[Freeipa-devel] [PATCH 0024] Add OTP support to ipalib CLI

Jan Cholasta jcholast at redhat.com
Mon Dec 16 16:31:21 UTC 2013 

On 13.12.2013 21:15, Nathaniel McCallum wrote:
> On Fri, 2013-12-13 at 14:50 -0500, Nathaniel McCallum wrote:
>> On Wed, 2013-12-11 at 13:24 +0100, Jan Cholasta wrote:
>>> +        # Resolve the user's dn
>>> +        owner = entry_attrs.get('ipatokenowner', None)
>>> +        if owner is not None:
>>> +            owner = self.api.Object.user.get_dn(owner)
>>> +            entry_attrs['ipatokenowner'] = owner
>>>
>>> You have a _normalize_owner function, I think the code above should go
>>> into a _convert_owner function (use the function in
>>> otptoken_{mod,show,find} as well).
>>
>> Fixed for mod and find. Show doesn't make sense.

Please rename _normalize_owner to _convert_owner and vice versa, to 
match the convention used in other plugins (sorry for noticing this 
earlier).


This bit in otptoken_add should be replaced by a call to 
_normalize_owner (after the rename):

+        # Resolve the user's dn
+        owner = entry_attrs.get('ipatokenowner', None)
+        if owner is not None:
+            owner = self.api.Object.user.get_dn(owner)
+            entry_attrs['ipatokenowner'] = owner


You do the conversion from uid to DN in otptoken_find twice:

+        _convert_owner(self.api.Object.user, kwargs)
+        return super(otptoken_find, self).pre_callback(ldap, filters, 
*args, **kwargs)
+
+    def args_options_2_entry(self, *args, **options):
+        o = 'ipatokenowner'
+        if o in options:
+            options[o] = self.api.Object.user.get_dn(options[o])

I would suggest to do it only in args_options_2_entry like this (again, 
after the rename):

     def args_options_2_entry(self, *args, **options):
         entry = super(otptoken_find, self).args_options_2_entry(*args, 
**options)
         _convert_owner(self.api.Object.user, entry)
         return entry

>>> +        # Delete all tokens owned by this user
>>> +        owner = self.api.Object.user.get_primary_key_from_dn(dn)
>>> +        results =
>>> self.api.Command.otptoken_find(ipatokenowner=owner)['result']
>>> +        for token in results:
>>> +            token =
>>> self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
>>> +            self.api.Command.otptoken_del(token)
>>>
>>> This should probably be handled by the referint plugin.
>>
>> See my reply to Martin.

I see, my mistake.

>
> ARGH! I should try not to break stuff. New patch attached...
>

The patch needs a rebase (for the sake of ipapermlocation default value).

-- 
Jan Cholasta

More information about the Freeipa-devel mailing list