def create(entity):
try:
attrs = {}
attrs.update({'objectClass': ROLE_OCS})
attrs.update({global_ids.CN: entity.name})
attrs.update({ROLE_NAME: entity.name})
# generate random id:
entity.internal_id = str(uuid.uuid4())
attrs.update({global_ids.INTERNAL_ID: entity.internal_id})
# string:
if entity.description:
attrs.update({global_ids.DESC: entity.description})
# list of strings
if entity.props is not None and len(entity.props) > 0:
attrs.update({global_ids.PROPS: entity.props})
# list of comma delimited strings:
if entity.constraint is None:
entity.constraint = Constraint(name=entity.name)
#if entity.constraint is not None:
attrs.update({global_ids.CONSTRAINT: entity.constraint.get_raw()})
conn = ldaphelper.open()
conn.add_s(__get_dn(entity), add_to_modlist(attrs))
except ldap.ALREADY_EXISTS:
raise NotUnique(msg='Role create failed, already exists:' + entity.uid,
id=global_ids.ROLE_ADD_FAILED)
except ldap.LDAPError as e:
raise RbacError(msg='Role create failed result=' + str(e),
id=global_ids.ROLE_ADD_FAILED)
except Exception as e:
raise RbacError(msg='Role create error=' + str(e),
id=global_ids.ROLE_ADD_FAILED)
return entity
def update(entity):
try:
attrs = {}
if entity.description:
attrs.update(
{global_ids.DESC: [(MOD_REPLACE, [entity.description])]})
if entity.type:
attrs.update({TYPE: [(MOD_REPLACE, [entity.type])]})
# list of strings:
if entity.props is not None and len(entity.props) > 0:
attrs.update({global_ids.PROPS: [(MOD_REPLACE, entity.props)]})
if entity.users is not None and len(entity.users) > 0:
attrs.update({USERS: [(MOD_REPLACE, entity.users)]})
if entity.roles is not None and len(entity.roles) > 0:
attrs.update({ROLES: [(MOD_REPLACE, entity.roles)]})
if len(attrs) > 0:
conn = ldaphelper.open()
conn.modify_s(__get_dn(entity), attrs_to_modlist(attrs))
except ldap.NO_SUCH_OBJECT:
raise NotFound(msg='Perm update failed, not found:' + entity.obj_name,
id=global_ids.PERM_OP_NOT_FOUND)
except ldap.LDAPError as e:
raise RbacError(msg='Perm update failed result=' + str(e),
id=global_ids.PERM_UPDATE_FAILED)
except Exception as e:
raise RbacError(msg='Perm update error=' + str(e),
id=global_ids.PERM_UPDATE_FAILED)
return entity
def add_active_role(session, role):
"""
This function adds a role as an active role of a session whose owner is a given user.
required parameters:
session - as returned from create_session api
role.name - maps to existing role
return:
None
"""
__validate(session)
__validate_user_constraint(session, 'add_active_role')
if any(s.lower() == role.lower() for s in session.user.roles):
raise RbacError(msg='add_active_role uid=' + session.user.uid +
', previously activated role=' + role,
id=global_ids.URLE_ALREADY_ACTIVE)
user = userdao.read(session.user)
constraint = __find_role_constraint(role, user.role_constraints)
if constraint is not None:
__activate_role(session.user, constraint)
else:
raise RbacError(msg='add_active_role uid=' + session.user.uid +
', has not been assigned role=' + role,
id=global_ids.URLE_ASSIGN_NOT_EXIST)
__validate_role_constraints(session)
__refresh(session)
def validate_perm_obj(perm):
if perm is None:
raise RbacError(msg='Perm object is None',
id=global_ids.PERM_OBJECT_NULL)
elif not perm.obj_name:
raise RbacError(msg='Perm object name is None',
id=global_ids.PERM_OBJECT_NM_NULL)
def update(entity):
try:
attrs = {}
if entity.description:
attrs.update(
{global_ids.DESC: [(MOD_REPLACE, [entity.description])]})
# list of srings:
if entity.props is not None and len(entity.props) > 0:
attrs.update({global_ids.PROPS: [(MOD_REPLACE, [entity.props])]})
# list of comma delimited strings:
if entity.constraint is not None:
attrs.update({
global_ids.CONSTRAINT:
[(MOD_REPLACE, [entity.constraint.get_raw()])]
})
if len(attrs) > 0:
conn = ldaphelper.open()
conn.modify_s(__get_dn(entity), mods_to_modlist(attrs))
except ldap.NO_SUCH_OBJECT:
raise NotFound(msg='Role update failed, not found:' + entity.name,
id=global_ids.ROLE_NOT_FOUND)
except ldap.LDAPError as e:
raise RbacError('Role update failed result=' + str(e),
global_ids.ROLE_UPDATE_FAILED)
except Exception as e:
raise RbacError(msg='Role update error=' + str(e),
id=global_ids.ROLE_UPDATE_FAILED)
return entity
def deassign(user, role):
"""
This command deletes the assignment of the User from the Role entities.
The command is valid if and only if the user is a member of the USERS data set, the role is a member of the ROLES data set,
and the user is assigned to the role. Any sessions that currently have this role activated will not be effected.
Successful completion includes:
User entity in USER data set has role assignment removed.
Role entity in ROLE data set has userId removed as role occupant.
required parameters:
user.uid - existing user.
role.name - existing role.
"""
utils.validate_user(user)
utils.validate_role(role)
out_user = userdao.read(user)
for constraint in out_user.role_constraints:
if constraint.name == role.name:
found = True
userdao.deassign(user, constraint)
try:
roledao.remove_member(role, user.uid)
except RbacError as e:
if e.id != global_ids.URLE_ASSIGN_NOT_EXIST:
raise RbacError(msg=e.msg, id=e.id)
else:
logger.warn('admin.deassign remove member failed because not occupant. user:'******', role:' + role.name)
if not found:
raise RbacError(msg='Role deassign failed constraint not found', id=global_ids.URLE_DEASSIGN_FAILED)
def __validate_perm(perm):
if perm is None:
raise RbacError(msg='Perm is None', id=global_ids.PERM_NULL)
elif perm.obj_name is None:
raise RbacError(msg='Perm object name is None',
id=global_ids.PERM_OBJECT_NM_NULL)
elif perm.op_name is None:
raise RbacError(msg='Perm op name is None',
id=global_ids.PERM_OPERATION_NM_NULL)
def validate_perm(perm):
if perm is None:
raise RbacError(msg='Permission is None',
id=global_ids.PERM_OPERATION_NULL)
elif not perm.obj_name:
raise RbacError(msg='Permission object name is None',
id=global_ids.PERM_OBJECT_NM_NULL)
elif not perm.op_name:
raise RbacError(msg='Permission operation name is None',
id=global_ids.PERM_OPERATION_NM_NULL)
def delete_ou(name):
__validate(name)
try:
conn = ldaphelper.open()
conn.delete_s(ldaphelper.get_container_dn(name))
except ldap.NO_SUCH_OBJECT:
raise NotFound(msg='OU delete not found:' + name,
id=global_ids.CNTR_NOT_FOUND)
except ldap.LDAPError as e:
raise RbacError(msg='OU delete failed result=' + str(e),
id=global_ids.CNTR_DELETE_FAILED)
except Exception as e:
raise RbacError(msg='OU delete error=' + str(e),
id=global_ids.CNTR_DELETE_FAILED)
def delete(entity):
try:
conn = ldaphelper.open()
conn.delete_s(__get_dn(entity))
except ldap.NO_SUCH_OBJECT:
raise RbacError(msg='User delete not found:' + entity.uid,
id=global_ids.USER_NOT_FOUND)
except ldap.LDAPError as e:
raise RbacError(msg='User delete failed result=' + str(e),
id=global_ids.USER_DELETE_FAILED)
except Exception as e:
raise RbacError(msg='User delete error=' + str(e),
id=global_ids.USER_DELETE_FAILED)
return entity
def delete_suffix():
try:
conn = ldaphelper.open()
conn.delete_s(__SUFX_DN)
except ldap.NO_SUCH_OBJECT:
raise NotFound(msg='Suffix delete not found dn=' + __SUFX_DN,
id=global_ids.SUFX_NOT_EXIST)
except ldap.LDAPError as e:
raise RbacError(msg='Suffix delete failed, dn=' + __SUFX_DN +
', result=' + str(e),
id=global_ids.SUFX_DELETE_FAILED)
except Exception as e:
raise RbacError(msg='Suffix delete failed, dn=' + __SUFX_DN +
', error=' + str(e),
id=global_ids.SUFX_DELETE_FAILED)
def search(entity):
conn = None
permList = []
search_filter = '(&(objectClass=' + PERM_OC_NAME + ')'
if entity.obj_name:
search_filter += '(' + OBJ_NM + '=' + entity.obj_name + ')'
if entity.op_name:
search_filter += '(' + OP_NM + '=' + entity.op_name + ')'
if entity.obj_id:
search_filter += '(' + OBJ_ID + '=' + entity.obj_id + ')'
search_filter += ')'
try:
conn = ldaphelper.open()
entries = conn.search_s(__CONTAINER_DN,
scope=ldap.SCOPE_SUBTREE,
filterstr=search_filter,
attrlist=SEARCH_ATTRS)
for dn, attrs in entries:
permList.append(__unload(dn, attrs))
except Exception as e:
raise RbacError(msg='Perm search error=' + str(e),
id=global_ids.PERM_SEARCH_FAILED)
finally:
if conn:
ldaphelper.close(conn)
return permList
def get_members_constraint(entity):
conn = None
mList = []
search_filter = '(&(objectClass=' + ROLE_OC_NAME + ')'
search_filter += '(' + ROLE_NAME + '=' + entity.name + '))'
try:
conn = ldaphelper.open()
# TODO: use sizelimit=1
entries = conn.search_s(__CONTAINER_DN,
scope=ldap.SCOPE_SUBTREE,
filterstr=search_filter,
attrlist=[MEMBER, global_ids.CONSTRAINT])
if not entries:
raise NotFound(msg="Role not found, name=" + entity.name,
id=global_ids.ROLE_NOT_FOUND)
elif len(entries) > 1:
raise NotUnique(msg="Role not unique, name=" + entity.name,
id=global_ids.ROLE_SEARCH_FAILED)
dn, attrs = entries[0]
member_dns = ldaphelper.get_list(attrs.get(MEMBER, []))
constraint = Constraint(
ldaphelper.get_attr_val(attrs.get(global_ids.CONSTRAINT, [])))
mList = __convert_list(member_dns)
except Exception as e: # FIXME: change to LDAPError
raise RbacError(msg='Get members search error=' + str(e),
id=global_ids.ROLE_OCCUPANT_SEARCH_FAILED)
finally:
if conn:
ldaphelper.close(conn)
return [mList, constraint]
def delete_user(user):
"""
This command deletes an existing user from the RBAC database. The command is valid if and only if the user to be deleted is a member of the USERS data set.
The USERS and UA data sets and the assigned_users function are updated. This method performs a "hard" delete.
It completely removes all data associated with this user from the directory.
User entity must exist in directory prior to making this call else exception will be thrown.
required parameters:
user.uid - maps to INetOrgPerson uid
"""
utils.validate_user(user)
# get the user's role assignments from its entry.
out_user = userdao.read(user)
# it's needed to remove the user membership from associated role entries.
for role_nm in out_user.roles:
try:
roledao.remove_member(Role(name=role_nm), user.uid)
logger.info('admin.delete_user:'******', removed as member of role:' + role_nm)
except RbacError as e:
if e.id != global_ids.URLE_ASSIGN_NOT_EXIST:
raise RbacError(msg=e.msg, id=e.id)
else:
logger.warn('admin.delete_user:'******', is not occupant of role:' + role_nm)
# now remove the user entry:
return userdao.delete(user)
def delete_role(role):
"""
This command deletes an existing role from the RBAC database. The command is valid if and only if the role to be deleted is a member of the ROLES data set.
This command will also deassign role from all users.
required parameters:
role.name - maps to INetOrgPerson uid
"""
utils.validate_role(role)
# if role has members, deassign all.
members, constraint = roledao.get_members_constraint (role)
for member in members:
try:
userdao.deassign(User(uid=member), constraint)
logger.info('admin.delete_role:' + role.name + ', remove assign for user:'******'admin.delete_role:' + role.name + ', assign not exist for user:'******'admin.delete_role:' + role.name + ', remove grant for perm obj_name:' + perm.obj_name + ', op_name:' + perm.op_name)
# now remove the role entry.
return roledao.delete(role)
def search_on_roles(roles):
conn = None
userList = []
search_filter = '(&(objectClass=' + USER_OC_NAME + ')'
if len(roles) > 1:
search_filter += '(|'
end_filter = '))'
else:
end_filter = ')'
for role in roles:
search_filter += '(' + ROLES + '=' + role + ')'
search_filter += end_filter
try:
conn = ldaphelper.open()
entries = conn.search_s(CONTAINER_DN,
scope=ldap.SCOPE_SUBTREE,
filterstr=search_filter,
attrlist=SEARCH_ATTRS)
for dn, attrs in entries:
userList.append(__unload(dn, attrs))
except Exception as e:
raise RbacError(msg='User Search Roles error=' + str(e),
id=global_ids.URLE_SEARCH_FAILED)
finally:
if conn:
ldaphelper.close(conn)
return userList
def delete_object(perm_obj):
"""
This method will remove permission object to perms container in directory. This method will also remove in associated permissions that are attached to this object.
required parameters:
perm.obj_name - maps to existing perm object.
"""
utils.validate_perm_obj(perm_obj)
try:
permdao.delete_obj(perm_obj)
except RbacError as e:
# if entry has children.
if e.id == global_ids.PERM_OBJECT_DELETE_FAILED_NONLEAF:
logger.warn('admin.delete_object non-leaf, obj_name:' + perm_obj.obj_name)
# remove all of them.
pList = permdao.search(Perm(obj_name=perm_obj.obj_name, op_name='*'))
for perm in pList:
permdao.delete(perm)
logger.warn('admin.delete_object child obj_name:' + perm.obj_name + ', op_name:' + perm.op_name)
# now try to remove this node once again
permdao.delete_obj(perm_obj)
logger.warn('admin.delete_object success after retry, obj_name:' + perm.obj_name)
else:
# can't handle this error so rethrow.
raise RbacError(msg=e.msg, id=e.id)
return
def create_suffix(name):
dn = DC_NAME + '=' + name + ',' + DC_NAME + '=com'
try:
attrs = {}
attrs.update({'objectClass': SUFX_OCS})
attrs.update({DC_NAME: name})
attrs.update({O: name})
conn = ldaphelper.open()
conn.add_s(dn, add_to_modlist(attrs))
except Exception as e:
raise NotUnique(msg='Suffix create failed, already exists:' + dn,
id=global_ids.SUFX_ALREADY_EXISTS)
except ldap.ALREADY_EXISTS:
raise RbacError(msg='Suffix create failed, dn=' + dn + ', result=' +
str(e),
id=global_ids.SUFX_CREATE_FAILED)
except Exception as e:
raise RbacError(msg='Suffix create dn=' + dn + ', error=' + str(e),
id=global_ids.SUFX_CREATE_FAILED)
def add_member(entity, uid):
try:
attrs = {}
if uid:
user_dn = __get_user_dn(uid)
attrs.update({MEMBER: [(MOD_ADD, user_dn)]})
conn = ldaphelper.open()
conn.modify_s(__get_dn(entity), mods_to_modlist(attrs))
except ldap.NO_SUCH_OBJECT:
raise NotFound(msg='Add member failed, not found, role=' +
entity.name + ', member dn=' + user_dn,
id=global_ids.ROLE_NOT_FOUND)
except ldap.LDAPError as e:
raise RbacError(msg='Add member failed result=' + str(e),
id=global_ids.ROLE_USER_ASSIGN_FAILED)
except Exception as e:
raise RbacError(msg='Add member error=' + str(e),
id=global_ids.ROLE_USER_ASSIGN_FAILED)
return entity
def remove_member(entity, uid):
try:
attrs = {}
if uid:
user_dn = __get_user_dn(uid)
attrs.update({MEMBER: [(MOD_DELETE, user_dn)]})
conn = ldaphelper.open()
conn.modify_s(__get_dn(entity), mods_to_modlist(attrs))
except ldap.NO_SUCH_ATTRIBUTE:
raise RbacError(msg='Remove member failed, not assigned, role=' +
entity.name + ', member dn=' + user_dn,
id=global_ids.URLE_ASSIGN_NOT_EXIST)
except ldap.LDAPError as e:
raise RbacError(msg='Remove member failed result=' + str(e),
id=global_ids.ROLE_REMOVE_OCCUPANT_FAILED)
except Exception as e:
raise RbacError(msg='Remove member error=' + str(e),
id=global_ids.ROLE_REMOVE_OCCUPANT_FAILED)
return entity
def assign(entity, constraint):
try:
attrs = {}
if constraint is not None:
attrs.update({ROLE_CONSTRAINTS: [(MOD_ADD, constraint.get_raw())]})
attrs.update({ROLES: [(MOD_ADD, constraint.name)]})
if len(attrs) > 0:
conn = ldaphelper.open()
conn.modify_s(__get_dn(entity), mods_to_modlist(attrs))
except ldap.NO_SUCH_OBJECT:
raise RbacError(msg='User assign failed, not found:' + entity.uid,
id=global_ids.USER_NOT_FOUND)
except ldap.LDAPError as e:
raise RbacError(msg='User assign failed result=' + str(e),
id=global_ids.URLE_ASSIGN_FAILED)
except Exception as e:
raise RbacError(msg='User assign error=' + str(e),
id=global_ids.URLE_ASSIGN_FAILED)
return entity
def grant(entity, role):
try:
attrs = {}
# constraint type:
if role is not None:
attrs.update({ROLES: [(MOD_ADD, role.name)]})
conn = ldaphelper.open()
conn.modify_s(__get_dn(entity), attrs_to_modlist(attrs))
except ldap.NO_SUCH_OBJECT:
raise NotFound(msg='Perm grant failed, not found, obj name=' +
entity.obj_name + ', op_name=' + entity.op_name +
', op id=' + entity.obj_id + ', role=' + role.name,
id=global_ids.PERM_OP_NOT_FOUND)
except ldap.LDAPError as e:
raise RbacError(msg='Perm grant failed result=' + str(e),
id=global_ids.PERM_GRANT_FAILED)
except Exception as e:
raise RbacError(msg='Perm grant error=' + str(e),
id=global_ids.PERM_GRANT_FAILED)
return entity
def create_ou(name, desc=None):
__validate(name)
try:
attrs = {}
attrs.update({'objectClass': OU_OCS})
attrs.update({OU_NAME: name})
if not desc:
desc = 'py-fortress Container ' + name
attrs.update({global_ids.DESC: desc})
conn = ldaphelper.open()
conn.add_s(ldaphelper.get_container_dn(name), add_to_modlist(attrs))
except Exception as e:
raise RbacError(msg='OU create error=' + str(e),
id=global_ids.CNTR_CREATE_FAILED)
except ldap.ALREADY_EXISTS:
raise NotUnique(msg='OU create failed, already exists:' + name,
id=global_ids.CNTR_ALREADY_EXISTS)
except ldap.LDAPError as e:
raise RbacError(msg='OU create failed result=' + str(e),
id=global_ids.CNTR_CREATE_FAILED)
def create(entity):
try:
attrs = {}
attrs.update({'objectClass': PERM_OCS})
attrs.update({OBJ_NM: entity.obj_name})
attrs.update({OP_NM: entity.op_name})
entity.abstract_name = entity.obj_name + '.' + entity.op_name
attrs.update({global_ids.CN: entity.abstract_name})
# generate random id:
entity.internal_id = str(uuid.uuid4())
attrs.update({global_ids.INTERNAL_ID: entity.internal_id})
if entity.obj_id:
attrs.update({OBJ_ID: entity.obj_id})
if entity.description:
attrs.update({global_ids.DESC: entity.description})
if entity.abstract_name:
attrs.update({PERM_NAME: entity.abstract_name})
if entity.type:
attrs.update({TYPE: entity.type})
# list of strings:
if entity.props is not None and len(entity.props) > 0:
attrs.update({global_ids.PROPS: entity.props})
if entity.users is not None and len(entity.users) > 0:
attrs.update({USERS: entity.users})
if entity.roles is not None and len(entity.roles) > 0:
attrs.update({ROLES: entity.roles})
conn = ldaphelper.open()
conn.add_s(__get_dn(entity), add_to_modlist(attrs))
except ldap.ALREADY_EXISTS:
raise NotUnique(msg='Perm create failed, already exists:' +
entity.obj_name,
id=global_ids.PERM_ADD_FAILED)
except ldap.LDAPError as e:
raise RbacError(msg='Perm create failed result=' + str(e),
id=global_ids.PERM_ADD_FAILED)
except Exception as e:
raise RbacError(msg='Perm create error=' + str(e),
id=global_ids.PERM_ADD_FAILED)
return entity
def authenticate(entity):
conn = None
result = False
try:
conn = ldaphelper.open_user(__get_dn(entity), entity.password)
# result = conn.bind() # TODO: WTH?
except Exception as e:
raise RbacError(msg='User Authenticate error for uid=' + entity.uid +
', LDAP error=' + str(e),
id=global_ids.USER_PW_CHK_FAILED)
finally:
if conn:
ldaphelper.close_user(conn)
return True
def __validate_user_constraint(session, op):
result = SUCCESS
if __is_constraint(session.user.constraint):
for validator in validators:
result = validator.validate(session.user.constraint,
CurrentDateTime(), session)
if result is not SUCCESS:
logger.debug(validator.__class__.__name__ +
' validation failed:' +
session.user.constraint.name + ', result=' +
str(result))
raise RbacError(msg=op + ' constraint validation failed uid:' +
session.user.uid,
id=result)
return result
def search(entity):
conn = None
roleList = []
search_filter = '(&(objectClass=' + ROLE_OC_NAME + ')'
search_filter += '(' + ROLE_NAME + '=' + entity.name + '))'
try:
conn = ldaphelper.open()
entries = conn.search_s(__CONTAINER_DN,
scope=ldap.SCOPE_SUBTREE,
filterstr=search_filter,
attrlist=SEARCH_ATTRS)
for dn, attrs in entries:
roleList.append(__unload(dn, attrs))
except Exception as e:
raise RbacError(msg='Role search error=' + str(e),
id=global_ids.ROLE_SEARCH_FAILED)
finally:
if conn:
ldaphelper.close(conn)
return roleList
def search(entity):
conn = None
userList = []
search_filter = '(&(objectClass=' + USER_OC_NAME + ')'
if entity.uid:
search_filter += '(' + global_ids.UID + '=' + entity.uid + ')'
if entity.ou:
search_filter += '(' + global_ids.OU + '=' + entity.ou + ')'
search_filter += ')'
try:
conn = ldaphelper.open()
entries = conn.search_s(CONTAINER_DN,
scope=ldap.SCOPE_SUBTREE,
filterstr=search_filter,
attrlist=SEARCH_ATTRS)
for dn, attrs in entries:
userList.append(__unload(dn, attrs))
except Exception as e:
raise RbacError(msg='User Search error=' + str(e))
finally:
if conn:
ldaphelper.close(conn)
return userList
def drop_active_role(session, role):
"""
This function deletes a role from the active role set of a session owned by a given user.
The function is valid if and only if the user is a member of the USERS data set, the session object contains a valid Fortress session,
the session is owned by the user, and the role is an active role of that session.
required parameters:
session - as returned from create_session api
role.name - maps to existing role
return:
None
"""
__validate(session)
__validate_user_constraint(session, 'drop_active_role')
constraint = __find_role_constraint(role, session.user.role_constraints)
if constraint is not None:
__deactivate_role(session.user, constraint)
else:
raise RbacError(msg='drop_active_role uid=' + session.user.uid +
', has not activated role=' + role,
id=global_ids.URLE_NOT_ACTIVE)
__validate_role_constraints(session)
__refresh(session)
def update(entity):
try:
attrs = {}
# strings:
if entity.cn:
attrs.update({global_ids.CN: [(MOD_REPLACE, [entity.cn])]})
if entity.sn:
attrs.update({global_ids.SN: [(MOD_REPLACE, [entity.sn])]})
if entity.password:
attrs.update({PW: [(MOD_REPLACE, [entity.password])]})
if entity.description:
attrs.update(
{global_ids.DESC: [(MOD_REPLACE, [entity.description])]})
if entity.ou:
attrs.update({global_ids.OU: [(MOD_REPLACE, [entity.ou])]})
if entity.display_name:
attrs.update(
{DISPLAY_NAME: [(MOD_REPLACE, [entity.display_name])]})
if entity.employee_type:
attrs.update(
{EMPLOYEE_TYPE: [(MOD_REPLACE, entity.employee_type)]})
if entity.title:
attrs.update({TITLE: [(MOD_REPLACE, [entity.title])]})
if entity.department_number:
attrs.update({DEPT_NUM: [(MOD_REPLACE, entity.department_number)]})
if entity.l:
attrs.update({LOCATION: [(MOD_REPLACE, entity.l)]})
if entity.physical_delivery_office_name:
attrs.update({
PHYSICAL_OFFICE_NM:
[(MOD_REPLACE, entity.physical_delivery_office_name)]
})
if entity.postal_code:
attrs.update({POSTAL_CODE: [(MOD_REPLACE, entity.postal_code)]})
if entity.room_number:
attrs.update({RM_NUM: [(MOD_REPLACE, entity.room_number)]})
if entity.pw_policy:
attrs.update({PW_POLICY: [(MOD_REPLACE, entity.pw_policy)]})
# list of strings:
if entity.phones is not None and len(entity.phones) > 0:
attrs.update({TELEPHONE_NUMBER: [(MOD_REPLACE, entity.phones)]})
if entity.mobiles is not None and len(entity.mobiles) > 0:
attrs.update({MOBILE: [(MOD_REPLACE, entity.mobiles)]})
if entity.emails is not None and len(entity.emails) > 0:
attrs.update({MAIL: [(MOD_REPLACE, entity.emails)]})
if entity.system is not None:
attrs.update({
IS_SYSTEM:
[(MOD_REPLACE, 'TRUE' if entity.system else 'FALSE')]
})
# list of delimited strings::
if entity.constraint is not None:
attrs.update({
global_ids.CONSTRAINT:
[(MOD_REPLACE, entity.constraint.get_raw())]
})
# boolean:
if entity.props is not None and len(entity.props) > 0:
attrs.update({global_ids.PROPS: [(MOD_REPLACE, entity.props)]})
if len(attrs) > 0:
conn = ldaphelper.open()
conn.modify_s(__get_dn(entity), mods_to_modlist(attrs))
except ldap.NO_SUCH_OBJECT:
raise NotFound(msg='User update failed, not found:' + entity.name,
id=global_ids.USER_UPDATE_FAILED)
except ldap.LDAPError as e:
raise RbacError(msg='User update failed result=' + str(e),
id=global_ids.USER_UPDATE_FAILED)
except Exception as e:
raise RbacError(msg='User update error=' + str(e),
id=global_ids.USER_UPDATE_FAILED)
return entity