diff --git a/ucs-4.0-2/base/univention-policy/lib/policy.c b/ucs-4.0-2/base/univention-policy/lib/policy.c
index c653f3d..10f1b07 100644
--- a/ucs-4.0-2/base/univention-policy/lib/policy.c
+++ b/ucs-4.0-2/base/univention-policy/lib/policy.c
@@ -204,7 +204,7 @@ static void univention_policy_cleanup(univention_policy_handle_t* handle)
 }
 /* Retrieve policy 'dn' */
-static void univention_policy_merge(LDAP *ld, const char *dn, univention_policy_handle_t *handle, char **object_classes)
+static void univention_policy_merge(LDAP *ld, const char *dn, univention_policy_handle_t *handle, char **object_classes, const char *objectdn)
 {
 int rc;
 LDAPMessage *res;
@@ -266,6 +266,25 @@ static void univention_policy_merge(LDAP *ld, const char *dn, univention_policy_
 }
 ldap_value_free_len(vals);
 }
+
+ if (apply && (vals = ldap_get_values_len(ld, entry, "ldapFilter")) != NULL) {
+ int ldap_filter_rc;
+ for (i = 0; (vals[i] != NULL && vals[i]->bv_val != NULL); i++) {
+ LDAPMessage *ldap_filter_res;
+ char *search_attrs[] = { LDAP_NO_ATTRS, NULL };
+ ldap_filter_rc = ldap_search_ext_s(ld, objectdn, LDAP_SCOPE_BASE, vals[i]->bv_val, search_attrs, 0, NULL, NULL, &timeout, 0, &ldap_filter_res);
+ if (ldap_filter_rc != LDAP_SUCCESS) {
+ univention_debug(UV_DEBUG_LDAP, UV_DEBUG_ERROR, "search filter '%s' caused error: %s: %s", vals[i]->bv_val, objectdn, ldap_err2string(ldap_filter_rc));
+ } else {
+ if (!ldap_count_entries(ld, ldap_filter_res))
+ apply = false;
+ }
+ ldap_msgfree(ldap_filter_res);
+ break; // single-value
+ }
+ ldap_value_free_len(vals);
+ }
+
+ if (fixed_attributes == NULL && (vals = ldap_get_values_len(ld, entry, "fixedAttributes")) != NULL) {
 i = ldap_count_values_len(vals);
 if ((fixed_attributes = calloc(i + 1, sizeof(char *))) == NULL)
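Review bot: A failing filter search in the second hunk leaves `apply` unchanged, so a policy whose `ldapFilter` value is malformed, or whose evaluation hits a transient LDAP error, is merged exactly as if the filter had matched; if that fail-open behaviour is intended it deserves a comment next to the `univention_debug` call, otherwise the error branch should also set `apply = false;`. `ldap_filter_res` is declared without an initializer yet is passed to `ldap_msgfree` on the error path too; unless the libldap in use is known to set `*res` on every failure of `ldap_search_ext_s`, declare it as `LDAPMessage *ldap_filter_res = NULL;`. The `break; // single-value` silently ignores any further values while the accompanying schema hunk does not declare the attribute SINGLE-VALUE, so extra values are neither rejected by the server nor evaluated here. The new `objectdn` parameter added in the first hunk is undocumented; the `/* Retrieve policy 'dn' */` comment could become `/* Retrieve policy 'dn' and merge it into 'handle'; 'objectdn' is the object the policy is evaluated for (its ldapFilter, if any, is checked against it) */`. The body of univention_policy_merge continues outside both hunks.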
@@ -327,6 +346,7 @@ static void univention_policy_merge(LDAP *ld, const char *dn, univention_policy_
 strcmp(attr, "emptyAttributes") &&
 strcmp(attr, "requiredObjectClasses") &&
 strcmp(attr, "prohibitedObjectClasses") &&
+ strcmp(attr, "ldapFilter") &&
 strcmp(attr, "univentionObjectType") &&
 (vals = ldap_get_values_len(ld, entry, attr)) != NULL) {
@@ -431,7 +451,7 @@ univention_policy_handle_t* univention_policy_open(LDAP* ld, const char *base, c
 univention_debug(UV_DEBUG_POLICY, UV_DEBUG_INFO, "found policies for %s", pdn);
 for (i = 0; (vals[i] != NULL && vals[i]->bv_val != NULL); i++) {
 univention_debug(UV_DEBUG_POLICY, UV_DEBUG_INFO, " policy: %s", vals[i]->bv_val);
- univention_policy_merge(ld, vals[i]->bv_val, handle, object_classes);
+ univention_policy_merge(ld, vals[i]->bv_val, handle, object_classes, dn);
 }
 ldap_value_free_len(vals);
 }
diff --git a/ucs-4.0-2/base/univention-policy/python-lib/policy_result.py b/ucs-4.0-2/base/univention-policy/python-lib/policy_result.py
index 2a7e24e..3b38305 100644
--- a/ucs-4.0-2/base/univention-policy/python-lib/policy_result.py
+++ b/ucs-4.0-2/base/univention-policy/python-lib/policy_result.py
@@ -38,7 +38,7 @@ def policy_result(dn, binddn="", bindpw=""):
 Return a tuple of hash-lists, mapping attributes to a list of values
 and mapping attributes to the matching Policy-DN.
- >>> (results, policies) = policy_result('dc=opendvdi,dc=local' [, binddn=BINDDN, bindpw=BINDPW])
+ >>> (results, policies) = policy_result('dc=opendvdi,dc=local', [binddn=BINDDN, bindpw=BINDPW])
 >>> policies['univentionDhcpDomainNameServers']
 'cn=default-settings,cn=dns,cn=dhcp,cn=policies,dc=opendvdi,dc=local'
 results['univentionDhcpDomainNameServers']
diff --git a/ucs-4.0-2/management/univention-ldap/schema/policy.schema b/ucs-4.0-2/management/univention-ldap/schema/policy.schema
index 1485b8e..2d4b14f 100644
--- a/ucs-4.0-2/management/univention-ldap/schema/policy.schema
+++ b/ucs-4.0-2/management/univention-ldap/schema/policy.schema
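Review bot: The corrected doctest line in the policy_result.py hunk is still not valid Python: `[binddn=BINDDN, bindpw=BINDPW]` places keyword arguments inside a list literal, so doctest would raise a SyntaxError if this docstring were ever collected. Either write it as a real call, `>>> (results, policies) = policy_result('dc=opendvdi,dc=local', binddn=BINDDN, bindpw=BINDPW)`, or move the optional-argument notation out of the `>>>` prompt into the surrounding prose. The docstring of policy_result continues outside the hunk.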
@@ -63,11 +63,16 @@ attributetype ( 1.3.6.1.4.1.10176.1000.2.1.4 NAME 'emptyAttributes'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+attributetype ( 1.3.6.1.4.1.10176.1000.2.1.5 NAME 'ldapFilter'
+ DESC 'ldap filter string'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
 objectclass ( 1.3.6.1.4.1.10176.1000.2.2.1 NAME 'univentionPolicy' SUP 'top' STRUCTURAL
 DESC 'policy object'
 MUST ( cn )
- MAY ( requiredObjectClasses $ prohibitedObjectClasses $ fixedAttributes $ emptyAttributes))
+ MAY ( requiredObjectClasses $ prohibitedObjectClasses $ fixedAttributes $ emptyAttributes $ ldapFilter))
 attributetype ( 1.3.6.1.4.1.10176.1000.2.1.10 NAME 'univentionRegistry'
 DESC 'registry entry'
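Review bot: The new `ldapFilter` attributetype is multi-valued as declared, but the consuming C code in policy.c evaluates only the first value (`break; // single-value`), so a second value stored on a policy object would be silently ignored rather than rejected by the directory. Adding `SINGLE-VALUE` to the definition, i.e. `SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )`, makes the server enforce the assumption the code makes. A more specific DESC such as `'LDAP filter the object must match for this policy to apply'` would also tell administrators what the value does.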