Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides

2016-05-05 Thread Jan Cholasta

On 28.4.2016 12:19, Tomas Babej wrote:
> On 04/19/2016 08:20 AM, Jan Cholasta wrote:
>> On 13.4.2016 14:13, Tomas Babej wrote:
>>> On 04/13/2016 09:55 AM, Tomas Babej wrote:
>>>> On 04/07/2016 01:53 PM, Sumit Bose wrote:
>>>>> On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 1.4.2016 16:53, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> this extends the user ID overrides with the capability to store the
>>>>>>> user certificate.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/4955
>>>>>>
>>>>>> The preferred way of managing certificates nowadays is using
>>>>>> $OBJ-add-cert and $OBJ-remove-cert commands; you should add them here
>>>>>> as well.
>>>>>>
>>>>>> I would even go as far as not allowing certificates to be modified
>>>>>> using idoverrideuser-mod - in user-mod and host-mod, it's there just
>>>>>> for backward compatibility, which is not the case here. But I don't
>>>>>> have a strong opinion on that.
>>>>>>
>>>>>> For consistency with user-find and host-find, the full certificate
>>>>>> blob should not be shown in idoverrideuser-find. You can do that by
>>>>>> setting the search_display_attributes attribute on the idoverrideuser
>>>>>> class appropriately.
>>>>>
>>>>> I tested the current patch with my related patches for SSSD and all is
>>>>> working as expected.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>> Honza
>>>>>>
>>>>>> --
>>>>>> Jan Cholasta
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>>
>>>> Thanks for the reviews,
>>>>
>>>> attaching an updated patch that addresses Honza's comments.
>>>>
>>>> Tomas
>>>
>>> Sending an improved version addressing a couple of additional issues.
>>
>> 1) This bit in idoverrideuser_add.pre_callback() is redundant, as the
>> certificate will always be DER here already:
>>
>> # Normalize the certificate to DER format
>> certs = options.get('usercertificate', [])
>> certs_der = [x509.normalize_certificate(c) for c in certs]
>> entry_attrs['usercertificate'] = certs_der
>>
>> 2) You need to call convert_usercertificate_pre() in
>> idoverrideuser_mod.pre_callback() and convert_usercertificate_post() in
>> idoverrideuser_{mod,find,show}.post_callback() as well.
>>
>> Honza
>
> Updated patch attached; the mentioned issues should be fixed. I also
> removed one redundant import which escaped my careful eye.


Thanks, ACK.

Added ticket URL and pushed to master: 
6adf86378108cdf8b0825277431419a5e803aeb5


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides

2016-04-28 Thread Tomas Babej


On 04/19/2016 08:20 AM, Jan Cholasta wrote:
> On 13.4.2016 14:13, Tomas Babej wrote:
>> On 04/13/2016 09:55 AM, Tomas Babej wrote:
>>> On 04/07/2016 01:53 PM, Sumit Bose wrote:
>>>> On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 1.4.2016 16:53, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> this extends the user ID overrides with the capability to store the
>>>>>> user certificate.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4955
>>>>>
>>>>> The preferred way of managing certificates nowadays is using
>>>>> $OBJ-add-cert and $OBJ-remove-cert commands; you should add them here
>>>>> as well.
>>>>>
>>>>> I would even go as far as not allowing certificates to be modified
>>>>> using idoverrideuser-mod - in user-mod and host-mod, it's there just
>>>>> for backward compatibility, which is not the case here. But I don't
>>>>> have a strong opinion on that.
>>>>>
>>>>> For consistency with user-find and host-find, the full certificate
>>>>> blob should not be shown in idoverrideuser-find. You can do that by
>>>>> setting the search_display_attributes attribute on the idoverrideuser
>>>>> class appropriately.

>>>> I tested the current patch with my related patches for SSSD and all is
>>>> working as expected.
>>>>
>>>> bye,
>>>> Sumit

>>>>>
>>>>> Honza
>>>>>
>>>>> -- 
>>>>> Jan Cholasta
>>>>>

>>>
>>> Thanks for the reviews,
>>>
>>> attaching an updated patch that addresses Honza's comments.
>>>
>>> Tomas
>>>
>>
>> Sending an improved version addressing a couple of additional issues.
> 
> 1) This bit in idoverrideuser_add.pre_callback() is redundant, as the
> certificate will always be DER here already:
> 
> # Normalize the certificate to DER format
> certs = options.get('usercertificate', [])
> certs_der = [x509.normalize_certificate(c) for c in certs]
> entry_attrs['usercertificate'] = certs_der
> 
> 
> 2) You need to call convert_usercertificate_pre() in
> idoverrideuser_mod.pre_callback() and convert_usercertificate_post() in
> idoverrideuser_{mod,find,show}.post_callback() as well.
> 
> Honza
> 

Updated patch attached; the mentioned issues should be fixed. I also
removed one redundant import which escaped my careful eye.

Tomas
From ecfb6dbfb39120fa1c2caf83fd0d6c22471c212d Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Mar 2016 15:14:10 +0100
Subject: [PATCH] idviews: Add user certificate attribute to user ID overrides

---
 ACI.txt  |  2 +-
 API.txt  | 30 +++--
 VERSION  |  4 +--
 install/share/71idviews.ldif |  2 +-
 ipalib/plugins/idviews.py| 79 ++--
 5 files changed, 109 insertions(+), 8 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 24cb332ce6e10c82a5bfab76d084fb6c0277800d..ae00cf7a1b8e2ea0e33798993bb24dc5f06127e3 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -149,7 +149,7 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S
 dn: cn=views,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
+aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
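Review bot: the widened targetattr list on the "System: Read User ID Overrides" aci makes usercertificate readable by every authenticated user (userdn = "ldap:///all"), which is in line with the other read permissions in this file and with certificates being public material, but it means the search_display_attributes trimming suggested in review only changes what idoverrideuser-find prints, not who can read the attribute with a plain LDAP search. The hunk only touches the read side; check that the permission allowing modification of ipaUserOverride entries also lists usercertificate, otherwise delegated administrators could not set it through idoverrideuser-mod or the add-cert command.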
diff --git a/API.txt b/API.txt
index 3598b08198cae536754259f7463669052efa3f86..b2aec7313b6b9496179beddb68e4a0f5a09608bf 100644
--- 

Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides

2016-04-19 Thread Jan Cholasta

On 13.4.2016 14:13, Tomas Babej wrote:
> On 04/13/2016 09:55 AM, Tomas Babej wrote:
>> On 04/07/2016 01:53 PM, Sumit Bose wrote:
>>> On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 1.4.2016 16:53, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> this extends the user ID overrides with the capability to store the
>>>>> user certificate.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4955
>>>>
>>>> The preferred way of managing certificates nowadays is using
>>>> $OBJ-add-cert and $OBJ-remove-cert commands; you should add them here
>>>> as well.
>>>>
>>>> I would even go as far as not allowing certificates to be modified
>>>> using idoverrideuser-mod - in user-mod and host-mod, it's there just
>>>> for backward compatibility, which is not the case here. But I don't
>>>> have a strong opinion on that.
>>>>
>>>> For consistency with user-find and host-find, the full certificate
>>>> blob should not be shown in idoverrideuser-find. You can do that by
>>>> setting the search_display_attributes attribute on the idoverrideuser
>>>> class appropriately.
>>>
>>> I tested the current patch with my related patches for SSSD and all is
>>> working as expected.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Honza
>>>>
>>>> --
>>>> Jan Cholasta
>>
>> Thanks for the reviews,
>>
>> attaching an updated patch that addresses Honza's comments.
>>
>> Tomas
>
> Sending an improved version addressing a couple of additional issues.


1) This bit in idoverrideuser_add.pre_callback() is redundant, as the
certificate will always be DER here already:

# Normalize the certificate to DER format
certs = options.get('usercertificate', [])
certs_der = [x509.normalize_certificate(c) for c in certs]
entry_attrs['usercertificate'] = certs_der

2) You need to call convert_usercertificate_pre() in
idoverrideuser_mod.pre_callback() and convert_usercertificate_post() in
idoverrideuser_{mod,find,show}.post_callback() as well.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides

2016-04-13 Thread Tomas Babej
On 04/13/2016 09:55 AM, Tomas Babej wrote:
> On 04/07/2016 01:53 PM, Sumit Bose wrote:
>> On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 1.4.2016 16:53, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> this extends the user ID overrides with the capability to store the
>>>> user certificate.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4955
>>>
>>> The preferred way of managing certificates nowadays is using $OBJ-add-cert
>>> and $OBJ-remove-cert commands; you should add them here as well.
>>>
>>> I would even go as far as not allowing certificates to be modified using
>>> idoverrideuser-mod - in user-mod and host-mod, it's there just for backward
>>> compatibility, which is not the case here. But I don't have a strong opinion
>>> on that.
>>>
>>> For consistency with user-find and host-find, the full certificate blob
>>> should not be shown in idoverrideuser-find. You can do that by setting the
>>> search_display_attributes attribute on the idoverrideuser class
>>> appropriately.
>>
>> I tested the current patch with my related patches for SSSD and all is
>> working as expected.
>>
>> bye,
>> Sumit
>>
>>>
>>> Honza
>>>
>>> -- 
>>> Jan Cholasta
>>>
>>
> 
> Thanks for the reviews,
> 
> attaching an updated patch that addresses Honza's comments.
> 
> Tomas
> 

Sending an improved version addressing a couple of additional issues.

Tomas
From f56129024fecfe1522cd6bd85f7daddfd3bf5129 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Mar 2016 15:14:10 +0100
Subject: [PATCH] idviews: Add user certificate attribute to user ID overrides

---
 ACI.txt  |  2 +-
 API.txt  | 30 ++--
 install/share/71idviews.ldif |  2 +-
 ipalib/plugins/idviews.py| 82 ++--
 4 files changed, 110 insertions(+), 6 deletions(-)
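Review bot: the diffstat lists API.txt but no VERSION file; adding an option to idoverrideuser_add and idoverrideuser_mod (and any new commands) is an API change, so the API version in VERSION needs to be bumped together with the API.txt update. The 28 April version of this patch does include `VERSION | 4 +--` in its diffstat, so this is resolved there.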

diff --git a/ACI.txt b/ACI.txt
index 24cb332ce6e10c82a5bfab76d084fb6c0277800d..ae00cf7a1b8e2ea0e33798993bb24dc5f06127e3 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -149,7 +149,7 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S
 dn: cn=views,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
+aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index 5b75413f930d0e9caaffc68023bed8106d786653..76b260da72533ee88027f72d56a591c7566c72b7 100644
--- a/API.txt
+++ b/API.txt
@@ -2429,7 +2429,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: idoverrideuser_add
-args: 2,15,3
+args: 2,16,3
 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True)
 arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -2446,6 +2446,19 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', required=False)
 option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, 

Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides

2016-04-13 Thread Tomas Babej
On 04/07/2016 01:53 PM, Sumit Bose wrote:
> On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 1.4.2016 16:53, Tomas Babej wrote:
>>> Hi,
>>>
>>> this extends the user ID overrides with the capability to store the user
>>> certificate.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4955
>>
>> The preferred way of managing certificates nowadays is using $OBJ-add-cert
>> and $OBJ-remove-cert commands; you should add them here as well.
>>
>> I would even go as far as not allowing certificates to be modified using
>> idoverrideuser-mod - in user-mod and host-mod, it's there just for backward
>> compatibility, which is not the case here. But I don't have a strong opinion
>> on that.
>>
>> For consistency with user-find and host-find, the full certificate blob
>> should not be shown in idoverrideuser-find. You can do that by setting the
>> search_display_attributes attribute on the idoverrideuser class
>> appropriately.
> 
> I tested the current patch with my related patches for SSSD and all is
> working as expected.
> 
> bye,
> Sumit
> 
>>
>> Honza
>>
>> -- 
>> Jan Cholasta
>>
> 

Thanks for the reviews,

attaching an updated patch that addresses Honza's comments.

Tomas
From bc7a20b942931e43b4d7e4e79b88cae8a113385d Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Mar 2016 15:14:10 +0100
Subject: [PATCH] idviews: Add user certificate attribute to user ID overrides

---
 ACI.txt  |  2 +-
 API.txt  | 30 +++--
 install/share/71idviews.ldif |  2 +-
 ipalib/plugins/idviews.py| 80 ++--
 4 files changed, 108 insertions(+), 6 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 24cb332ce6e10c82a5bfab76d084fb6c0277800d..ae00cf7a1b8e2ea0e33798993bb24dc5f06127e3 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -149,7 +149,7 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S
 dn: cn=views,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
+aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index 5b75413f930d0e9caaffc68023bed8106d786653..76b260da72533ee88027f72d56a591c7566c72b7 100644
--- a/API.txt
+++ b/API.txt
@@ -2429,7 +2429,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: idoverrideuser_add
-args: 2,15,3
+args: 2,16,3
 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True)
 arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -2446,6 +2446,19 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', required=False)
 option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False)
+option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False)
+option: Str('version?', exclude='webui')
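Review bot: the hunk header `@@ -2446,6 +2446,19 @@` announces 13 added lines, but only the usercertificate option and `+option: Str('version?', exclude='webui')` are visible here, and `version?` was a context line in the 1 April version of this hunk. That shape is what a diff looks like when a whole new command block is inserted directly after idoverrideuser_add (presumably the add-cert/remove-cert commands asked for in review), so their `args:` counts and option lists cannot be checked from this message and need to be read in the full patch; each new command should carry its own `args:` line consistent with its option count.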

Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides

2016-04-07 Thread Sumit Bose
On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
> Hi,
> 
> On 1.4.2016 16:53, Tomas Babej wrote:
> >Hi,
> >
> >this extends the user ID overrides with the capability to store the user
> >certificate.
> >
> >https://fedorahosted.org/freeipa/ticket/4955
> 
> The preferred way of managing certificates nowadays is using $OBJ-add-cert
> and $OBJ-remove-cert commands; you should add them here as well.
> 
> I would even go as far as not allowing certificates to be modified using
> idoverrideuser-mod - in user-mod and host-mod, it's there just for backward
> compatibility, which is not the case here. But I don't have a strong opinion
> on that.
> 
> For consistency with user-find and host-find, the full certificate blob
> should not be shown in idoverrideuser-find. You can do that by setting the
> search_display_attributes attribute on the idoverrideuser class
> appropriately.

I tested the current patch with my related patches for SSSD and all is
working as expected.

bye,
Sumit

> 
> Honza
> 
> -- 
> Jan Cholasta
> 


Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides

2016-04-04 Thread Jan Cholasta

Hi,

On 1.4.2016 16:53, Tomas Babej wrote:
> Hi,
>
> this extends the user ID overrides with the capability to store the user
> certificate.
>
> https://fedorahosted.org/freeipa/ticket/4955

The preferred way of managing certificates nowadays is using
$OBJ-add-cert and $OBJ-remove-cert commands; you should add them here as
well.

I would even go as far as not allowing certificates to be modified using
idoverrideuser-mod - in user-mod and host-mod, it's there just for
backward compatibility, which is not the case here. But I don't have a
strong opinion on that.

For consistency with user-find and host-find, the full certificate blob
should not be shown in idoverrideuser-find. You can do that by setting
the search_display_attributes attribute on the idoverrideuser class
appropriately.


Honza

--
Jan Cholasta

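The review points raised in this thread (values already DER in add.pre_callback, convert_usercertificate_pre/post in mod, find and show, keeping the blob out of find output via search_display_attributes, and add-cert/remove-cert as the management path) modelled end to end as an added, self-contained example. This is not FreeIPA's code: the ';binary' attribute renaming, the in-memory DIRECTORY, and the normalize_certificate and idoverrideuser_* stand-ins are assumptions in place of ipalib.

```python
import base64
import re

# Constructed sample DER blobs (a SEQUENCE wrapping an INTEGER and an OCTET
# STRING), enough to round-trip through PEM and base64; not real certificates.
DER_CERT_1 = b"\x30\x0b\x02\x01\x01\x04\x06sample"
DER_CERT_2 = b"\x30\x0b\x02\x01\x02\x04\x06second"
B64_CERT_1 = base64.b64encode(DER_CERT_1)
PEM_CERT_1 = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(DER_CERT_1)
              + b"-----END CERTIFICATE-----\n")
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

DIRECTORY = {}  # (idview, anchor) -> entry; stands in for the LDAP backend
# 4 April review point: find output omits the blob, the way user-find and
# host-find do through search_display_attributes.
SEARCH_DISPLAY_ATTRIBUTES = ("ipaanchoruuid", "uid", "uidnumber", "description")

def normalize_certificate(cert):
    """Stand-in for x509.normalize_certificate: PEM, bare base64 or DER in, DER
    out (assumed contract; the real helper also parses the certificate). The
    client applies this to --certificate, so a Bytes option reaches the server
    as DER and re-normalising in add.pre_callback is redundant (point 1)."""
    if isinstance(cert, str):
        cert = cert.encode("ascii")
    match = PEM_BLOCK.search(cert)
    if match:
        return base64.b64decode(match.group(1))
    if cert[:1] == b"\x30":  # a DER certificate starts with a SEQUENCE tag
        return cert
    return base64.b64decode(cert)

def convert_usercertificate_pre(entry_attrs):
    """Move the option value to the attribute name used for the LDAP write;
    that it is the ';binary' form is this example's assumption."""
    if "usercertificate" in entry_attrs:
        entry_attrs["usercertificate;binary"] = entry_attrs.pop("usercertificate")

def convert_usercertificate_post(entry_attrs):
    """Inverse of the pre step for entries read back from the directory."""
    if "usercertificate;binary" in entry_attrs:
        entry_attrs["usercertificate"] = entry_attrs.pop("usercertificate;binary")

def idoverrideuser_show(idview, anchor):
    entry = dict(DIRECTORY[(idview, anchor)])
    convert_usercertificate_post(entry)  # show.post_callback (point 2)
    return entry

def idoverrideuser_add(idview, anchor, **options):
    entry = {"ipaanchoruuid": anchor}
    entry.update(options)  # usercertificate values are DER already
    convert_usercertificate_pre(entry)  # add.pre_callback
    DIRECTORY[(idview, anchor)] = entry
    return idoverrideuser_show(idview, anchor)

def idoverrideuser_mod(idview, anchor, **options):
    changes = dict(options)
    convert_usercertificate_pre(changes)  # mod.pre_callback (point 2)
    DIRECTORY[(idview, anchor)].update(changes)
    return idoverrideuser_show(idview, anchor)

def idoverrideuser_find(idview):
    return [{k: v for k, v in entry.items() if k in SEARCH_DISPLAY_ATTRIBUTES}
            for (view, _), entry in DIRECTORY.items() if view == idview]

def idoverrideuser_add_cert(idview, anchor, certs):
    """The add-cert path: append DER values; a duplicate is rejected."""
    stored = DIRECTORY[(idview, anchor)].setdefault("usercertificate;binary", [])
    for der in certs:
        if der in stored:
            raise ValueError("certificate already present")
        stored.append(der)
    return idoverrideuser_show(idview, anchor)

def idoverrideuser_remove_cert(idview, anchor, certs):
    """The remove-cert path: drop DER values; a value not stored is an error."""
    stored = DIRECTORY[(idview, anchor)].get("usercertificate;binary", [])
    for der in certs:
        if der not in stored:
            raise ValueError("certificate not present")
        stored.remove(der)
    return idoverrideuser_show(idview, anchor)
```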


[Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides

2016-04-01 Thread Tomas Babej
Hi,

this extends the user ID overrides with the capability to store the user
certificate.

https://fedorahosted.org/freeipa/ticket/4955

Tomas
From 4ab4ac5871f14d164544298fc5763321b8ef7558 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Mar 2016 15:14:10 +0100
Subject: [PATCH] idviews: Add user certificate attribute to user ID overrides

---
 ACI.txt  |  2 +-
 API.txt  |  6 --
 install/share/71idviews.ldif |  2 +-
 ipalib/plugins/idviews.py| 34 +++---
 4 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 24cb332ce6e10c82a5bfab76d084fb6c0277800d..ae00cf7a1b8e2ea0e33798993bb24dc5f06127e3 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -149,7 +149,7 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S
 dn: cn=views,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
+aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index 5b75413f930d0e9caaffc68023bed8106d786653..34053640ccc0928ae76d9ae658a55e171478ceab 100644
--- a/API.txt
+++ b/API.txt
@@ -2429,7 +2429,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: idoverrideuser_add
-args: 2,15,3
+args: 2,16,3
 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True)
 arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -2446,6 +2446,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', required=False)
 option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False)
+option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False)
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
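Review bot: `Bytes('usercertificate', ..., multivalue=True)` means a value given to --certificate is base64-decoded on the client and arrives at the server as DER, which is why the x509.normalize_certificate() loop in idoverrideuser_add.pre_callback() is redundant, as the 19 April review notes; what the pre_callback still has to do is the convert_usercertificate_pre() step that the same review asks for in mod as well. The `args: 2,15,3` to `2,16,3` change in the preceding hunk accounts for exactly this one option.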
@@ -2485,7 +2486,7 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: idoverrideuser_mod
-args: 2,18,3
+args: 2,19,3
 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True)
 arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -2505,6 +2506,7 @@ option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', required=False)
 option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False)
+option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False)
 option: Str('version?', exclude='webui')
 output: Entry('result', ,
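Review bot: if the suggestion to manage certificates only through add-cert/remove-cert is taken, this usercertificate option on idoverrideuser_mod (and the `args: 2,19,3` bump) can be dropped; if it stays, idoverrideuser_mod.pre_callback() must call convert_usercertificate_pre() and its post_callback convert_usercertificate_post(), as the 19 April review points out, so that a value passed via --certificate on mod is stored the same way as on add. `autofill=False` is consistent with the neighbouring mod options.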