author | Florence Blanc-Renaud <[email protected]> | 2018-11-06 16:43:29 +0100 |
---|---|---|
committer | Christian Heimes <[email protected]> | 2018-11-13 12:40:44 +0100 |
commit | 19cd9603876845ea068b7fd0778e2f0d5ac4fc70 (patch) | |
tree | 559249d6f8e1f34ef8b32a91ca7fecdf2f17226b | |
parent | d39bb65a2f6e322b9870f2550bb977ffd4b4cad6 (diff) | |
ipa user-add: add optional objectclass for radius-username
The command "ipa user-add --radius-username" fails with
ipa: ERROR: attribute "ipatokenRadiusUserName" not allowed
because it does not add the objectclass ipatokenradiusproxyuser
that is required by the attribute ipatokenradiususername.
The issue happens with ipa user-add / stageuser-add / user-mod / stageuser-mod.
The fix adds the objectclass when needed in the pre_common_callback method
of baseuser_add and baseuser_mod (ensuring that user and stageuser commands
are fixed).
Fixes https://pagure.io/freeipa/issue/7569
Reviewed-By: Alexander Bokovoy <[email protected]>
Reviewed-By: Christian Heimes <[email protected]>
-rw-r--r-- | ipaserver/plugins/baseuser.py | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index fac2f4d1c..3a591f2fd 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -485,6 +485,9 @@ class baseuser_add(LDAPCreate):
         assert isinstance(dn, DN)
         set_krbcanonicalname(entry_attrs)
         self.obj.convert_usercertificate_pre(entry_attrs)
+        if entry_attrs.get('ipatokenradiususername', None):
+            add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
+                                     entry_attrs, update=False)
 
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
@@ -573,8 +576,10 @@ class baseuser_mod(LDAPUpdate):
         setattr(context, 'randompassword', entry_attrs['userpassword'])
 
     def check_objectclass(self, ldap, dn, entry_attrs):
-        if ('ipasshpubkey' in entry_attrs or 'ipauserauthtype' in entry_attrs
-            or 'userclass' in entry_attrs or 'ipatokenradiusconfiglink' in entry_attrs):
+        # Some attributes may require additional object classes
+        special_attrs = {'ipasshpubkey', 'ipauserauthtype', 'userclass',
+                         'ipatokenradiusconfiglink', 'ipatokenradiususername'}
+        if special_attrs.intersection(entry_attrs):
             if 'objectclass' in entry_attrs:
                 obj_classes = entry_attrs['objectclass']
             else:
@@ -602,6 +607,15 @@ class baseuser_mod(LDAPUpdate):
             answer = self.api.Object['radiusproxy'].get_dn_if_exists(cl)
             entry_attrs['ipatokenradiusconfiglink'] = answer
 
+        # Note: we could have used the method add_missing_object_class
+        # but since the data is already fetched and lowercased in
+        # obj_classes, it is more efficient to use the same approach
+        # as the code right above these lines
+        if 'ipatokenradiususername' in entry_attrs:
+            if 'ipatokenradiusproxyuser' not in obj_classes:
+                entry_attrs['objectclass'].append(
+                    'ipatokenradiusproxyuser')
+
     def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list,
                             *keys, **options):
         assert isinstance(dn, DN)
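Review bot: The new guard in baseuser_add.pre_common_callback tests the attribute's truthiness (`entry_attrs.get('ipatokenradiususername', None)`), while the mod-side check added in the last hunk of this file tests key membership (`'ipatokenradiususername' in entry_attrs`), so an explicitly empty value is treated differently on the two paths: add skips the auxiliary objectclass, mod still appends it. Whichever semantics is intended for clearing the attribute, the two tests should agree; if a present-but-empty value must not pull in the objectclass, the mod path would read `if entry_attrs.get('ipatokenradiususername'):`. The `None` default is redundant in any case, `entry_attrs.get('ipatokenradiususername')` behaves identically. pre_common_callback's signature lies before the hunk.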
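Review bot: `special_attrs` in check_objectclass is a set literal rebuilt on every call and it duplicates knowledge that baseuser_add now also encodes; hoisting it to a module-level constant such as `_OBJECTCLASS_TRIGGER_ATTRS = frozenset({...})` makes the attribute-to-objectclass mapping a single documented table and lets both command classes consult it. The comment `# Some attributes may require additional object classes` would then move with the constant and could name which objectclass each attribute needs. The intersection test is exact-case against the keys of entry_attrs; this is presumably fine because LDAP entries in this plugin lower-case their keys, but that cannot be confirmed from the hunk.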
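Review bot: The new block in check_objectclass tests membership in `obj_classes` but appends to `entry_attrs['objectclass']`; in the `if 'objectclass' in entry_attrs` branch visible in the previous hunk these are the same list, but the `else` branch that fills obj_classes from LDAP is outside the hunk, and whether it also stores that list back into entry_attrs cannot be confirmed here — if it does not, the append raises KeyError on a user-mod that only passes the RADIUS user name. Appending to the name the test already uses, `obj_classes.append('ipatokenradiusproxyuser')`, removes that dependency provided the two references alias, and the nested ifs then collapse to one condition: `if ('ipatokenradiususername' in entry_attrs and 'ipatokenradiusproxyuser' not in obj_classes):`. The four-line note above the check says more than it needs to; `# obj_classes is already fetched and lower-cased, so reuse it rather than add_missing_object_class()` carries the same reasoning in one line. check_objectclass starts in the previous hunk and the code between the hunks is not shown.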