ldap2: fix implementation of can_add

ldap2.can_add checks for add permission of a given entry.
It did not work properly due to a defect in 389 DS.  Now that the
defect has been fixed, we also need to update can_add to work with
the mechanism 389 DS provides for checking add permission for
entries where ACIs are in effect.

Update the ldap2.can_add implementation to perform the add
permission check properly.  Also update call sites accordingly.

Update the spec file to require 389-ds-base-1.3.7.9-1 which is the
first release containing the fix.  This version of 389-ds-base also
resolves a couple of other issues related to replication and
connection management.

Fixes: https://pagure.io/freeipa/issue/6609
Fixes: https://pagure.io/freeipa/issue/7165
Fixes: https://pagure.io/freeipa/issue/7228
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fraser Tweedale
2018-02-05 19:47:33 +11:00
committed by Christian Heimes
parent 4daac52ddd
commit b466172d68
3 changed files with 39 additions and 15 deletions

@@ -235,7 +235,7 @@ class ca_add(LDAPCreate):
def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
ca_enabled_check(self.api)
if not ldap.can_add(dn[1:]):
if not ldap.can_add(dn[1:], 'ipaca'):
raise errors.ACIError(
info=_("Insufficient 'add' privilege for entry '%s'.") % dn)
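Review bot: the new second argument to ldap.can_add on the changed line is the bare string literal 'ipaca', and nothing at this call site says what it denotes (an attribute name, an object class, or something else), so a reader cannot tell why it is the right value for the CA container check or how to choose the value at the other call sites the commit message says were updated. Suggest a one-line comment above the call stating what can_add evaluates that argument against, or, if the parameter has a descriptive name, passing it as a keyword so the intent is visible here. Separately, the check is still run against `dn[1:]` (the parent) while the ACIError message reports `dn` itself; if the new 389 DS mechanism is meant to be evaluated against the entry being created rather than its parent, the first argument should change with it, and if not, a short comment saying that add permission is evaluated on the parent container would save the next reader the same question.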