[Freeipa-devel] [PATCH 0065] Don't allow users to create tokens with a specified ID

Nathaniel McCallum npmccallum at redhat.com
Sun Sep 21 19:11:03 UTC 2014


On Sat, 2014-09-20 at 16:21 -0400, Nathaniel McCallum wrote:
> On Wed, 2014-09-17 at 08:51 +0200, Jan Cholasta wrote:
> > Hi,
> > 
> > Dne 16.9.2014 v 19:32 Nathaniel McCallum napsal(a):
> > > We perform this enforcement at the API level since:
> > > * DS level enforcement would be difficult
> > > * ipatokenUniqueID generation already happens at the API level
> > >
> > > It may be nice in the future to perform enforcement in the DS itself.
> > > However, the question of the location of enforcement is largely an
> > > aesthetic issue.
> > >
> > > https://fedorahosted.org/freeipa/ticket/4456
> > 
> > That's a rather beefy check. I would prefer something like this (untested):
> > 
> >      group_dn = self.api.Object.group.get_dn(u'admins')
> >      filter = ldap.make_filter(
> >          {'krbprincipalname': context.principal, 'memberof': group_dn},
> >          ldap.MATCH_ALL)
> >      try:
> >          ldap.find_entries(
> >              base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
> >      except errors.NotFound:
> >          raise errors.ValidationError(name='ipatokenuniqueid',
> >                                       error='can only be specified by admins')
> 
> Fixed.

Please note that another approach has been posted here:

https://www.redhat.com/archives/freeipa-devel/2014-September/msg00433.html
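The check sketched in the quoted reply, as an added stand-alone example that is not FreeIPA's own code: the API layer decides whether a caller-supplied ipatokenuniqueid is allowed (admins only) or a new one must be generated, which is the reason the enforcement cannot live in the DS alone. The in-memory directory, the `find_entries` stand-in for the LDAP backend and the names `is_admin` / `otptoken_pre_add` are assumptions made so the logic runs offline.

```python
import uuid

class ValidationError(Exception):
    """Stand-in for ipalib.errors.ValidationError (assumed shape)."""
    def __init__(self, name, error):
        super().__init__(f"invalid '{name}': {error}")
        self.name, self.error = name, error

BASEDN = "dc=example,dc=test"  # constructed base DN
ADMINS_DN = f"cn=admins,cn=groups,cn=accounts,{BASEDN}"

# Constructed directory: krbprincipalname -> set of memberof group DNs.
DIRECTORY = {
    "admin@EXAMPLE.TEST": {ADMINS_DN},
    "alice@EXAMPLE.TEST": {f"cn=ipausers,cn=groups,cn=accounts,{BASEDN}"},
}

def find_entries(filter_attrs):
    """Assumed stand-in for ldap.find_entries with MATCH_ALL: an entry is
    returned only if every attribute in the filter matches it."""
    hits = [p for p, groups in DIRECTORY.items()
            if p == filter_attrs["krbprincipalname"]
            and filter_attrs["memberof"] in groups]
    if not hits:
        raise LookupError("NotFound")  # plays the role of errors.NotFound
    return hits

def is_admin(principal):
    """True iff the caller's principal is a member of the admins group."""
    try:
        find_entries({"krbprincipalname": principal, "memberof": ADMINS_DN})
        return True
    except LookupError:
        return False

def otptoken_pre_add(principal, entry_attrs):
    """Pre-add hook (assumed name): reject a caller-chosen ipatokenuniqueid
    unless the caller is an admin; otherwise generate the ID here, which is
    why the check belongs at the API level next to the generation."""
    if "ipatokenuniqueid" in entry_attrs:
        if not is_admin(principal):
            raise ValidationError(name="ipatokenuniqueid",
                                  error="can only be specified by admins")
    else:
        entry_attrs["ipatokenuniqueid"] = str(uuid.uuid4())
    return entry_attrs
```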
