[Freeipa-devel] [PATCH 0065] Don't allow users to create tokens with a specified ID
Martin Kosek
mkosek at redhat.com
Wed Sep 17 10:31:34 UTC 2014
On 09/17/2014 08:51 AM, Jan Cholasta wrote:
> Hi,
>
> On 16.9.2014 at 19:32, Nathaniel McCallum wrote:
>> We perform this enforcement at the API level since:
>> * DS level enforcement would be difficult
>> * ipatokenUniqueID generation already happens at the API level
>>
>> It may be nice in the future to perform enforcement in the DS itself.
>> However, the question of the location of enforcement is largely an
>> aesthetic issue.
>>
>> https://fedorahosted.org/freeipa/ticket/4456
>
> That's a rather beefy check. I would prefer something like this (untested):
>
> group_dn = self.api.Object.group.get_dn(u'admins')
> filter = ldap.make_filter(
>     {'krbprincipalname': context.principal, 'memberof': group_dn},
>     ldap.MATCH_ALL)
> try:
>     ldap.find_entries(
>         base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
> except errors.NotFound:
>     raise ValidationError(name='ipatokenuniqueid',
>                           error='can only be specified by admins')
>
> Honza
>
Also, do we want to hard-code it to the admins group only? Wouldn't it be more
flexible to create a new Virtual Operation and let the realm admin configure who
can change the UID? See Jan's patch d6fb110b77e2c585f0bfc5eb11b0187a43263fa1
for an example of how that's done.
Martin
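The two enforcement styles discussed in this thread, side by side, as an added example that is not part of the original messages or of FreeIPA's code: a single filtered search for "caller is in admins" (Jan's sketch) versus a check against a configurable virtual operation (Martin's suggestion), both applied at the API level before a caller-supplied ipatokenuniqueid is accepted. The directory, the virtual-operation entry name (cn=Set OTP token unique ID,cn=virtual operations,cn=etc,$SUFFIX), the grant table and the principals are all constructed stand-ins; the real plugin would go through ldap2 and ACIs instead of these dicts.

```python
import uuid

# Constructed stand-in for the directory; none of this is FreeIPA's own code.
BASEDN = "dc=example,dc=test"
USERS = f"cn=users,cn=accounts,{BASEDN}"
GROUPS = f"cn=groups,cn=accounts,{BASEDN}"
ADMINS_DN = f"cn=admins,{GROUPS}"
HELPDESK_DN = f"cn=helpdesk,{GROUPS}"
# Hypothetical virtual-operation entry; the actual name would be chosen by the patch.
SET_TOKEN_ID_OP = f"cn=Set OTP token unique ID,cn=virtual operations,cn=etc,{BASEDN}"

DIRECTORY = {
    f"uid=admin,{USERS}": {"krbprincipalname": "admin@EXAMPLE.TEST",
                           "memberof": {ADMINS_DN}},
    f"uid=helpdesk1,{USERS}": {"krbprincipalname": "helpdesk1@EXAMPLE.TEST",
                               "memberof": {HELPDESK_DN}},
    f"uid=alice,{USERS}": {"krbprincipalname": "alice@EXAMPLE.TEST",
                           "memberof": set()},
}

# Constructed stand-in for the ACIs that grant a virtual operation: the realm
# admin edits this in the directory, the plugin code does not hard-code a group.
VIRTUAL_OP_GRANTS = {SET_TOKEN_ID_OP: {ADMINS_DN, HELPDESK_DN}}

TOKENS = {}  # ipatokenuniqueid -> token entry, stands in for the OTP container


class NotFound(Exception):
    pass


class ValidationError(Exception):
    def __init__(self, name, error):
        super().__init__(f"invalid '{name}': {error}")
        self.name, self.error = name, error


def find_entries(filter_attrs):
    """AND-match every attribute, like make_filter(..., MATCH_ALL) + find_entries."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        for key, wanted in filter_attrs.items():
            have = attrs.get(key)
            if not (wanted == have or (isinstance(have, set) and wanted in have)):
                break
        else:
            hits.append(dn)
    if not hits:
        raise NotFound()
    return hits


def caller_in_admins(principal):
    """Jan's sketch: one search for the caller's entry with memberof=admins."""
    try:
        find_entries({"krbprincipalname": principal, "memberof": ADMINS_DN})
        return True
    except NotFound:
        return False


def caller_can_perform(principal, op_dn):
    """Martin's suggestion: membership in any group granted the virtual operation."""
    (dn,) = find_entries({"krbprincipalname": principal})
    return bool(DIRECTORY[dn]["memberof"] & VIRTUAL_OP_GRANTS.get(op_dn, set()))


def otptoken_add(principal, ipatokenuniqueid=None, use_virtual_op=True):
    """API-level enforcement: only a privileged caller may choose the token ID.

    Unprivileged callers still get a token, but its ID is generated server-side
    exactly as it is when no ID is supplied at all.
    """
    if ipatokenuniqueid is not None:
        allowed = (caller_can_perform(principal, SET_TOKEN_ID_OP) if use_virtual_op
                   else caller_in_admins(principal))
        if not allowed:
            raise ValidationError(name="ipatokenuniqueid",
                                  error="can only be specified by admins")
    else:
        ipatokenuniqueid = str(uuid.uuid4())
    entry = {"ipatokenuniqueid": ipatokenuniqueid, "ipatokenowner": principal}
    TOKENS[ipatokenuniqueid] = entry
    return entry
```

With the hard-coded check a helpdesk member is refused, with the virtual operation the same caller is accepted once the realm admin has granted that group the operation; the plugin code is identical in both cases, only the grant table changes.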