Improve default user/group object class validation

When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:

- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
  set of default object classes

https://fedorahosted.org/freeipa/ticket/1893
Martin Kosek 2011-10-11 10:26:21 +02:00
parent 59c2e0fbd1
commit 88e693a1a5
2 changed files with 27 additions and 1 deletions


@ -24,6 +24,10 @@ from ipalib.plugins.baseldap import *
from ipalib import _ from ipalib import _
from ipalib.errors import ValidationError from ipalib.errors import ValidationError
# 389-ds attributes that should be skipped in attribute checks
OPERATIONAL_ATTRIBUTES = ('nsaccountlock', 'member', 'memberof',
'memberindirect', 'memberofindirect',)
__doc__ = _(""" __doc__ = _("""
Manage the IPA configuration Manage the IPA configuration
@ -212,6 +216,25 @@ class config_mod(LDAPUpdate):
raise errors.ValidationError( raise errors.ValidationError(
name=k, error='attribute "%s" not allowed' % a name=k, error='attribute "%s" not allowed' % a
) )
for (attr, obj) in (('ipauserobjectclasses', 'user'),
('ipagroupobjectclasses', 'group')):
if attr in entry_attrs:
objectclasses = list(set(entry_attrs[attr] \
+ self.api.Object[obj].possible_objectclasses))
new_allowed_attrs = ldap.get_allowed_attributes(objectclasses,
raise_on_unknown=True)
checked_attrs = self.api.Object[obj].default_attributes
if self.api.Object[obj].uuid_attribute:
checked_attrs = checked_attrs + [self.api.Object[obj].uuid_attribute]
for obj_attr in checked_attrs:
if obj_attr in OPERATIONAL_ATTRIBUTES:
continue
if obj_attr not in new_allowed_attrs:
raise errors.ValidationError(name=attr,
error=_('%s default attribute %s would not be allowed!') \
% (obj, obj_attr))
return dn return dn
api.register(config_mod) api.register(config_mod)
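Review bot: The membership test `if obj_attr not in new_allowed_attrs:` compares the raw default attribute names against a list that get_allowed_attributes lower-cases (its return is `[unicode(a).lower() ...]` in the ldap2 hunk), so a default attribute or uuid_attribute declared with any uppercase letter would be rejected as not allowed even though the schema permits it; normalize the left side too, `if obj_attr.lower() not in new_allowed_attrs:`, and apply the same to the OPERATIONAL_ATTRIBUTES skip. A smaller point: an unknown object class escapes as errors.NotFound raised inside the backend rather than as a ValidationError naming the offending option, so the user is not told whether ipauserobjectclasses or ipagroupobjectclasses was wrong; catching NotFound around the get_allowed_attributes call and re-raising as `errors.ValidationError(name=attr, error=unicode(e))` would keep config-mod's errors uniform (the exact message attribute to forward should be checked against ipalib.errors). The enclosing method of config_mod starts outside the hunk.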


@ -43,6 +43,7 @@ from ldap.controls import LDAPControl
# for backward compatibility # for backward compatibility
from ldap.functions import explode_dn from ldap.functions import explode_dn
from ipalib.dn import DN from ipalib.dn import DN
from ipalib import _
import krbV import krbV
@ -268,7 +269,7 @@ class ldap2(CrudBackend, Encoder):
else: else:
return None return None
def get_allowed_attributes(self, objectclasses): def get_allowed_attributes(self, objectclasses, raise_on_unknown=False):
if not self.schema: if not self.schema:
self.get_schema() self.get_schema()
allowed_attributes = [] allowed_attributes = []
@ -276,6 +277,8 @@ class ldap2(CrudBackend, Encoder):
obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc) obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc)
if obj is not None: if obj is not None:
allowed_attributes += obj.must + obj.may allowed_attributes += obj.must + obj.may
elif raise_on_unknown:
raise errors.NotFound(reason=_('objectclass %s not found') % oc)
return [unicode(a).lower() for a in list(set(allowed_attributes))] return [unicode(a).lower() for a in list(set(allowed_attributes))]
def get_single_value(self, attr): def get_single_value(self, attr):
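Review bot: The new `elif raise_on_unknown:` branch references `errors.NotFound`, but this commit only adds `from ipalib import _` to ldap2's imports; unless `errors` is already imported earlier in the file (not visible here), the resulting NameError would surface only at runtime, and only when a caller passes raise_on_unknown=True and an unknown class, so the import should be confirmed alongside this change. The method also still has no docstring; add one stating that it returns the lower-cased, de-duplicated union of MUST and MAY attributes of the given object classes, that object classes missing from the schema are silently skipped by default, and that `raise_on_unknown=True` raises errors.NotFound naming the first unknown class instead. The loop over objectclasses begins in the unshown gap between the two hunks, so its header is not under review here.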