Add new schema to store information about permissions.
There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information to make this clear, in this case SYSTEM. ticket 853
This commit is contained in:
parent
685c516e88
commit
c6ef39b2c0
@ -13,6 +13,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY case
|
||||
attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2')
|
||||
objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
|
||||
@ -23,6 +24,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to
|
||||
attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
|
||||
attributeTypes: (2.16.840.1.113730.3.8.3.19 NAME 'serviceCategory' DESC 'Additional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
|
||||
attributeTypes: (2.16.840.1.113730.3.8.3.20 NAME 'memberService' DESC 'Reference to the pam service of this operation.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
|
||||
attributeTypes: (2.16.840.1.113730.3.8.3.25 NAME 'ipaPermissionType' DESC 'IPA permission flags' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
|
||||
attributeTypes: (2.16.840.1.113730.3.8.3.9 NAME 'ipaEnabledFlag' DESC 'The flag to show if the association is active or should be ignored' EQUALITY booleanMatch ORDERING booleanMatch SUBSTR booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.4.6 NAME 'ipaAssociation' ABSTRACT MUST ( ipaUniqueID $ cn ) MAY ( memberUser $ userCategory $ memberHost $ hostCategory $ ipaEnabledFlag $ description ) X-ORIGIN 'IPA v2' )
|
||||
attributeTypes: (2.16.840.1.113730.3.8.3.10 NAME 'sourceHost' DESC 'Link to a host or group of hosts' SUP memberHost SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
|
||||
|
@ -147,6 +147,7 @@ dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add Users
|
||||
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -154,6 +155,7 @@ dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Change a user password
|
||||
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -161,6 +163,7 @@ dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add user to default group
|
||||
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -168,6 +171,7 @@ dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectclass: top
|
||||
objectclass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Unlock user accounts
|
||||
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
||||
@ -176,6 +180,7 @@ dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Remove Users
|
||||
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -183,6 +188,7 @@ dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify Users
|
||||
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -192,6 +198,7 @@ dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add Groups
|
||||
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -199,6 +206,7 @@ dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Remove Groups
|
||||
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -206,6 +214,7 @@ dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify Groups
|
||||
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -213,6 +222,7 @@ dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify Group membership
|
||||
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -222,6 +232,7 @@ dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add Hosts
|
||||
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -229,6 +240,7 @@ dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Remove Hosts
|
||||
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -236,6 +248,7 @@ dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify Hosts
|
||||
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -245,6 +258,7 @@ dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add Hostgroups
|
||||
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -252,6 +266,7 @@ dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Remove Hostgroups
|
||||
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -259,6 +274,7 @@ dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify Hostgroups
|
||||
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -266,6 +282,7 @@ dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify Hostgroup membership
|
||||
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -275,6 +292,7 @@ dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add Services
|
||||
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -282,6 +300,7 @@ dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Remove Services
|
||||
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -289,6 +308,7 @@ dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify Services
|
||||
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -298,6 +318,7 @@ dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add Roles
|
||||
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -305,6 +326,7 @@ dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Remove Roles
|
||||
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -312,6 +334,7 @@ dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify Roles
|
||||
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -319,6 +342,7 @@ dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify Role membership
|
||||
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -326,6 +350,7 @@ dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify privilege membership
|
||||
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -335,6 +360,7 @@ dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add Automount maps
|
||||
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -342,6 +368,7 @@ dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Remove Automount maps
|
||||
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -349,6 +376,7 @@ dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add Automount keys
|
||||
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -356,6 +384,7 @@ dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Remove Automount keys
|
||||
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -365,6 +394,7 @@ dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add netgroups
|
||||
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -372,6 +402,7 @@ dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Remove netgroups
|
||||
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -379,6 +410,7 @@ dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify netgroups
|
||||
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -386,6 +418,7 @@ dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify netgroup membership
|
||||
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -395,6 +428,7 @@ dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Manage host keytab
|
||||
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
||||
@ -403,6 +437,7 @@ dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Manage service keytab
|
||||
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
||||
@ -415,6 +450,7 @@ dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Enroll a host
|
||||
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
||||
@ -425,21 +461,27 @@ dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Add Replication Agreements
|
||||
ipapermissiontype: SYSTEM
|
||||
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Modify Replication Agreements
|
||||
ipapermissiontype: SYSTEM
|
||||
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Remove Replication Agreements
|
||||
ipapermissiontype: SYSTEM
|
||||
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
# Entitlement management
|
||||
@ -448,6 +490,7 @@ dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: addentitlements
|
||||
description: Add Entitlements
|
||||
member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
|
||||
@ -619,6 +662,7 @@ dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Retrieve Certificates from the CA
|
||||
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -638,6 +682,7 @@ dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Request Certificate
|
||||
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -657,6 +702,7 @@ dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Request Certificates from a different host
|
||||
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -676,6 +722,7 @@ dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Get Certificates status from the CA
|
||||
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -695,6 +742,7 @@ dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Revoke Certificate
|
||||
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
@ -714,6 +762,7 @@ dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: groupofnames
|
||||
objectClass: ipapermission
|
||||
cn: Certificate Remove Hold
|
||||
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
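Review bot: In the replication-agreement hunk the three entries gain `ipapermissiontype: SYSTEM`, and every other permission entry gains `objectClass: ipapermission`; since the plugin's read-only guard keys on that attribute being present on the stored entry, deployments that already have these entries would presumably need a matching update LDIF for the new objectClass and flag, which this commit does not show — worth confirming. The "Unlock user accounts" hunk mixes `objectclass: top` / `objectclass: groupofnames` with the new `objectClass: ipapermission`; attribute names are case-insensitive in LDIF so it is harmless, but `objectClass:` throughout keeps the file uniform. A short comment above the replication block, e.g. `# SYSTEM permissions are stored outside the IPA suffix and may not be modified or removed`, would document why these three carry the flag.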
||||
|
@ -73,9 +73,16 @@ from ipalib.plugins.baseldap import *
|
||||
from ipalib import api, _, ngettext
|
||||
from ipalib import Flag, Str, StrEnum
|
||||
from ipalib.request import context
|
||||
from ipalib import errors
|
||||
|
||||
ACI_PREFIX=u"permission"
|
||||
|
||||
output_params = (
|
||||
Str('ipapermissiontype',
|
||||
label=_('Permission Type'),
|
||||
),
|
||||
)
|
||||
|
||||
class permission(LDAPObject):
|
||||
"""
|
||||
Permission object.
|
||||
@ -83,9 +90,9 @@ class permission(LDAPObject):
|
||||
container_dn = api.env.container_permission
|
||||
object_name = 'permission'
|
||||
object_name_plural = 'permissions'
|
||||
object_class = ['groupofnames']
|
||||
object_class = ['groupofnames', 'ipapermission']
|
||||
default_attributes = ['cn', 'member', 'memberof',
|
||||
'memberindirect',
|
||||
'memberindirect', 'ipapermissiontype',
|
||||
]
|
||||
aci_attributes = ['group', 'permissions', 'attrs', 'type',
|
||||
'filter', 'subtree', 'targetgroup',
|
||||
@ -150,6 +157,17 @@ class permission(LDAPObject):
|
||||
),
|
||||
)
|
||||
|
||||
# Don't allow SYSTEM permissions to be modified or removed
|
||||
def check_system(self, ldap, dn, *keys):
|
||||
try:
|
||||
(dn, entry_attrs) = ldap.get_entry(dn, ['ipapermissiontype'])
|
||||
except errors.NotFound:
|
||||
self.handle_not_found(*keys)
|
||||
if 'ipapermissiontype' in entry_attrs:
|
||||
if 'SYSTEM' in entry_attrs['ipapermissiontype']:
|
||||
return False
|
||||
return True
|
||||
|
||||
api.register(permission)
|
||||
|
||||
|
||||
@ -220,6 +238,8 @@ class permission_del(LDAPDelete):
|
||||
msg_summary = _('Deleted permission "%(value)s"')
|
||||
|
||||
def pre_callback(self, ldap, dn, *keys, **options):
|
||||
if not self.obj.check_system(ldap, dn, *keys):
|
||||
raise errors.ACIError(info='A SYSTEM permission may not be removed')
|
||||
# remove permission even when the underlying ACI is missing
|
||||
try:
|
||||
self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
|
||||
@ -236,8 +256,12 @@ class permission_mod(LDAPUpdate):
|
||||
"""
|
||||
|
||||
msg_summary = _('Modified permission "%(value)s"')
|
||||
has_output_params = LDAPUpdate.has_output_params + output_params
|
||||
|
||||
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
||||
if not self.obj.check_system(ldap, dn, *keys):
|
||||
raise errors.ACIError(info='A SYSTEM permission may not be modified')
|
||||
|
||||
# check if permission is in LDAP
|
||||
try:
|
||||
(dn, attrs) = ldap.get_entry(
|
||||
@ -330,6 +354,7 @@ class permission_find(LDAPSearch):
|
||||
msg_summary = ngettext(
|
||||
'%(count)d permission matched', '%(count)d permissions matched'
|
||||
)
|
||||
has_output_params = LDAPSearch.has_output_params + output_params
|
||||
|
||||
def post_callback(self, ldap, entries, truncated, *args, **options):
|
||||
for entry in entries:
|
||||
@ -378,6 +403,7 @@ class permission_show(LDAPRetrieve):
|
||||
"""
|
||||
Display information about a permission.
|
||||
"""
|
||||
has_output_params = LDAPRetrieve.has_output_params + output_params
|
||||
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||
try:
|
||||
aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']
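Review bot: `check_system` in the `permission` class hunk tests `'SYSTEM' in entry_attrs['ipapermissiontype']` case-sensitively, while the schema added in this commit declares `ipaPermissionType` with `EQUALITY caseIgnoreMatch`, so a value stored as `system` is equal at the LDAP layer but does not trip this guard; `any(v.upper() == 'SYSTEM' for v in entry_attrs['ipapermissiontype'])` keeps the two in step. In the `except errors.NotFound:` branch, if `self.handle_not_found(*keys)` ever returned instead of raising, `entry_attrs` would be unbound on the next line — it presumably always raises, but an explicit `raise` or `return True` after the call would make that contract visible. The method also returns False when the permission *is* SYSTEM, which reads inverted against its name; a docstring such as `"""Return False if the permission is flagged SYSTEM (not modifiable or removable), True otherwise."""` would prevent misuse by the `pre_callback` hunks in `permission_del` and `permission_mod` that call it.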
|
||||
|
@ -68,6 +68,7 @@ role = [
|
||||
|
||||
permission = [
|
||||
u'groupofnames',
|
||||
u'ipapermission',
|
||||
u'top'
|
||||
]
|
||||
|
||||
|