[Freeipa-devel] [PATCH 0016] Add RADIUS proxy support to ipalib CLI

Jan Cholasta jcholast at redhat.com
Sat Sep 14 06:22:34 UTC 2013


On 13.9.2013 09:21, Jan Cholasta wrote:
> Hi,
>
> On 12.9.2013 22:48, Nathaniel McCallum wrote:
>> On Thu, 2013-09-05 at 00:06 -0400, Nathaniel McCallum wrote:
>>> patch attached
>>
>> Update for ./makeapi attached.
>>
>
> +        if 'ipatokenradiusconfiglink' in entry_attrs:
> +            cl = entry_attrs['ipatokenradiusconfiglink']
> +            if not cl:
> +                entry_attrs['ipatokenradiususername'] = None
> +                if 'ipatokenradiusproxyuser' in
> entry_attrs['objectclass']:
> + entry_attrs['objectclass'].remove('ipatokenradiusproxyuser')
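
Review bot: The empty-link branch reads entry_attrs['objectclass'] without checking that the key is present, while the hunk only tests for 'ipatokenradiusconfiglink' in entry_attrs. If the caller did not supply objectclass, this raises KeyError instead of clearing the link. Either guard the lookup or load the entry's current object classes before touching the list. The membership test is also a case-sensitive string comparison, so a stored value such as 'ipaTokenRadiusProxyUser' would not match; compare on lowercased values.
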
>
> Is there a particular reason to remove the object class? I think you
> can just leave it there, that is what we do in other plugins.
>
> +            else:
> +                if 'ipatokenradiusproxyuser' not in
> entry_attrs['objectclass']:
> + entry_attrs['objectclass'].append('ipatokenradiusproxyuser')
> +
> +                answer = self.api.Command.radius_show(cl)
> +                entry_attrs['ipatokenradiusconfiglink'] =
> answer['result']['dn']
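
Review bot: Missing documentation in the else branch: entry_attrs['ipatokenradiusconfiglink'] is overwritten in place, turning the name the caller passed in cl into the DN taken from answer['result']['dn'], and nothing in the hunk says so. A one-line comment stating that the option takes a RADIUS configuration name while the stored attribute is a DN would help, along with a note on what should happen when cl is already a DN.
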
>
> Please use self.api.Object.radius.get_dn_if_exists(cl) to get the DN
> instead of radius_show.
>
> The whole code block should be added to user_add as well.
>
>
> +        radius = options.get('ipatokenradiusconfiglink', None)
> +        if radius is not None:
> +            answer = self.api.Command.radius_show(radius)
> +            filter = filter.replace('(ipatokenradiusconfiglink=%s)' %
> radius,
> +                                    '(ipatokenradiusconfiglink=%s)' %
> answer['result']['dn'])
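
Review bot: The filter.replace() call depends on the raw value of radius appearing verbatim in the generated filter, and it splices the DN in with plain '%s' formatting and no LDAP filter escaping. If the name contains a character that is escaped when the filter is built (parenthesis, asterisk, backslash), the pattern will not match and the search silently runs against the bare name; if the DN contains one, the resulting filter is malformed or changes meaning. Resolve the DN before the filter is generated so it passes through the normal escaping path. As a smaller point, the local name filter shadows the Python builtin.
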
>
> Again, use get_dn_if_exists instead of radius_show to get the DN.
>
> As for the filter processing, I think it would be safer to override
> args_options_2_entry in user_find and do it in there:
>
>      def args_options_2_entry(self, *keys, **options):
>          if 'ipatokenradiusconfiglink' in options:
>              options['ipatokenradiusconfiglink'] =
> self.api.Object.radius.get_dn(options['ipatokenradiusconfiglink'])
>          return super(user_find, self).args_options_2_entry(

... or you can do this in user_find.execute, as there already is 
something similar done for the "manager" attribute.

>
>
> Honza
>

BTW, I think you should configure the referential integrity plugin so 
that when a radius object is deleted, all ipatokenradiusconfiglink's to 
it are deleted as well.

Honza

-- 
Jan Cholasta
