 12:12:39 +02:00
committed by Rob Crittenden
parent af5f2b847a
commit 624144ded5

@@ -475,7 +475,7 @@ class user_add(baseuser_add):
else:
raise self.obj.handle_duplicate_entry(*keys)
if not options.get('noprivate', False):
if not options.get('noprivate', False) and ldap.has_upg():
try:
# The Managed Entries plugin will allow a user to be created
# even if a group has a duplicate name. This would leave a user
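Review bot: The comment under the new condition still explains the duplicate-group check only in terms of the Managed Entries plugin, so a reader cannot tell from it why `ldap.has_upg()` now guards the block. Add a line to that comment saying the check is skipped when UPG is disabled because no private group will be created. The visible hunks also carry no test; a regression test that creates a user whose name matches an existing group while UPG is disabled, without `--noprivate`, would pin the behaviour described in the commit message.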
@@ -609,7 +609,8 @@ class user_add(baseuser_add):
newentry = ldap.get_entry(dn, ['*'])
# delete description attribute NO_UPG_MAGIC if present
if options.get('noprivate', False) and 'description' in newentry and \
if (options.get('noprivate', False) or not ldap.has_upg()) and \
'description' in newentry and \
NO_UPG_MAGIC in newentry['description']:
newentry['description'].remove(NO_UPG_MAGIC)
ldap.update_entry(newentry)
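Review bot: `ldap.has_upg()` is evaluated a second time in this condition, independently of the call added in the hunk at line 475, so the pre-creation check and this cleanup can disagree if the UPG status changes between the two calls. Consider computing the value once and reusing it in both places. Separately, the condition now mixes a backslash continuation with a parenthesised group; wrapping the whole expression in parentheses would drop the backslashes and make it easier to see that `'description' in newentry` and `NO_UPG_MAGIC in newentry['description']` apply to both the `noprivate` and the disabled-UPG case.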