diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6b2c0813f..b4d2acc92 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -315,8 +315,10 @@ Requires: python3-pyldap >= %{python3_ldap_version}
 Requires: python2-ipaserver = %{version}-%{release}
 Requires: python2-ldap >= %{python2_ldap_version}
 %endif
-# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295
-Requires: 389-ds-base >= 1.3.7.6-1
+# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
+# https://bugzilla.redhat.com/show_bug.cgi?id=1511462
+# https://bugzilla.redhat.com/show_bug.cgi?id=1514033
+Requires: 389-ds-base >= 1.3.7.9-1
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -361,8 +363,10 @@ Requires(postun): systemd-units
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.79.5-1
-# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295
-Requires(pre): 389-ds-base >= 1.3.7.6-1
+# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
+# https://bugzilla.redhat.com/show_bug.cgi?id=1511462
+# https://bugzilla.redhat.com/show_bug.cgi?id=1514033
+Requires(pre): 389-ds-base >= 1.3.7.9-1
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 6557ce2a0..88e7ec2a9 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -235,7 +235,7 @@ class ca_add(LDAPCreate):
     def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
         ca_enabled_check(self.api)
-        if not ldap.can_add(dn[1:]):
+        if not ldap.can_add(dn[1:], 'ipaca'):
             raise errors.ACIError(
                 info=_("Insufficient 'add' privilege for entry '%s'.") % dn)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 20c8fda2a..f79a07ad5 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -330,18 +330,38 @@ class ldap2(CrudBackend, LDAPClient):
         return False
-    def can_add(self, dn):
         """Returns True/False if the currently bound user has add permissions
-        on the entry.
+    def can_add(self, parent_dn, objectclass):
         """
-        assert isinstance(dn, DN)
-        attrs = self.get_effective_rights(dn, ["*"])
-        if 'entrylevelrights' in attrs:
-            entry_rights = attrs['entrylevelrights'][0]
-            if 'a' in entry_rights:
-                return True
+        Returns True/False if the currently bound user has
+        permission to add an entry with the given objectclass
+        immediately below the entry with the given DN.
-        return False
+        For example, to check if an entry with objectclass=ipaca
+        can be added under cn=cas,cn=ca,{basedn}, you should call
+        ``can_add(DN('cn=cas,...'), 'ipaca')``.
+
+        """
+        assert isinstance(parent_dn, DN)
+
+        # the rules for how to request the template entry, and
+        # the expectations about how 389 constructs the template
+        # entry, are described here:
+        #
+        # https://pagure.io/389-ds-base/issue/49278#comment-480856
+        #
+        try:
+            entry = self.get_entries(
+                parent_dn,
+                _ldap.SCOPE_ONELEVEL,
+                # rdn value of template entry is: template__objectclass
+                '(cn=template_{}_objectclass)'.format(objectclass),
+                # request tempalate entry with given objectclass
+                ['cn@{}'.format(objectclass)],
+                get_effective_rights=True,
+            )[0]
+            return 'a' in entry['entrylevelrights'][0]
+        except errors.NotFound:
+            return False
     def modify_password(self, dn, new_pass, old_pass='', otp='', skip_bind=False):
         """Set user password."""
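Review bot: `objectclass` is interpolated unescaped into both the search filter `'(cn=template_{}_objectclass)'` and the attribute request `'cn@{}'`, so any future caller that passes a non-constant value could change what the filter matches; the only caller in this diff passes the literal `'ipaca'`, but `can_add` is a public backend method. Because 389 only builds the template entry for a plain object class name, rejecting anything else up front is simpler and safer than escaping, e.g. `if not re.match(r'^[A-Za-z][A-Za-z0-9-]*$', objectclass): raise ValueError('invalid objectclass name')` (assuming `re` is imported in this module; otherwise `_ldap.filter.escape_filter_chars` if `ldap.filter` is available). Separately, `entry['entrylevelrights'][0]` raises KeyError rather than returning False when the template entry comes back without the effective-rights attribute, whereas the removed code guarded this with `if 'entrylevelrights' in attrs`; an explicit `if 'entrylevelrights' not in entry: return False` before the `return` keeps the check fail-closed without turning into an internal error. Minor: the added comment reads `tempalate` and should be `template`. The hunk contains the whole new `can_add` body; `modify_password` at its end continues outside the hunk.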