[Freeipa-devel] [PATCH 0065] Don't allow users to create tokens with a specified ID

Jan Cholasta jcholast at redhat.com
Wed Sep 17 06:51:09 UTC 2014


Hi,

On 16 Sep 2014 at 19:32, Nathaniel McCallum wrote:
> We perform this enforcement at the API level since:
> * DS level enforcement would be difficult
> * ipatokenUniqueID generation already happens at the API level
>
> It may be nice in the future to perform enforcement in the DS itself.
> However, the question of the location of enforcement is largely an
> aesthetic issue.
>
> https://fedorahosted.org/freeipa/ticket/4456

That's a rather beefy check. I would prefer something like this (untested):

     group_dn = self.api.Object.group.get_dn(u'admins')
     filter = ldap.make_filter(
         {'krbprincipalname': context.principal, 'memberof': group_dn},
         ldap.MATCH_ALL)
     try:
         ldap.find_entries(
             base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
     except errors.NotFound:
         raise ValidationError(name='ipatokenuniqueid',
                               error='can only be specified by admins')

Honza

-- 
Jan Cholasta
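The admin-only check sketched in the reply above, as an added stand-alone example that is not from the thread or from the FreeIPA code base: it builds the same MATCH_ALL filter (with RFC 4515 escaping, since the principal name comes from the caller's credentials), runs it against a constructed in-memory stand-in for the directory, and rejects a caller-supplied ipatokenuniqueid unless the calling principal is in the admins group. The group DN, the ValidationError class and the sample entries are assumptions.

```python
# Constructed example; ADMINS_DN and the directory entries are assumed values.
ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=example,dc=test"

# Stand-in for the LDAP server: two user entries, one of them an admin.
DIRECTORY = [
    {"krbprincipalname": ["admin@EXAMPLE.TEST"], "memberof": [ADMINS_DN]},
    {"krbprincipalname": ["alice@EXAMPLE.TEST"], "memberof": []},
]


class ValidationError(Exception):
    """Minimal stand-in for FreeIPA's ipalib.errors.ValidationError."""
    def __init__(self, name, error):
        super().__init__(f"invalid '{name}': {error}")
        self.name, self.error = name, error


def escape_filter_value(value):
    """RFC 4515 escaping so a value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def make_match_all_filter(attrs):
    """Equivalent of ldap.make_filter(attrs, ldap.MATCH_ALL): (&(a=v)(b=w))."""
    parts = "".join(f"({k}={escape_filter_value(v)})" for k, v in attrs.items())
    return f"(&{parts})"


def find_entries(directory, attrs):
    """Stand-in for ldap.find_entries over the filter above. LDAP attributes are
    multi-valued, so each wanted value must appear in the entry's value list.
    (Real LDAP matching is case-insensitive for these attributes; this is exact.)"""
    return [e for e in directory if all(v in e.get(k, ()) for k, v in attrs.items())]


def check_token_id(directory, principal, options):
    """Allow a caller-specified ipatokenuniqueid only for members of admins."""
    if "ipatokenuniqueid" not in options:
        return "generated"          # server picks the ID; nothing to enforce
    attrs = {"krbprincipalname": principal, "memberof": ADMINS_DN}
    if not find_entries(directory, attrs):
        raise ValidationError(name="ipatokenuniqueid",
                              error="can only be specified by admins")
    return "specified"


def is_rejected(directory, principal, options):
    """True when the check refuses the request (used for testing)."""
    try:
        check_token_id(directory, principal, options)
    except ValidationError:
        return True
    return False
```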
