Drop using a Class of Service for account activation. It added a lot of
unnecessary complexity. Instead just update the nsaccountlock attribute
directly.
ticket 568
rob
From 8b6be18478f69dda094ef6680ffd08956cbf1882 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Mon, 3 Jan 2011 15:00:35 -0500
Subject: [PATCH] Don't use Class of Service for account activation, use attribute.
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.
Since we aren't doing group-based account locking, drop that and use
nsaccountlock directly.
ticket 568
---
install/share/bootstrap-template.ldif | 38 ------------------------
ipalib/plugins/user.py | 2 +-
ipaserver/plugins/ldap2.py | 51 ++------------------------------
3 files changed, 5 insertions(+), 86 deletions(-)
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index fdb2cc4..52f0c97 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -352,50 +352,12 @@ ipaDefaultEmailDomain: $DOMAIN
ipaMigrationEnabled: FALSE
ipaConfigString: AllowNThash
-dn: cn=account inactivation,cn=accounts,$SUFFIX
-changetype: add
-description: Lock accounts based on group membership
-objectClass: top
-objectClass: ldapsubentry
-objectClass: cosSuperDefinition
-objectClass: cosClassicDefinition
-cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX
-cosAttribute: nsAccountLock operational
-cosSpecifier: memberOf
-cn: Account Inactivation
-
dn: cn=cosTemplates,cn=accounts,$SUFFIX
changetype: add
objectclass: top
objectclass: nsContainer
cn: cosTemplates
-dn: cn=cn\=inactivated\,cn\=account inactivation\,cn\=accounts\,$ESCAPED_SUFFIX,cn=cosTemplates,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: cosTemplate
-objectClass: extensibleobject
-nsAccountLock: True
-cosPriority: 1
-
-dn: cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: groupofnames
-
-dn: cn=cn\=activated\,cn\=account inactivation\,cn\=accounts\,$ESCAPED_SUFFIX,cn=cosTemplates,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: cosTemplate
-objectClass: extensibleobject
-nsAccountLock: False
-cosPriority: 0
-
-dn: cn=Activated,cn=Account Inactivation,cn=accounts,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: groupofnames
-
# templates for this cos definition are managed by the pwpolicy plugin
dn: cn=Password Policy,cn=accounts,$SUFFIX
changetype: add
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 9ccd216..b53e19a 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -203,7 +203,7 @@ class user(LDAPObject):
label=_('Car License'),
),
Bool('nsaccountlock?',
- label=_('Account activation status:'),
+ label=_('Account activation status'),
flags=['no_create', 'no_update', 'no_search'],
),
)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 2bbc322..5ac3a84 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -918,7 +918,7 @@ class ldap2(CrudBackend, Encoder):
"""Mark entry active/inactive."""
assert isinstance(active, bool)
# get the entry in question
- (dn, entry_attrs) = self.get_entry(dn, ['nsaccountlock', 'memberof'])
+ (dn, entry_attrs) = self.get_entry(dn, ['nsaccountlock'])
# check nsAccountLock attribute
account_lock_attr = entry_attrs.get('nsaccountlock', ['false'])
@@ -929,53 +929,10 @@ class ldap2(CrudBackend, Encoder):
else:
if account_lock_attr == 'true':
raise errors.AlreadyInactive()
+ account_lock_attr = str(not active)
- # check if nsAccountLock attribute is in the entry itself
- is_member = False
- member_of_attr = entry_attrs.get('memberof', [])
- for m in member_of_attr:
- if m.find('cn=activated') >= 0 or m.find('cn=inactivated') >=0:
- is_member = True
- break
- if not is_member and entry_attrs.has_key('nsaccountlock'):
- raise errors.HasNSAccountLock()
-
- activated_filter = '(cn=activated)'
- inactivated_filter = '(cn=inactivated)'
- parent_rdn = self.get_container_rdn('accounts')
-
- # try to remove the entry from activated/inactivated group
- if active:
- entries = self.find_entries(inactivated_filter, [], parent_rdn)[0]
- else:
- entries = self.find_entries(activated_filter, [], parent_rdn)[0]
- (group_dn, group_entry_attrs) = entries[0]
- try:
- self.remove_entry_from_group(dn, group_dn)
- except errors.NotGroupMember:
- pass
-
- # add the entry to the activated/inactivated group if necessary
- if active:
- (dn, entry_attrs) = self.get_entry(dn, ['nsaccountlock'])
-
- # check if we still need to add entry to the activated group
- account_lock_attr = entry_attrs.get('nsaccountlock', ['false'])
- account_lock_attr = account_lock_attr[0].lower()
- if account_lock_attr == 'false':
- return # we don't
-
- entries = self.find_entries(activated_filter, [], parent_rdn)[0]
- else:
- entries = self.find_entries(inactivated_filter, [], parent_rdn)[0]
- (group_dn, group_entry_attrs) = entries[0]
- try:
- self.add_entry_to_group(dn, group_dn)
- except errors.EmptyModlist:
- if active:
- raise errors.AlreadyActive()
- else:
- raise errors.AlreadyInactive()
+ entry_attrs['nsaccountlock'] = account_lock_attr
+ self.update_entry(dn, entry_attrs)
def activate_entry(self, dn):
"""Mark entry active."""
--
1.7.3.4