commit 215e7fb68ed2c3500d97a7b38332f480bcd42bfb Author: Florian Best Date: Thu Oct 29 00:03:26 2020 +0100 Only search for umcPolicy
diff --git base/univention-python/modules/uldap.py base/univention-python/modules/uldap.py
index 410129ec2a..ec4aeb7530 100644
--- base/univention-python/modules/uldap.py
+++ base/univention-python/modules/uldap.py
@@ -420,7 +420,7 @@ class access(object):
 return self.__recode_attribute(attr, val)
 @_fix_reconnect_handling
- def get(self, dn, attr=[], required=False):
+ def get(self, dn, attr=[], required=False, ldap_filter=None):
 # type: (str, List[str], bool) -> Dict[str, List[str]]
 """
 Return multiple attributes of a single LDAP object.
@@ -435,7 +435,7 @@ class access(object):
 """
 if dn:
 try:
- result = self.lo.search_s(dn, ldap.SCOPE_BASE, '(objectClass=*)', attr)
+ result = self.lo.search_s(dn, ldap.SCOPE_BASE, ldap_filter or '(objectClass=*)', attr)
 except ldap.NO_SUCH_OBJECT:
 result = []
 if result:
@@ -544,13 +544,13 @@ class access(object):
 return [x[0] for x in self.search(filter, base, scope, ['dn'], unique, required, timeout, sizelimit, serverctrls, response)]
 @_fix_reconnect_handling
- def getPolicies(self, dn, policies=None, attrs=None, result=None, fixedattrs=None):
+ def getPolicies(self, dn, policies=None, attrs=None, result=None, fixedattrs=None, ldap_filter=None):
 # type: (str, List[str], Dict[str, List[Any]], Any, Any) -> Dict[str, Dict[str, Any]]
 """
 Return |UCS| policies for |LDAP| entry.
 :param str dn: The distinguished name of the |LDAP| entry.
- :param list policies: List of policy object classes...
+ :param list policies: List of policy DNs...
 :param dict attrs: |LDAP| attributes. If not given, the data is fetched from LDAP.
 :param result: UNUSED!
 :param fixedattrs: UNUSED!
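Review bot: The type comment under the new `get` signature, `# type: (str, List[str], bool) -> Dict[str, List[str]]`, still declares three parameters, so `ldap_filter` is left untyped and the comment no longer matches the def; change it to `# type: (str, List[str], bool, Optional[str]) -> Dict[str, List[str]]` (importing `Optional` from `typing` if this module does not already have it). The same stale type comment is left on `getPolicies` in the hunk at -544, on `_merge_policy` in the hunk at -597, and on the wrapper `getPolicies` in admin/uldap.py at -810, whose comment already uses `Optional`. Each of those docstrings should also gain a `:param str ldap_filter:` entry, since the new parameter is otherwise undocumented everywhere it was added. The body of `get` continues outside this hunk.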
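Review bot: `ldap_filter or '(objectClass=*)'` hands the caller's string to `search_s` verbatim, so `get`, which until now could not be influenced by filter syntax at all, now depends on every caller escaping anything in that string that is not a literal; the only caller in this commit (acl.py) passes a fixed literal, which is fine, but the contract should be stated where the parameter is defined. Add to the docstring: `:param str ldap_filter: Optional search filter the entry must match, passed to the server unchanged; build it with ldap.filter.filter_format when it contains non-literal values.` Note also that an entry which exists but does not match the filter produces an empty `result`, which the code after `if result:` presumably treats exactly like a non-existent entry, so callers cannot tell the two cases apart; the rest of `get` lies outside the hunk.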
@@ -582,12 +582,12 @@ class access(object):
 obj_dn = dn
 while True:
 for policy_dn in policies:
- self._merge_policy(policy_dn, obj_dn, object_classes, result)
+ self._merge_policy(policy_dn, obj_dn, object_classes, result, ldap_filter)
 dn = self.parentDn(dn)
 if not dn:
 break
 try:
- parent = self.get(dn, attr=['univentionPolicyReference'], required=True)
+ parent = self.get(dn, attr=['univentionPolicyReference'], required=True, ldap_filter=ldap_filter)
 except ldap.NO_SUCH_OBJECT:
 break
 policies = parent.get('univentionPolicyReference', [])
@@ -597,7 +597,7 @@ class access(object):
 "getPolicies: result: %s" % result)
 return result
- def _merge_policy(self, policy_dn, obj_dn, object_classes, result):
+ def _merge_policy(self, policy_dn, obj_dn, object_classes, result, ldap_filter):
 # type: (str, str, Set[str], Dict[str, Dict[str, Any]]) -> None
 """
 Merge policies into result.
@@ -607,7 +607,7 @@ class access(object):
 :param object_classes set: the set of object classes of the LDAP object.
 :param result list: A mapping, into which the policy is merged.
 """
- pattrs = self.get(policy_dn)
+ pattrs = self.get(policy_dn, ldap_filter=ldap_filter)
 if not pattrs:
 return
diff --git management/univention-directory-manager-modules/modules/univention/admin/uldap.py management/univention-directory-manager-modules/modules/univention/admin/uldap.py
index 453752eb44..18d3ac0cad 100644
--- management/univention-directory-manager-modules/modules/univention/admin/uldap.py
+++ management/univention-directory-manager-modules/modules/univention/admin/uldap.py
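Review bot: Passing `ldap_filter` into the parent lookup, `parent = self.get(dn, attr=['univentionPolicyReference'], required=True, ldap_filter=ldap_filter)`, applies a filter meant for policy objects to the containers above the entry: with the filter acl.py supplies, `(&(objectClass=umcPolicy)(umcPolicyGrantedOperationSet=*))`, an ordinary container will not match, `get` reports it as absent, and the walk either breaks on `NO_SUCH_OBJECT` or reads no `univentionPolicyReference` from it, so policies referenced on parent containers are never merged. For the ACL caller that means inherited UMC grants silently disappear, a behaviour change the commit message does not mention. Keep the parent lookup unfiltered, `parent = self.get(dn, attr=['univentionPolicyReference'], required=True)`, and let the filter act only where policy objects themselves are fetched, i.e. `pattrs = self.get(policy_dn, ldap_filter=ldap_filter)` in the hunk at -607, where a non-matching policy is correctly dropped by `if not pattrs: return`. The enclosing `getPolicies` loop starts above this hunk.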
@@ -810,7 +810,7 @@ class access:
 except ldap.LDAPError as msg:
 raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
- def getPolicies(self, dn, policies=None, attrs=None, result=None, fixedattrs=None):
+ def getPolicies(self, dn, policies=None, attrs=None, result=None, fixedattrs=None, ldap_filter=None):
 # type: (str, Optional[List[str]], Optional[Dict[str, List[Any]]], Any, Any) -> Dict[str, Dict[str, Any]]
 """
 Return |UCS| policies for |LDAP| entry.
@@ -823,7 +823,7 @@ class access:
 :returns: A mapping of policy names to
 """
 ud.debug(ud.ADMIN, ud.INFO, 'getPolicies modules dn %s result' % dn)
- return self.lo.getPolicies(dn, policies, attrs, result, fixedattrs)
+ return self.lo.getPolicies(dn, policies, attrs, result, fixedattrs, ldap_filter)
 def add(self, dn, al, exceptions=False, serverctrls=None, response=None):
 # type: (str, List[Tuple], bool, Optional[List[ldap.controls.LDAPControl]], Optional[Dict]) -> None
diff --git management/univention-management-console/src/univention/management/console/acl.py management/univention-management-console/src/univention/management/console/acl.py
index 0fe9efc0c7..3073c29c94 100644
--- management/univention-management-console/src/univention/management/console/acl.py
+++ management/univention-management-console/src/univention/management/console/acl.py
@@ -373,7 +373,7 @@ class LDAP_ACLs(ACLs):
 self._dump()
 def _get_policy_for_dn(self, dn):
- policy = self.lo.getPolicies(dn, policies=[], attrs={}, result={}, fixedattrs={})
+ policy = self.lo.getPolicies(dn, policies=[], attrs={}, result={}, fixedattrs={}, ldap_filter='(&(objectClass=umcPolicy)(umcPolicyGrantedOperationSet=*))')
 return policy.get('umcPolicy', None)
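Review bot: `return self.lo.getPolicies(dn, policies, attrs, result, fixedattrs, ldap_filter)` forwards the new argument positionally, which ties this wrapper to the exact parameter order of the underlying `access.getPolicies` in univention.uldap; two of the values forwarded before it are documented there as unused, so that order is a likely candidate for cleanup. Pass it by name, `return self.lo.getPolicies(dn, policies, attrs, result, fixedattrs, ldap_filter=ldap_filter)`, and add `:param str ldap_filter:` to the docstring above, whose parameter list still ends at `:returns:` without mentioning it.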
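Review bot: The inline filter in `_get_policy_for_dn` is a fixed literal with no request-derived parts, which is the safe way to use the new `ldap_filter` parameter, but nothing records that this is deliberate or why `umcPolicyGrantedOperationSet=*` is part of it. Lift it to a class attribute, e.g. `UMC_POLICY_FILTER = '(&(objectClass=umcPolicy)(umcPolicyGrantedOperationSet=*))'` (name is a suggestion), with a comment saying that only umcPolicy objects granting at least one operation set can contribute ACLs and that any variable part added later must be escaped with `filter_format`, as the group lookup further down in this file already does. A one-line docstring on the method, stating that it returns the `umcPolicy` mapping for *dn* or `None`, would also help, since the method currently has none.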
@@ -390,7 +390,7 @@ class LDAP_ACLs(ACLs):
 if policy and 'umcPolicyGrantedOperationSet' in policy:
 for value in policy['umcPolicyGrantedOperationSet']['value']:
- self._append(LDAP_ACLs.FROM_USER, self.lo.get(value))
+ self._append(LDAP_ACLs.FROM_USER, self.lo.get(value, ['umcOperationSetHost', 'umcOperationSetFlavor', 'umcOperationSetCommand']))
 # TODO: check for nested groups
 groupDNs = self.lo.searchDn(filter=filter_format('uniqueMember=%s', [userdn]))
@@ -401,7 +401,7 @@ class LDAP_ACLs(ACLs):
 continue
 if 'umcPolicyGrantedOperationSet' in policy:
 for value in policy['umcPolicyGrantedOperationSet']['value']:
- self._append(LDAP_ACLs.FROM_GROUP, self.lo.get(value))
+ self._append(LDAP_ACLs.FROM_GROUP, self.lo.get(value, ['umcOperationSetHost', 'umcOperationSetFlavor', 'umcOperationSetCommand']))
 # make the ACLs unique
 getvals = operator.itemgetter('fromUser', 'host', 'command', 'options', 'flavor')
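Review bot: The attribute list `['umcOperationSetHost', 'umcOperationSetFlavor', 'umcOperationSetCommand']` is spelled out twice, here and in the hunk at -401, and restricting `get` to it is only correct if `_append`, which lies outside both hunks, reads no other attribute of the operation-set entry — please verify that, because any further attribute it looks up would now silently come back absent instead of raising. Define the list once at class level, e.g. `OPERATION_SET_ATTRS = ['umcOperationSetHost', 'umcOperationSetFlavor', 'umcOperationSetCommand']`, with a comment that it must cover everything `_append` consumes, and use it at both call sites. `value` is a DN taken from the policy entry; as before the change, a dangling reference presumably makes `get` return an empty mapping rather than raise, so `_append` has to keep tolerating an empty entry. Both enclosing loops start above their hunks.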