Update objectclasses for groups, by default not posix groups.

This change depends on DS bugs 487574 and 487725. Groups cannot be
promoted properly without these fixed. It will fail with an
Object Class violation because gidNumber isn't set.

install/share/bootstrap-template.ldif

@@ -145,8 +145,8 @@ ipaMaxUsernameLength: 8
 ipaPwdExpAdvNotify: 4
 ipaGroupObjectClasses: top
 ipaGroupObjectClasses: groupofnames
-ipaGroupObjectClasses: posixGroup
-ipaGroupObjectClasses: inetUser
+ipaGroupObjectClasses: nestedGroup
+ipaGroupObjectClasses: ipaUserGroup
 ipaUserObjectClasses: top
 ipaUserObjectClasses: person
 ipaUserObjectClasses: organizationalPerson

ipalib/errors2.py

@@ -726,6 +726,22 @@ class RequiresRoot(ExecutionError):
     errno = 4006
     format = _('This command requires root access')
 
+class AlreadyPosixGroup(ExecutionError):
+    """
+    **4007** Raised when a group is already a posix group
+
+    For example:
+
+    >>> raise AlreadyPosixGroup
+    Traceback (most recent call last):
+      ...
+    AlreadyPosixGroup: This is already a posix group
+
+    """
+
+    errno = 4007
+    format = _('This is already a posix group')
+
 class BuiltinError(ExecutionError):
     """
     **4100** Base class for builtin execution errors (*4100 - 4199*).

ipalib/plugins/f_group.py

@@ -48,15 +48,18 @@ class group(Object):
     takes_params = (
         Str('description',
             doc='A description of this group',
+            attribute=True,
         ),
         Int('gidnumber?',
             cli_name='gid',
             doc='The gid to use for this group. If not included one is automatically set.',
+            attribute=True,
         ),
         Str('cn',
             cli_name='name',
             primary_key=True,
             normalizer=lambda value: value.lower(),
+            attribute=True,
         ),
     )
 api.register(group)
@@ -64,6 +67,12 @@ api.register(group)
 
 class group_add(crud.Add):
     'Add a new group.'
+    takes_options = (
+        Flag('posix',
+             doc='Create as a posix group',
+             attribute=False,
+        ),
+    )
 
     def execute(self, cn, **kw):
         """
@@ -83,16 +92,18 @@ class group_add(crud.Add):
         assert 'cn' not in kw
         assert 'dn' not in kw
         ldap = self.api.Backend.ldap
-        kw['cn'] = cn
-        kw['dn'] = ldap.make_group_dn(cn)
+        entry = self.args_options_2_entry(cn, **kw)
+        entry['dn'] = ldap.make_group_dn(cn)
 
         # Get our configuration
         config = ldap.get_ipa_config()
 
         # some required objectclasses
-        kw['objectClass'] =  config.get('ipagroupobjectclasses')
+        entry['objectClass'] = config.get('ipagroupobjectclasses')
+        if kw.get('posix'):
+            entry['objectClass'].append('posixGroup')
 
-        return ldap.create(**kw)
+        return ldap.create(**entry)
 
     def output_for_cli(self, textui, result, *args, **options):
         """
@@ -122,14 +133,17 @@ class group_del(crud.Del):
 #            raise ipaerror.gen_exception(ipaerror.CONFIG_REQUIRED_GROUPS)
 
         ldap = self.api.Backend.ldap
-        dn = ldap.find_entry_dn("cn", cn, "posixGroup")
+        dn = ldap.find_entry_dn("cn", cn, "ipaUserGroup")
         self.log.info("IPA: group-del '%s'" % dn)
 
         # Don't allow the default user group to be removed
-        config=ldap.get_ipa_config()
-        default_group = ldap.find_entry_dn("cn", config.get('ipadefaultprimarygroup'), "posixGroup")
-        if dn == default_group:
-            raise errors.DefaultGroup
+        try:
+            config=ldap.get_ipa_config()
+            default_group = ldap.find_entry_dn("cn", config.get('ipadefaultprimarygroup'), "ipaUserGroup")
+            if dn == default_group:
+                raise errors.DefaultGroup
+        except errors2.NotFound:
+            pass
 
         return ldap.delete(dn)
 
@@ -144,6 +158,12 @@ api.register(group_del)
 
 class group_mod(crud.Mod):
     'Edit an existing group.'
+    takes_options = (
+        Flag('posix',
+             doc='Make this group a posix group',
+             attribute=False,
+        ),
+    )
     def execute(self, cn, **kw):
         """
         Execute the group-mod operation.
@@ -159,7 +179,27 @@ class group_mod(crud.Mod):
         assert 'cn' not in kw
         assert 'dn' not in kw
         ldap = self.api.Backend.ldap
-        dn = ldap.find_entry_dn("cn", cn, "posixGroup")
+        dn = ldap.find_entry_dn("cn", cn, "ipaUserGroup")
+
+        # Are we promoting a non-posix group into a posix one? We just
+        # need to add the posixGroup objectclass to the list and the
+        # DNA plugin will handle assigning a new gidNumber for us.
+        if kw.get('posix'):
+            groupkw = {'all': True}
+            oldgroup = api.Command['group_show'](cn, **groupkw)
+            if oldgroup.get('gidnumber'):
+                raise errors2.AlreadyPosixGroup
+            else:
+                oldgroup['objectclass'].append('posixgroup')
+                kw['objectclass'] = oldgroup['objectclass']
+
+        if kw.has_key('posix'):
+            del kw['posix']
+
+        if isinstance(kw.get('gidnumber',''), int):
+            # python-ldap wants this as a string
+            kw['gidnumber'] = str(kw['gidnumber'])
+
         return ldap.update(dn, **kw)
 
     def output_for_cli(self, textui, result, cn, **options):
@@ -231,7 +271,7 @@ class group_show(crud.Get):
         :param kw: Not used.
         """
         ldap = self.api.Backend.ldap
-        dn = ldap.find_entry_dn("cn", cn, "posixGroup")
+        dn = ldap.find_entry_dn("cn", cn, "ipaUserGroup")
 
         # FIXME: should kw contain the list of attributes to display?
         if kw.get('all', False):

ipaserver/plugins/b_ldap.py

@@ -202,7 +202,7 @@ class ldap(CrudBackend):
         if attribute == "uid": # User
             object_type = "posixAccount"
         elif attribute == "cn": # Group
-            object_type = "posixGroup"
+            object_type = "ipaUserGroup"
         elif attribute == "krbprincipalname": # Service
             object_type = "krbPrincipal"