[Freeipa-devel] [PATCH 0016] Add RADIUS proxy support to ipalib CLI
Jan Cholasta
jcholast at redhat.com
Sat Sep 14 06:22:34 UTC 2013
On 13.9.2013 09:21, Jan Cholasta wrote:
> Hi,
>
> On 12.9.2013 22:48, Nathaniel McCallum wrote:
>> On Thu, 2013-09-05 at 00:06 -0400, Nathaniel McCallum wrote:
>>> patch attached
>>
>> Update for ./makeapi attached.
>>
>
> + if 'ipatokenradiusconfiglink' in entry_attrs:
> + cl = entry_attrs['ipatokenradiusconfiglink']
> + if not cl:
> + entry_attrs['ipatokenradiususername'] = None
> + if 'ipatokenradiusproxyuser' in
> entry_attrs['objectclass']:
> + entry_attrs['objectclass'].remove('ipatokenradiusproxyuser')
>
> Is there are particular reason to remove the object class? I think you
> can just leave it there, that is what we do in other plugins.
>
> + else:
> + if 'ipatokenradiusproxyuser' not in
> entry_attrs['objectclass']:
> + entry_attrs['objectclass'].append('ipatokenradiusproxyuser')
> +
> + answer = self.api.Command.radius_show(cl)
> + entry_attrs['ipatokenradiusconfiglink'] =
> answer['result']['dn']
>
> Please use self.api.Object.radius.get_dn_if_exists(cl) to get the DN
> instead of radius_show.
>
> The whole code block should be added to user_add as well.
>
>
> + radius = options.get('ipatokenradiusconfiglink', None)
> + if radius is not None:
> + answer = self.api.Command.radius_show(radius)
> + filter = filter.replace('(ipatokenradiusconfiglink=%s)' %
> radius,
> + '(ipatokenradiusconfiglink=%s)' %
> answer['result']['dn'])
>
> Again, use get_dn_if_exists instead of radius_show to get the DN.
>
> As for the filter processing, I think it would be safer to override
> args_options_2_entry in user_find and do it in there:
>
> def args_options_2_entry(self, *keys, **options):
> if 'ipatokenradiusconfiglink' in options:
> options['ipatokenradiusconfiglink'] =
> self.api.Object.radius.get_dn(options['ipatokenradiusconfiglink'])
> return super(user_find, self).args_options_2_entry(
... or you can do this in user_find.execute, as there already is
something similar done for the "manager" attribute.
>
>
> Honza
>
BTW, I think you should configure the referential integrity plugin so
that when a radius object is deleted, all ipatokenradiusconfiglink's to
it are deleted as well.
Honza
--
Jan Cholasta
More information about the Freeipa-devel
mailing list