Allow presence of LDAP attribute options

LDAP attribute options aren't enforced in the LDAP schema. They
represent server- and client-side treatment of attribute values but the
schema definition knows nothing about them.

When we check attribute presence in the entry, we should strip options
before comparing attribute names with the schema.

Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Alexander Bokovoy
2019-09-10 18:02:17 +03:00
committed by Rob Crittenden
parent 7f6b1c99f0
commit 9db6f65a85


@@ -854,7 +854,11 @@ def _check_limit_object_class(attributes, attrs, allow_only):
""" """
if len(attributes[0]) == 0 and len(attributes[1]) == 0: if len(attributes[0]) == 0 and len(attributes[1]) == 0:
return return
limitattrs = deepcopy(attrs) # Remove options from the attributes names before validating
# LDAP schema does not enforce any of LDAP attribute options
# (e.g. attribute;option), thus we should avoid comparing
# attribute names with options directly.
limitattrs = [x.split(';')[0] for x in attrs]
# Go through the MUST first # Go through the MUST first
for attr in attributes[0].values(): for attr in attributes[0].values():
if attr.names[0].lower() in limitattrs: if attr.names[0].lower() in limitattrs:
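
Review bot: The new `limitattrs = [x.split(';')[0] for x in attrs]` can contain duplicates, because an entry carrying both `attr` and `attr;option` now yields the base name twice. The old `deepcopy(attrs)` suggests the list is modified further down, so if matched names are removed one at a time a duplicate would be left behind and could be reported as not allowed; please confirm against the rest of the function, or build the list from de-duplicated names. The stripped names are also not lowercased here while the checks compare against `attr.names[0].lower()`, so it is worth stating in the comment that `attrs` is expected to arrive lowercased, or normalizing in the same comprehension. A test with an entry that has the same attribute with and without an option would cover both cases.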