[Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation
Alexander Bokovoy
abokovoy at redhat.com
Mon Jul 11 11:04:42 UTC 2016
On Mon, 11 Jul 2016, Martin Babinsky wrote:
>From 7742cab5aebb26b3a82baac379be01120c95c400 Mon Sep 17 00:00:00 2001
>From: Martin Babinsky <mbabinsk at redhat.com>
>Date: Fri, 1 Jul 2016 18:09:04 +0200
>Subject: [PATCH] Preserve user principal aliases during rename operation
>
>When a MODRDN is performed on the user entry, the MODRDN plugin resets both
>krbPrincipalName and krbCanonicalName to the value constructed from uid. In
>doing so, however, any principal aliases added to the krbPrincipalName are
>wiped clean. In this patch old aliases are fetched before the MODRDN operation
>takes place and inserted back after it is performed.
>
>This also preserves previous user logins which can be used further for
>authentication as aliases.
>
>https://fedorahosted.org/freeipa/ticket/6028
>---
> ipaserver/plugins/baseuser.py | 49 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 49 insertions(+)
>
>diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
>index 0052e718afe639bcc1c0a698ded39ea8407a0551..1d07284181e9db84609642cd61837fd8c23778af 100644
>--- a/ipaserver/plugins/baseuser.py
>+++ b/ipaserver/plugins/baseuser.py
>@@ -498,6 +498,53 @@ class baseuser_mod(LDAPUpdate):
> len = int(config.get('ipamaxusernamelength')[0])
> )
> )
>+
>+ def preserve_krbprincipalname_pre(self, ldap, entry_attrs, *keys, **options):
>+ """
>+ preserve user principal aliases during rename operation. This is the
>+ pre-callback part of this. Another method called during post-callback
>+ shall insert the principals back
>+ """
>+ if options.get('rename') is None:
>+ return
>+
>+ try:
>+ old_entry = ldap.get_entry(
>+ entry_attrs.dn, attrs_list=(
>+ 'krbprincipalname', 'krbcanonicalname'))
>+
>+ if 'krbcanonicalname' not in old_entry:
>+ return
>+ except errors.NotFound:
>+ self.obj.handle_not_found(*keys)
>+
>+ self.context.krbprincipalname = old_entry.get(
>+ 'krbprincipalname', [])
>+ self.log.critical(
>+ "krbprincipalname pre: {}".format(self.context.krbprincipalname))
>+
>+ def preserve_krbprincipalname_post(self, ldap, entry_attrs, **options):
>+ """
>+ Insert the preserved aliases back to the user entry during rename
>+ operation
>+ """
>+ if options.get('rename') is None or not hasattr(
>+ self.context, 'krbprincipalname'):
>+ return
>+
>+ self.log.critical(
>+ "krbprincipalname post: {}".format(self.context.krbprincipalname))
>+ new_aliases = entry_attrs.get('krbprincipalname', [])
>+
>+ new_aliases.extend(self.context.krbprincipalname)
>+ entry_attrs['krbprincipalname'] = new_aliases
>+ effective_rights = entry_attrs.pop('attributelevelrights', [])
>+
>+ ldap.update_entry(entry_attrs)
>+
>+ if effective_rights:
>+ entry_attrs['attributelevelrights'] = effective_rights
Why do you need to mess with effective rights here?
Can you describe what happens on update that you need to drop them in
the entry_attrs?
>+
> def check_mail(self, entry_attrs):
> if 'mail' in entry_attrs:
> entry_attrs['mail'] = self.obj.normalize_and_validate_email(entry_attrs['mail'])
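Review bot: In `preserve_krbprincipalname_pre` the `except errors.NotFound:` branch only calls `self.obj.handle_not_found(*keys)`; if that helper returns instead of raising, execution falls through to `old_entry.get(...)` with `old_entry` unbound, so the branch should end with an explicit `return` (or the post-lookup code should move into a `try/else`). The two `self.log.critical(...)` calls in the pre and post hooks look like leftover debugging: they emit the full alias list at the highest severity on every rename, which will alarm operators watching the log and drown real critical events; `self.log.debug(...)` is the right level if the trace is worth keeping. In `preserve_krbprincipalname_post`, `new_aliases` is the list taken from `entry_attrs` and is extended in place with the saved values, so if the freshly constructed principal also appears in the saved list the attribute may carry a duplicate value and the `update_entry` call could be rejected; de-duplicating before the write (for example `entry_attrs['krbprincipalname'] = list(set(new_aliases))`) would avoid that, assuming value order is not significant for this multi-valued attribute. The enclosing class `baseuser_mod` continues outside the hunk.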
>@@ -557,9 +604,11 @@ class baseuser_mod(LDAPUpdate):
>
> self.check_objectclass(ldap, dn, entry_attrs)
> self.obj.convert_usercertificate_pre(entry_attrs)
>+ self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys, **options)
>
> def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
> assert isinstance(dn, DN)
>+ self.preserve_krbprincipalname_post(ldap, entry_attrs, **options)
> if options.get('random', False):
> try:
> entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword'))
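Review bot: The new hook call in `post_common_callback` relies on `self.context` to find the saved aliases, while the very next lines of the same method read the module-level `context` (`getattr(context, 'randompassword')`); confirm that the command object exposes `self.context` as the same per-request object, otherwise the `hasattr` guard in the post hook makes it return silently and aliases are lost without any error. Placing the hook before the rest of the post-processing also means a second `ldap.update_entry` is issued on every rename, even when no aliases were saved; skipping the write when the saved list is empty would keep plain renames to a single modify. Both `pre_common_callback` and `post_common_callback` extend outside the hunk.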
>--
>2.5.5
>
--
/ Alexander Bokovoy