IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

permissions: Use multivalued targetfilter

Browse Source 
Change the target filter to be multivalued.

Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.

Update tests

Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
This commit is contained in:
Petr Viktorin 2014-01-06 15:51:20 +01:00
parent 0824d12c95
commit e951f18416
7 changed files with 296 additions and 234 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
API.txt
View File

@ -2332,7 +2332,7 @@ option: StrEnum('ipapermbindruletype', attribute=True, autofill=True, cli_name='
option: DNOrURL('ipapermlocation', alwaysask=True, attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=False, required=False)
option: StrEnum('ipapermright', attribute=True, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, cli_name='target', multivalue=False, required=False)
option: Str('ipapermtargetfilter', attribute=True, cli_name='filter', multivalue=False, required=False)
option: Str('ipapermtargetfilter', attribute=True, cli_name='filter', multivalue=True, required=False)
option: Str('memberof', alwaysask=True, attribute=False, autofill=False, cli_name='memberof', multivalue=False, query=False, required=False)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Str('permissions', attribute=False, cli_name='permissions', multivalue=True, required=False)
@ -2390,7 +2390,7 @@ option: Str('ipapermincludedattr', attribute=True, autofill=False, cli_name='inc
option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=True, required=False)
option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, query=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, query=True, required=False)
option: Str('ipapermtargetfilter', attribute=True, autofill=False, cli_name='filter', multivalue=False, query=True, required=False)
option: Str('ipapermtargetfilter', attribute=True, autofill=False, cli_name='filter', multivalue=True, query=True, required=False)
option: Str('memberof', attribute=False, autofill=False, cli_name='memberof', multivalue=False, query=True, required=False)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Str('permissions', attribute=False, autofill=False, cli_name='permissions', multivalue=True, query=True, required=False)
@ -2420,7 +2420,7 @@ option: Str('ipapermincludedattr', attribute=True, autofill=False, cli_name='inc
option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', multivalue=False, required=False)
option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, required=False)
option: Str('ipapermtargetfilter', attribute=True, autofill=False, cli_name='filter', multivalue=False, required=False)
option: Str('ipapermtargetfilter', attribute=True, autofill=False, cli_name='filter', multivalue=True, required=False)
option: Str('memberof', attribute=False, autofill=False, cli_name='memberof', multivalue=False, required=False)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Str('permissions', attribute=False, autofill=False, cli_name='permissions', multivalue=True, required=False)

4
VERSION
View File

@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=73
# Last change: pviktori - Managed permissions
IPA_API_VERSION_MINOR=74
# Last change: pviktori - permissions: multivalued targetfilter

2
install/share/60basev3.ldif
View File

@ -44,7 +44,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.44 NAME 'ipaPermExcludedAttr' DESC 'IP
attributeTypes: (2.16.840.1.113730.3.8.11.45 NAME 'ipaPermBindRuleType' DESC 'IPA permission bind rule type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.46 NAME 'ipaPermLocation' DESC 'Location of IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.47 NAME 'ipaPermRight' DESC 'IPA permission rights' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.48 NAME 'ipaPermTargetFilter' DESC 'IPA permission target filter' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.48 NAME 'ipaPermTargetFilter' DESC 'IPA permission target filter' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.49 NAME 'ipaPermTarget' DESC 'IPA permission target' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )

145
ipalib/plugins/permission.py
View File

@ -124,6 +124,11 @@ def strip_ldap_prefix(uri):
return uri[len(prefix):]
def prevalidate_filter(ugettext, value):
if not value.startswith('(') or not value.endswith(')'):
return _('must be enclosed in parentheses')
class DNOrURL(DNParam):
"""DN parameter that allows, and strips, a "ldap:///" prefix on input
@ -219,10 +224,10 @@ class permission(baseldap.LDAPObject):
flags={'ask_create'},
),
Str(
'ipapermtargetfilter?',
'ipapermtargetfilter*', prevalidate_filter,
cli_name='filter',
label=_('ACI target filter'),
doc=_('ACI target filter'),
label=_('Target filter'),
doc=_('Target filter'),
),
DNParam(
@ -234,7 +239,7 @@ class permission(baseldap.LDAPObject):
Str('memberof?',
label=_('Member of group'), # FIXME: Does this label make sense?
doc=_('Target members of a group (sets targetfilter)'),
doc=_('Target members of a group (sets memberOf targetfilter)'),
flags={'ask_create', 'virtual_attribute'},
),
Str('targetgroup?',
@ -245,7 +250,8 @@ class permission(baseldap.LDAPObject):
StrEnum(
'type?',
label=_('Type'),
doc=_('Type of IPA object (sets subtree and filter)'),
doc=_('Type of IPA object '
'(sets subtree and objectClass targetfilter)'),
values=VALID_OBJECT_TYPES,
flags={'ask_create', 'virtual_attribute'},
),
@ -277,18 +283,22 @@ class permission(baseldap.LDAPObject):
``pkey_only``, ``version``.
"""
if not options.get('raw') and not options.get('pkey_only'):
ipapermtargetfilter = entry.single_value.get('ipapermtargetfilter',
'')
ipapermtargetfilter = entry.get('ipapermtargetfilter', [])
ipapermtarget = entry.single_value.get('ipapermtarget')
ipapermlocation = entry.single_value.get('ipapermlocation')
# memberof
match = re.match('^\(memberof=(.*)\)$', ipapermtargetfilter, re.I)
if match:
dn = DN(match.group(1))
if dn[1:] == DN(self.api.Object.group.container_dn,
self.api.env.basedn)[:] and dn[0].attr == 'cn':
entry.single_value['memberof'] = dn[0].value
memberof = []
for targetfilter in ipapermtargetfilter:
match = re.match('^\(memberof=(.*)\)$', targetfilter, re.I)
if match:
dn = DN(match.group(1))
groups_dn = DN(self.api.Object.group.container_dn,
self.api.env.basedn)
if dn[1:] == groups_dn[:] and dn[0].attr == 'cn':
memberof.append(dn[0].value)
if memberof:
entry['memberof'] = memberof
# targetgroup
if ipapermtarget:
@ -299,17 +309,20 @@ class permission(baseldap.LDAPObject):
entry.single_value['targetgroup'] = dn[0].value
# type
if ipapermtarget and ipapermlocation:
if ipapermtargetfilter and ipapermlocation:
for objname in VALID_OBJECT_TYPES:
obj = self.api.Object[objname]
wantdn = DN(obj.container_dn, self.api.env.basedn)
if DN(ipapermlocation) == wantdn:
targetdn = DN(
(obj.rdn_attribute or obj.primary_key.name, '*'),
obj.container_dn,
self.api.env.basedn)
if ipapermtarget == targetdn:
entry.single_value['type'] = objname
if DN(ipapermlocation) != wantdn:
continue
for objclass in obj.object_class:
filter_re = '\(objectclass=%s\)' % re.escape(objclass)
if not any(re.match(filter_re, tf, re.I)
for tf in ipapermtargetfilter):
break
else:
entry.single_value['type'] = objname
break
# old output names
@ -324,10 +337,10 @@ class permission(baseldap.LDAPObject):
rights['memberof'] = rights['ipapermtargetfilter']
rights['targetgroup'] = rights['ipapermtarget']
type_rights = set(rights['ipapermtarget'])
type_rights = set(rights['ipapermtargetfilter'])
type_rights.intersection_update(rights['ipapermlocation'])
rights['type'] = ''.join(sorted(type_rights,
key=rights['ipapermtarget'].index))
rights['type'] = ''.join(sorted(
type_rights, key=rights['ipapermtargetfilter'].index))
if 'ipapermincludedattr' in rights:
rights['attrs'] = ''.join(sorted(
@ -403,11 +416,15 @@ class permission(baseldap.LDAPObject):
'ldap:///%s' % ipapermtarget)
# targetfilter
ipapermtargetfilter = entry.single_value.get('ipapermtargetfilter')
ipapermtargetfilter = entry.get('ipapermtargetfilter')
if ipapermtargetfilter:
assert (ipapermtargetfilter.startswith('(')
and ipapermtargetfilter.endswith(')'))
aci_parts.append("(targetfilter = \"%s\")" % ipapermtargetfilter)
assert all(f.startswith('(') and f.endswith(')')
for f in ipapermtargetfilter)
if len(ipapermtargetfilter) == 1:
filter = ipapermtargetfilter[0]
else:
filter = '(&%s)' % ''.join(sorted(ipapermtargetfilter))
aci_parts.append("(targetfilter = \"%s\")" % filter)
# version, name, rights, bind rule
ipapermbindruletype = entry.single_value.get('ipapermbindruletype',
@ -582,8 +599,24 @@ class permission(baseldap.LDAPObject):
raise ValueError('Cannot convert ACI, %r != %r' % (new_acistring,
acistring))
def preprocess_options(self, options):
"""Preprocess options (in-place)"""
def preprocess_options(self, options, return_filter_ops=False):
"""Preprocess options (in-place)
:param options: A dictionary of options
:param return_filter_ops:
If false, assumes there is no pre-existing entry;
additional values of ipapermtargetfilter are added to options.
If true, a dictionary of operations on ipapermtargetfilter is
returned.
These operations must be performed after the existing entry
is retreived.
The dict has the following keys:
- remove: list of regular expression objects; values that match
any of them sould be removed
- add: list of values to be added, after any removals
"""
filter_ops = {'add': [], 'remove': []}
if options.get('subtree'):
if isinstance(options['subtree'], (list, tuple)):
@ -613,20 +646,14 @@ class permission(baseldap.LDAPObject):
# memberof
if 'memberof' in options:
memberof = options.pop('memberof')
filter_ops['remove'].append(re.compile(r'\(memberOf=.*\)', re.I))
if memberof:
if 'ipapermtargetfilter' in options:
raise errors.ValidationError(
name='ipapermtargetfilter',
error=_('filter and memberof are mutually exclusive'))
try:
groupdn = self.api.Object.group.get_dn_if_exists(memberof)
except errors.NotFound:
raise errors.NotFound(
reason=_('%s: group not found') % memberof)
options['ipapermtargetfilter'] = u'(memberOf=%s)' % groupdn
else:
if 'ipapermtargetfilter' not in options:
options['ipapermtargetfilter'] = None
filter_ops['add'].append(u'(memberOf=%s)' % groupdn)
# targetgroup
if 'targetgroup' in options:
@ -649,35 +676,37 @@ class permission(baseldap.LDAPObject):
# type
if 'type' in options:
objtype = options.pop('type')
filter_ops['remove'].append(re.compile(r'\(objectclass=.*\)', re.I))
if objtype:
if 'ipapermlocation' in options:
raise errors.ValidationError(
name='ipapermlocation',
error=_('subtree and type are mutually exclusive'))
if 'ipapermtarget' in options:
raise errors.ValidationError(
name='ipapermtarget',
error=_('target and type are mutually exclusive'))
obj = self.api.Object[objtype.lower()]
new_values = [u'(objectclass=%s)' % o
for o in obj.object_class]
filter_ops['add'].extend(new_values)
container_dn = DN(obj.container_dn, self.api.env.basedn)
options['ipapermtarget'] = DN(
(obj.rdn_attribute or obj.primary_key.name, '*'),
container_dn)
options['ipapermlocation'] = container_dn
else:
if 'ipapermtarget' not in options:
options['ipapermtarget'] = None
if 'ipapermlocation' not in options:
options['ipapermlocation'] = None
if return_filter_ops:
return filter_ops
elif filter_ops['add']:
options['ipapermtargetfilter'] = list(options.get(
'ipapermtargetfilter', [])) + filter_ops['add']
def validate_permission(self, entry):
ldap = self.Backend.ldap2
# Rough filter validation by a search
if 'ipapermtargetfilter' in entry:
if entry.get('ipapermtargetfilter'):
try:
ldap.find_entries(
filter=entry.single_value['ipapermtargetfilter'],
filter=ldap.combine_filters(entry['ipapermtargetfilter'],
rules='&'),
base_dn=self.env.basedn,
scope=ldap.SCOPE_BASE,
size_limit=1)
@ -702,7 +731,7 @@ class permission(baseldap.LDAPObject):
needed_attrs = (
'ipapermtarget', 'ipapermtargetfilter',
'ipapermincludedattr', 'ipapermexcludedattr', 'ipapermdefaultattr')
if not any(entry.single_value.get(a) for a in needed_attrs):
if not any(v for a in needed_attrs for v in (entry.get(a) or ())):
raise errors.ValidationError(
name='target',
error=_('there must be at least one target entry specifier '
@ -823,7 +852,8 @@ class permission_mod(baseldap.LDAPUpdate):
has_output_params = baseldap.LDAPUpdate.has_output_params + output_params
def execute(self, *keys, **options):
self.obj.preprocess_options(options)
context.filter_ops = self.obj.preprocess_options(
options, return_filter_ops=True)
return super(permission_mod, self).execute(*keys, **options)
def pre_callback(self, ldap, dn, entry, attrs_list, *keys, **options):
@ -852,6 +882,10 @@ class permission_mod(baseldap.LDAPUpdate):
raise errors.ValidationError(
name=option_name,
error=_('not modifiable on managed permissions'))
if context.filter_ops.get('add'):
raise errors.ValidationError(
name='ipapermtargetfilter',
error=_('not modifiable on managed permissions'))
else:
if options.get('ipapermexcludedattr'):
# prevent setting excluded attributes on normal permissions
@ -888,6 +922,15 @@ class permission_mod(baseldap.LDAPUpdate):
key not in self.obj.attribute_members):
entry.setdefault(key, value)
filter_ops = context.filter_ops
removes = filter_ops.get('remove', [])
new_filters = set(
filt for filt in (entry.get('ipapermtargetfilter') or [])
if not any(rem.match(filt) for rem in removes))
new_filters.update(filter_ops.get('add', []))
new_filters.update(options.get('ipapermtargetfilter') or [])
entry['ipapermtargetfilter'] = list(new_filters)
if not entry.get('ipapermlocation'):
entry['ipapermlocation'] = [self.api.env.basedn]

76
ipatests/test_xmlrpc/test_old_permission_plugin.py
View File

@ -155,7 +155,7 @@ class test_old_permission(Declarative):
permissions=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
ipapermtarget=[DN('uid=*', users_dn)],
filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@ -231,7 +231,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
),
@ -249,13 +249,16 @@ class test_old_permission(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
'aci': u'(target = "ldap:///%s")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \
(DN(('uid', '*'), ('cn', 'users'), ('cn', 'accounts'), api.env.basedn),
DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)),
'aci': (u'(targetfilter = "(objectclass=posixaccount)")'+
u'(version 3.0;acl "permission:testperm";' +
u'allow (write) ' +
u'groupdn = "ldap:///%s";)' % DN(
('cn', 'testperm'), ('cn', 'permissions'),
('cn', 'pbac'), api.env.basedn)),
'ipapermright': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
'ipapermlocation': [users_dn],
},
),
@ -279,7 +282,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@ -304,7 +307,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@ -341,7 +344,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@ -362,13 +365,12 @@ class test_old_permission(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
'aci': u'(target = "ldap:///%s")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \
(DN(('uid', '*'), ('cn', 'users'), ('cn', 'accounts'), api.env.basedn),
DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)),
'aci': u'(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \
DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn),
'ipapermright': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
'ipapermlocation': [users_dn],
},
],
@ -398,7 +400,7 @@ class test_old_permission(Declarative):
owner=[u'cn=test', u'cn=test2'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
ipapermtarget=[DN('uid=*', users_dn)],
filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@ -422,7 +424,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
{
@ -433,7 +435,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@ -517,7 +519,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@ -542,7 +544,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
{
@ -553,7 +555,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@ -616,8 +618,8 @@ class test_old_permission(Declarative):
owner=[u'cn=other-test', u'cn=other-test2'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
ipapermtarget=[DN('uid=*', users_dn)],
filter=[u'memberOf=%s' % DN('cn=ipausers', groups_dn)],
filter=[u'memberOf=%s' % DN('cn=ipausers', groups_dn),
u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@ -640,8 +642,8 @@ class test_old_permission(Declarative):
'memberof': u'ipausers',
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)],
'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn),
u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
),
@ -687,8 +689,8 @@ class test_old_permission(Declarative):
'memberof': u'ipausers',
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)],
'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn),
u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
),
@ -715,8 +717,8 @@ class test_old_permission(Declarative):
'memberof': u'ipausers',
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)],
'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn),
u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
),
@ -743,8 +745,8 @@ class test_old_permission(Declarative):
'memberof': u'ipausers',
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
'ipapermtarget': [DN('uid=*', users_dn)],
'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)],
'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn),
u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
),
@ -944,8 +946,8 @@ class test_old_permission(Declarative):
type=u'user',
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
ipapermtarget=[DN('uid=*', users_dn)],
filter=[u'memberOf=%s' % DN('cn=editors', groups_dn)],
filter=[u'memberOf=%s' % DN('cn=editors', groups_dn),
u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@ -977,8 +979,8 @@ class test_old_permission(Declarative):
type=u'user',
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
ipapermtarget=[DN('uid=*', users_dn)],
filter=[u'memberOf=%s' % DN('cn=admins', groups_dn)],
filter=[u'memberOf=%s' % DN('cn=admins', groups_dn),
u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@ -1002,7 +1004,7 @@ class test_old_permission(Declarative):
type=u'user',
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
ipapermtarget=[DN('uid=*', users_dn)],
filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@ -1076,7 +1078,7 @@ class test_old_permission(Declarative):
attrs=(u'cn',),
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
ipapermtarget=[DN('uid=*', users_dn)],
filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@ -1099,7 +1101,7 @@ class test_old_permission(Declarative):
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
ipapermtarget=[DN('uid=*', users_dn)],
filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@ -1122,7 +1124,7 @@ class test_old_permission(Declarative):
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
ipapermtarget=[DN('uid=*', users_dn)],
filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),

293
ipatests/test_xmlrpc/test_permission_plugin.py
View File

@ -241,7 +241,7 @@ class test_permission_negative(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),
@ -271,11 +271,11 @@ class test_permission_negative(Declarative):
),
dict(
desc='Try to remove target and memberof from %r' % permission1,
desc='Try to remove targetfilter and memberof from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
attrs=None,
ipapermtarget=None,
ipapermtargetfilter=None,
)
),
expected=errors.ValidationError(
@ -344,7 +344,7 @@ class test_permission(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),
@ -352,7 +352,7 @@ class test_permission(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -429,7 +429,7 @@ class test_permission(Declarative):
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
},
),
),
@ -451,9 +451,9 @@ class test_permission(Declarative):
'ipapermright': [u'write'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
'aci': ['(targetattr = "sn")'
'(target = "ldap:///%(tdn)s")'
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%(name)s";'
'allow (write) groupdn = "ldap:///%(pdn)s";)' %
{'tdn': DN(('uid', '*'), users_dn),
@ -483,7 +483,7 @@ class test_permission(Declarative):
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
},
],
),
@ -509,7 +509,7 @@ class test_permission(Declarative):
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
},
],
),
@ -547,7 +547,7 @@ class test_permission(Declarative):
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
},
],
),
@ -572,9 +572,9 @@ class test_permission(Declarative):
'ipapermright': [u'write'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
'aci': ['(targetattr = "sn")'
'(target = "ldap:///%(tdn)s")'
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%(name)s";'
'allow (write) groupdn = "ldap:///%(pdn)s";)' %
{'tdn': DN(('uid', '*'), users_dn),
@ -611,7 +611,7 @@ class test_permission(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),
@ -619,12 +619,11 @@ class test_permission(Declarative):
verify_permission_aci(
permission2, users_dn,
'(targetattr = "cn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission2 +
'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
),
dict(
desc='Search for %r' % permission1,
command=('permission_find', [permission1], {}),
@ -644,7 +643,7 @@ class test_permission(Declarative):
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
},
{
'dn': permission2_dn,
@ -656,7 +655,7 @@ class test_permission(Declarative):
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
},
],
),
@ -741,7 +740,7 @@ class test_permission(Declarative):
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
},
],
),
@ -766,7 +765,7 @@ class test_permission(Declarative):
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
'member_privilege': [privilege1],
},
{
@ -779,7 +778,7 @@ class test_permission(Declarative):
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
},
],
),
@ -844,12 +843,13 @@ class test_permission(Declarative):
memberof=[u'ipausers'],
owner=[u'cn=other-test', u'cn=other-test2'],
attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
ipapermtargetfilter=[
u'(memberOf=%s)' % DN('cn=ipausers', groups_dn),
u"(objectclass=posixaccount)",
],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
),
),
),
@ -857,13 +857,13 @@ class test_permission(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(targetfilter = "(&' +
'(memberOf=%s)' % DN('cn=ipausers', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (read) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Retrieve %r to verify update' % permission1,
command=('permission_show', [permission1], {}),
@ -879,18 +879,16 @@ class test_permission(Declarative):
'ipapermright': [u'read'],
'memberof': [u'ipausers'],
'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermtargetfilter': [
u'(memberOf=%s)' % DN('cn=ipausers', groups_dn),
u'(objectclass=posixaccount)'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
),
),
dict(
desc='Try to rename %r to existing permission %r' % (permission1,
permission2),
@ -901,7 +899,6 @@ class test_permission(Declarative):
expected=errors.DuplicateEntry(),
),
dict(
desc='Try to rename %r to empty name' % (permission1),
command=(
@ -912,7 +909,6 @@ class test_permission(Declarative):
error=u'New name can not be empty'),
),
dict(
desc='Check integrity of original permission %r' % permission1,
command=('permission_show', [permission1], {}),
@ -928,12 +924,12 @@ class test_permission(Declarative):
'ipapermright': [u'read'],
'memberof': [u'ipausers'],
'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermtargetfilter': [
u'(memberOf=%s)' % DN('cn=ipausers', groups_dn),
u'(objectclass=posixaccount)'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
),
),
@ -958,12 +954,12 @@ class test_permission(Declarative):
'ipapermright': [u'all'],
'memberof': [u'ipausers'],
'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermtargetfilter': [
u'(memberOf=%s)' % DN('cn=ipausers', groups_dn),
u'(objectclass=posixaccount)'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
),
),
@ -973,8 +969,9 @@ class test_permission(Declarative):
verify_permission_aci(
permission1_renamed, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(targetfilter = "(&' +
'(memberOf=%s)' % DN('cn=ipausers', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1_renamed +
'allow (all) groupdn = "ldap:///%s";)' % permission1_renamed_dn,
),
@ -999,12 +996,12 @@ class test_permission(Declarative):
'ipapermright': [u'write'],
'memberof': [u'ipausers'],
'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermtargetfilter': [
u'(memberOf=%s)' % DN('cn=ipausers', groups_dn),
u'(objectclass=posixaccount)'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
),
),
@ -1014,8 +1011,9 @@ class test_permission(Declarative):
verify_permission_aci(
permission1_renamed_ucase, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(targetfilter = "(&' +
'(memberOf=%s)' % DN('cn=ipausers', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
'allow (write) groupdn = "ldap:///%s";)' %
permission1_renamed_ucase_dn,
@ -1073,7 +1071,7 @@ class test_permission(Declarative):
'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
'ipapermlocation': [api.env.basedn],
},
),
@ -1082,7 +1080,7 @@ class test_permission(Declarative):
verify_permission_aci(
permission2, api.env.basedn,
'(targetattr = "cn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission2 +
'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
),
@ -1256,12 +1254,12 @@ class test_permission(Declarative):
ipapermright=[u'write'],
type=[u'user'],
attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'editors'),
groups_dn)],
ipapermtargetfilter=[
u'(memberOf=%s)' % DN(('cn', 'editors'), groups_dn),
u'(objectclass=posixaccount)'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
),
),
),
@ -1269,8 +1267,8 @@ class test_permission(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=editors', groups_dn) +
'(targetfilter = "(&(memberOf=%s)' % DN('cn=editors', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -1300,12 +1298,12 @@ class test_permission(Declarative):
ipapermright=[u'write'],
type=[u'user'],
attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn)],
ipapermtargetfilter=[
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
),
),
),
@ -1313,8 +1311,9 @@ class test_permission(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(targetfilter = "(&' +
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -1339,7 +1338,7 @@ class test_permission(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),
@ -1347,7 +1346,7 @@ class test_permission(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -1419,7 +1418,7 @@ class test_permission(Declarative):
ipapermright=[u'write'],
attrs=(u'cn',),
ipapermbindruletype=[u'permission'],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
@ -1429,7 +1428,7 @@ class test_permission(Declarative):
verify_permission_aci(
permission3, users_dn,
'(targetattr = "cn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission3 +
'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
),
@ -1450,7 +1449,7 @@ class test_permission(Declarative):
ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
ipapermtarget=[DN(('uid', '*'),users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
@ -1475,7 +1474,7 @@ class test_permission(Declarative):
ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
@ -1485,21 +1484,29 @@ class test_permission(Declarative):
verify_permission_aci(
permission3, users_dn,
'(targetattr = "cn || uid")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission3 +
'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
),
dict(
desc='Try to modify %r with naked targetfilter' % permission1,
command=('permission_mod', [permission1],
{'ipapermtargetfilter': u"cn=admin"}),
expected=errors.ValidationError(
name='filter',
error='must be enclosed in parentheses'),
),
dict(
desc='Try to modify %r with invalid targetfilter' % permission1,
command=('permission_mod', [permission1],
{'ipapermtargetfilter': u"ceci n'est pas un filtre"}),
{'ipapermtargetfilter': u"(ceci n'est pas un filtre)"}),
expected=errors.ValidationError(
name='ipapermtargetfilter',
error='Bad search filter'),
),
dict(
desc='Try setting nonexisting location on %r' % permission1,
command=(
@ -1630,9 +1637,9 @@ class test_permission_sync_attributes(Declarative):
ipapermlocation=users_dn,
ipapermright=u'write',
attrs=u'sn',
ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn),
ipapermtarget=DN(('uid', '*'), users_dn),
ipapermtargetfilter=[
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
)
),
expected=dict(
@ -1648,9 +1655,9 @@ class test_permission_sync_attributes(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn)],
ipapermtargetfilter=[
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
memberof=[u'admins'],
),
),
@ -1659,8 +1666,8 @@ class test_permission_sync_attributes(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount))")'
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -1683,9 +1690,9 @@ class test_permission_sync_attributes(Declarative):
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn)],
ipapermtargetfilter=[
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
memberof=[u'admins'],
ipapermlocation=[api.env.basedn],
),
@ -1695,12 +1702,14 @@ class test_permission_sync_attributes(Declarative):
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount))")'
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Reset location on %r' % permission1,
command=(
@ -1721,9 +1730,9 @@ class test_permission_sync_attributes(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn)],
ipapermtargetfilter=[
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
memberof=[u'admins'],
),
),
@ -1732,17 +1741,20 @@ class test_permission_sync_attributes(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount))")'
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
verify_permission_aci_missing(permission1, api.env.basedn),
dict(
desc='Unset target on %r, verify type is gone' % permission1,
desc='Unset objectclass filter on %r, verify type is gone' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermtarget=None,
ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn),
)
),
expected=dict(
@ -1757,8 +1769,8 @@ class test_permission_sync_attributes(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn)],
ipapermtargetfilter=[
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn)],
memberof=[u'admins'],
),
),
@ -1822,7 +1834,7 @@ class test_permission_sync_attributes(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[groups_dn],
ipapermtarget=[DN(('cn', '*'), groups_dn)],
ipapermtargetfilter=[u'(objectclass=ipausergroup)'],
),
),
),
@ -1830,7 +1842,7 @@ class test_permission_sync_attributes(Declarative):
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) +
'(targetfilter = "(objectclass=ipausergroup)")'
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -1849,6 +1861,7 @@ class test_permission_sync_attributes(Declarative):
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
@ -1856,6 +1869,7 @@ class test_permission_sync_attributes(Declarative):
ipapermtarget=[DN('cn=editors', groups_dn)],
ipapermlocation=[groups_dn],
targetgroup=[u'editors'],
ipapermtargetfilter=[u'(objectclass=ipausergroup)'],
),
),
),
@ -1864,6 +1878,7 @@ class test_permission_sync_attributes(Declarative):
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
'(targetfilter = "(objectclass=ipausergroup)")'
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -1900,9 +1915,9 @@ class test_permission_sync_nice(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn)],
ipapermtargetfilter=[
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
memberof=[u'admins'],
),
),
@ -1911,14 +1926,14 @@ class test_permission_sync_nice(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset type on %r, verify target & location are gone' % permission1,
desc='Unset type on %r, verify target & filter are gone' % permission1,
command=(
'permission_mod', [permission1], dict(
type=None,
@ -2001,7 +2016,7 @@ class test_permission_sync_nice(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[groups_dn],
ipapermtarget=[DN(('cn', '*'), groups_dn)],
ipapermtargetfilter=[u'(objectclass=ipausergroup)'],
),
),
),
@ -2009,7 +2024,7 @@ class test_permission_sync_nice(Declarative):
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) +
'(targetfilter = "(objectclass=ipausergroup)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -2028,6 +2043,7 @@ class test_permission_sync_nice(Declarative):
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
@ -2035,6 +2051,7 @@ class test_permission_sync_nice(Declarative):
ipapermtarget=[DN('cn=editors', groups_dn)],
ipapermlocation=[groups_dn],
targetgroup=[u'editors'],
ipapermtargetfilter=[u'(objectclass=ipausergroup)'],
),
),
),
@ -2043,6 +2060,7 @@ class test_permission_sync_nice(Declarative):
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
'(targetfilter = "(objectclass=ipausergroup)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -2200,14 +2218,14 @@ class test_permission_bindtype(Declarative):
ipapermbindruletype=[u'anonymous'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN('uid=*', users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///anyone";)',
),
@ -2262,14 +2280,14 @@ class test_permission_bindtype(Declarative):
ipapermbindruletype=[u'all'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN('uid=*', users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///all";)',
),
@ -2304,7 +2322,7 @@ class test_permission_bindtype(Declarative):
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN('uid=*', users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
],
),
@ -2343,14 +2361,14 @@ class test_permission_bindtype(Declarative):
ipapermbindruletype=[u'all'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN('uid=*', users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),
verify_permission_aci(
permission1_renamed, users_dn,
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1_renamed +
'allow (write) userdn = "ldap:///all";)',
),
@ -2375,14 +2393,14 @@ class test_permission_bindtype(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN('uid=*', users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),
verify_permission_aci(
permission1_renamed, users_dn,
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1_renamed +
'allow (write) groupdn = "ldap:///%s";)' % permission1_renamed_dn,
),
@ -2405,14 +2423,14 @@ class test_permission_bindtype(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN('uid=*', users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -2510,7 +2528,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'cn'],
),
@ -2520,7 +2538,7 @@ class test_managed_permissions(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "cn || l || o")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -2559,7 +2577,7 @@ class test_managed_permissions(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "cn || l || o")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -2582,7 +2600,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'dc'],
ipapermincludedattr=[u'dc'],
@ -2594,7 +2612,7 @@ class test_managed_permissions(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "dc || l || o")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -2616,7 +2634,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn'],
ipapermincludedattr=[u'cn', u'sn'],
@ -2628,7 +2646,7 @@ class test_managed_permissions(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o || sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -2650,7 +2668,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
@ -2662,7 +2680,7 @@ class test_managed_permissions(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o || sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -2684,7 +2702,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
@ -2696,7 +2714,7 @@ class test_managed_permissions(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
@ -2717,7 +2735,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
@ -2729,7 +2747,7 @@ class test_managed_permissions(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///all";)',
),
@ -2749,7 +2767,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
@ -2773,7 +2791,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
@ -2792,17 +2810,16 @@ class test_managed_permissions(Declarative):
dn=permission1_dn,
cn=[permission1],
aci=['(targetattr = "l || o")'
'(target = "ldap:///%(tdn)s")'
'(targetfilter = "(objectclass=posixaccount)")'
'(version 3.0;acl "permission:%(name)s";'
'allow (write) userdn = "ldap:///all";)' %
{'tdn': DN(('uid', '*'), users_dn),
'name': permission1}],
{'name': permission1}],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
ipapermexcludedattr=[u'cn', u'sn'],
@ -2826,7 +2843,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o'],
ipapermexcludedattr=[u'cn'],
@ -2837,7 +2854,7 @@ class test_managed_permissions(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///all";)',
),
@ -2858,7 +2875,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn'],
ipapermincludedattr=[u'sn'],
@ -2870,7 +2887,7 @@ class test_managed_permissions(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o || sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///all";)',
),
@ -2892,7 +2909,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn'],
ipapermincludedattr=[u'sn'],
@ -2918,7 +2935,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn'],
ipapermincludedattr=[u'sn'],
@ -2955,7 +2972,7 @@ class test_managed_permissions(Declarative):
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn', u'cn'],
ipapermincludedattr=[u'sn'],
@ -2966,7 +2983,7 @@ class test_managed_permissions(Declarative):
verify_permission_aci(
permission1, users_dn,
'(targetattr = "cn || l || o || sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///all";)',
),

4
ipatests/test_xmlrpc/test_privilege_plugin.py
View File

@ -107,7 +107,7 @@ class test_privilege(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN('uid=*', users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),
@ -228,7 +228,7 @@ class test_privilege(Declarative):
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN('uid=*', users_dn)],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
),
),
),