def pre_callback(self, ldap, dn, *keys, **options):
dn = self.obj.get_either_dn(*keys, **options)
# For User life Cycle: user-del is a common plugin
# command to delete active user (active container) and
# delete user (delete container).
# If the target entry is a Delete entry, skip the orphaning/removal
# of OTP tokens.
check_protected_member(keys[-1])
if not options.get('preserve', False):
# Remove any ID overrides tied with this user
try:
remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
return dn
# Delete all tokens owned and managed by this user.
# Orphan all tokens owned but not managed by this user.
owner = self.api.Object.user.get_primary_key_from_dn(dn)
results = self.api.Command.otptoken_find(ipatokenowner=owner)['result']
for token in results:
orphan = not [x for x in token.get('managedby_user', []) if x == owner]
token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
if orphan:
self.api.Command.otptoken_mod(token, ipatokenowner=None)
else:
self.api.Command.otptoken_del(token)
return dn
def pre_callback(self, ldap, dn, *keys, **options):
dn = self.obj.get_either_dn(*keys, **options)
# For User life Cycle: user-del is a common plugin
# command to delete active user (active container) and
# delete user (delete container).
# If the target entry is a Delete entry, skip the orphaning/removal
# of OTP tokens.
check_protected_member(keys[-1])
if not options.get('preserve', False):
# Remove any ID overrides tied with this user
try:
remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
return dn
# Delete all tokens owned and managed by this user.
# Orphan all tokens owned but not managed by this user.
owner = self.api.Object.user.get_primary_key_from_dn(dn)
results = self.api.Command.otptoken_find(ipatokenowner=owner)['result']
for token in results:
orphan = not [x for x in token.get('managedby_user', []) if x == owner]
token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
if orphan:
self.api.Command.otptoken_mod(token, ipatokenowner=None)
else:
self.api.Command.otptoken_del(token)
return dn
def pre_callback(self, ldap, dn, *keys, **options):
assert isinstance(dn, DN)
config = ldap.get_ipa_config()
def_primary_group = config.get("ipadefaultprimarygroup", "")
def_primary_group_dn = group_dn = self.obj.get_dn(def_primary_group)
if dn == def_primary_group_dn:
raise errors.DefaultGroupError()
group_attrs = self.obj.methods.show(self.obj.get_primary_key_from_dn(dn), all=True)["result"]
if keys[0] in PROTECTED_GROUPS:
raise errors.ProtectedEntryError(label=_(u"group"), key=keys[0], reason=_(u"privileged group"))
if "mepmanagedby" in group_attrs:
raise errors.ManagedGroupError()
# Remove any ID overrides tied with this group
remove_ipaobject_overrides(ldap, self.obj.api, dn)
return dn
def pre_callback(self, ldap, dn, *keys, **options):
assert isinstance(dn, DN)
config = ldap.get_ipa_config()
def_primary_group = config.get('ipadefaultprimarygroup', '')
def_primary_group_dn = group_dn = self.obj.get_dn(def_primary_group)
if dn == def_primary_group_dn:
raise errors.DefaultGroupError()
group_attrs = self.obj.methods.show(
self.obj.get_primary_key_from_dn(dn), all=True)['result']
if keys[0] in PROTECTED_GROUPS:
raise errors.ProtectedEntryError(label=_(u'group'),
key=keys[0],
reason=_(u'privileged group'))
if 'mepmanagedby' in group_attrs:
raise errors.ManagedGroupError()
# Remove any ID overrides tied with this group
remove_ipaobject_overrides(ldap, self.obj.api, dn)
return dn
def execute(self, *keys, **options):
dn = self.obj.get_dn(*keys, **options)
# We are going to permanent delete or the user is already in the delete container.
delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
user_from_delete_container = dn.endswith(delete_container)
if not options.get('preserve', True) or user_from_delete_container:
# Remove any ID overrides tied with this user
remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
# Issue a true DEL on that entry
return super(user_del, self).execute(*keys, **options)
# The user to delete is active and there is no 'no_preserve' option
if options.get('preserve', False):
ldap = self.obj.backend
# need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9')..
active_dn = self.obj.get_dn(*keys, **options)
superior_dn = DN(self.obj.delete_container_dn, api.env.basedn)
delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn)
self.log.debug("preserve move %s -> %s" % (active_dn, delete_dn))
# Check that this value is a Active user
try:
original_entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(active_dn, ['dn'])
except errors.NotFound:
raise
# start to move the entry to Delete container
self._exc_wrapper(keys, options, ldap.move_entry)(active_dn, delete_dn, del_old=True)
# Then clear the credential attributes
attrs_to_clear = ['krbPrincipalKey', 'krbLastPwdChange', 'krbPasswordExpiration', 'userPassword']
try:
entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn, attrs_to_clear)
except errors.NotFound:
raise
clearedCredential = False
for attr in attrs_to_clear:
if attr.lower() in entry_attrs:
del entry_attrs[attr]
clearedCredential = True
if clearedCredential:
self._exc_wrapper(keys, options, ldap.update_entry)(entry_attrs)
# Then restore some original entry attributes
attrs_to_restore = [ 'secretary', 'managedby', 'manager', 'ipauniqueid', 'uidnumber', 'gidnumber', 'passwordHistory']
try:
entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn, attrs_to_restore)
except errors.NotFound:
raise
restoreAttr = False
for attr in attrs_to_restore:
if (attr.lower() in original_entry_attrs) and not (attr.lower() in entry_attrs):
restoreAttr = True
entry_attrs[attr.lower()] = original_entry_attrs[attr.lower()]
if restoreAttr:
self._exc_wrapper(keys, options, ldap.update_entry)(entry_attrs)
val = dict(result=dict(failed=[]), value=[keys[-1][0]])
return val
else:
return super(user_del, self).execute(*keys, **options)