On Tue, 17 Dec 2024, Lars Kagrath via FreeIPA-users wrote:
Hello,

I hope someone can help me with my plugin.

I have implemented a checkbox in the Web UI. When activated, the
attribute “nextsambaenabled” is set to True, when deactivated to
“False”. My Python plugin should now copy the value of
ipaNTSecurityIdentifier into the sambaSID attribute when the value is
set to “True”. But the attribute is not read and the default values
are always entered. I have already tried to change the permissions to
ipantsecurityidentifier, unfortunately without success. Maybe someone
has an idea and can help me:

At the time 'pre' callbacks are called, we have a Python object
representing the entry as if it was filled in with the arguments/options
of the modifying command. It is not the actual LDAP entry yet.

The purpose of 'pre' plugins is to apply some modifications or do checks
of these parameters.

Then we'd fetch the LDAP entry based on the entry_attrs (what you call
'entry' in your callback's arguments) attributes and apply updates to
them.

So if you want to fetch existing data and then apply changes based on
it, you'd have to do it either in a post callback, when you have access to
the whole entry content, or fetch the entry yourself (using
ldap.getentry) and process that content.

Now, regarding what you are attempting to do. Why are you trying to set
up attributes that aren't really used? If you want to deploy Samba on
an IPA client, we have a tool 'ipa-client-samba' that does configure Samba
to enable proper integration with FreeIPA. This approach will use SSSD
as a backend to Samba/Winbind and will work as it is without any
additional plugin.

from ipaserver.plugins import user
from ipalib.parameters import Str, Bool
from ipalib.text import _


def useradd_precallback(self, ldap, dn, entry, attrs_list, *keys, **options):
    if 'nextsambauser' not in entry['objectclass']:
        entry['objectclass'].append('nextsambauser')
    return dn


def usermod_precallback(self, ldap, dn, entry, attrs_list, *keys, **options):
    if 'objectclass' not in entry.keys():
        old_entry = ldap.get_entry(dn, ['objectclass'])
        entry['objectclass'] = old_entry['objectclass']
    if 'nextsambauser' not in entry['objectclass']:
        entry['objectclass'].append('nextsambauser')

    nextsambaenabled = entry.get('nextsambaenabled')
    if nextsambaenabled is None:
        nextsambaenabled = False  # Default value if not set

    if not nextsambaenabled:  # If nextsambaenabled == False
        entry['sambaSID'] = ['S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1000']
    else:  # If nextsambaenabled is set to True
        ipa_sid = entry.get('ipaNTSecurityIdentifier')
        if ipa_sid and isinstance(ipa_sid, list) and len(ipa_sid) > 0:
            entry['sambaSID'] = [ipa_sid[0]]  # Set the first value of ipa_sid
        else:
            entry['sambaSID'] = ['S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1001']  # Default value

    # Do not use ldap.modify_entry directly any more!
    # Changes are now passed on through the normal `user_mod` procedure.
    return dn


user.user.takes_params = user.user.takes_params + (
    Bool('nextsambaenabled?',
         cli_name='nextsambaenabled',
         label=_('Nextsamba enabled?'),
         doc=_('Whether or not a nextsamba is enabled for this user (default is false).'),
         default=False,
         autofill=True,
         ),
)

user.user.default_attributes = user.user.default_attributes + ['nextsambaenabled']

user.user_add.register_pre_callback(useradd_precallback)
user.user_mod.register_pre_callback(usermod_precallback)
--
best regards
Lars Kagrath
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
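
The reply above says a 'pre' callback only sees the options of the modifying command, so stored attributes have to be fetched explicitly. The following is an added example of that fetch-then-modify pattern, not code from either poster or from FreeIPA. FakeLDAP, the sample DN and the sample SID are constructed so it runs offline; it assumes the flag may arrive as a bare bool or a one-element list, and it raises instead of writing a fallback SID.

```python
# Added example. FakeLDAP and the sample entry are constructed for illustration.
DISABLED_SID = 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1000'  # placeholder from the thread


def usermod_precallback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
    """Pre-callback for user_mod: entry_attrs holds only what this call changes."""
    enabled = entry_attrs.get('nextsambaenabled')
    if isinstance(enabled, (list, tuple)):  # assumption: value may be list-wrapped
        enabled = enabled[0] if enabled else None
    if enabled is None:
        return dn  # flag not touched by this modification; leave sambaSID alone

    # The stored entry is not in entry_attrs, so read it explicitly.
    stored = ldap.get_entry(dn, ['objectclass', 'ipantsecurityidentifier'])

    objectclasses = list(entry_attrs.get('objectclass') or stored.get('objectclass') or [])
    if 'nextsambauser' not in (oc.lower() for oc in objectclasses):
        objectclasses.append('nextsambauser')
    entry_attrs['objectclass'] = objectclasses

    if not enabled:
        entry_attrs['sambasid'] = [DISABLED_SID]
        return dn

    sids = stored.get('ipantsecurityidentifier') or []
    if not sids:
        # Refuse instead of writing a fallback SID that other accounts would share.
        # A real plugin would raise ipalib.errors.ValidationError here.
        raise ValueError('user has no ipaNTSecurityIdentifier to copy')
    entry_attrs['sambasid'] = [sids[0]]
    return dn


class FakeLDAP:
    """Constructed stand-in for the server's LDAP backend so the code runs offline."""
    def __init__(self, entries):
        self.entries = entries

    def get_entry(self, dn, attrs_list=None):
        return {k: v for k, v in self.entries[dn].items()
                if attrs_list is None or k in attrs_list}


SAMPLE_DN = 'uid=alice,cn=users,cn=accounts,dc=example,dc=test'  # constructed
SAMPLE_SID = 'S-1-5-21-1111111111-2222222222-3333333333-1005'    # constructed
SAMPLE_LDAP = FakeLDAP({SAMPLE_DN: {
    'objectclass': ['inetorgperson', 'ipantuserattrs'],
    'ipantsecurityidentifier': [SAMPLE_SID],
}})
# On an IPA server: user.user_mod.register_pre_callback(usermod_precallback)
```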