diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2011-08-22 16:24:07 -0400 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2011-08-24 14:12:10 +0200 |
| commit | be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c (patch) | |
| tree | 722fdd0af9246c027dedf0db3fa4caaa132688c7 | |
| parent | ae06f7b68e04000b748f702d553a5b691eb6cb3c (diff) | |
| download | freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.tar.gz freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.tar.xz freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.zip | |
Change the way has_keytab is determined, also check for password.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.
This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.
When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).
This adds has_keytab/has_password to the user, host and service plugins.
ticket https://fedorahosted.org/freeipa/ticket/1538
| -rw-r--r-- | install/share/default-aci.ldif | 8 | ||||
| -rw-r--r-- | install/updates/20-aci.update | 4 | ||||
| -rw-r--r-- | ipalib/plugins/baseldap.py | 26 | ||||
| -rw-r--r-- | ipalib/plugins/host.py | 33 | ||||
| -rw-r--r-- | ipalib/plugins/service.py | 27 | ||||
| -rw-r--r-- | ipalib/plugins/user.py | 6 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_attr.py | 16 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_group_plugin.py | 4 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_host_plugin.py | 22 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_hostgroup_plugin.py | 2 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_krbtpolicy.py | 2 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_nesting.py | 11 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_netgroup_plugin.py | 6 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_replace.py | 14 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_service_plugin.py | 8 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_user_plugin.py | 30 |
16 files changed, 185 insertions, 34 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 88269d282..586ec61fc 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -79,3 +79,11 @@ dn: cn=sudo,$SUFFIX changetype: modify add: aci aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) + +# This is used for the host/service one-time passwordn and keytab indirectors. +# We can do a query on a DN to see if an attribute exists. +dn: cn=accounts,$SUFFIX +changetype: modify +add: aci +aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) + diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 42f1e9fe6..41d35da35 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -2,3 +2,7 @@ dn: cn=ng,cn=alt,$SUFFIX add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)' +# This is used for the host/service one-time passwordn and keytab indirectors. +# We can do a query on a DN to see if an attribute exists. +dn: cn=accounts,$SUFFIX +add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 1ff7a2a6d..94f57388d 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -36,6 +36,12 @@ from ipalib.util import json_serialize from ipalib.dn import * global_output_params = ( + Flag('has_keytab', + label=_('Keytab'), + ), + Flag('has_password', + label=_('Password'), + ), Str('member', label=_('Failed members'), ), @@ -319,6 +325,7 @@ class LDAPObject(Object): uuid_attribute = '' attribute_members = {} rdnattr = None + password_attributes = [] # Can bind as this entry (has userPassword or krbPrincipalKey) bindable = False relationships = { @@ -407,6 +414,25 @@ class LDAPObject(Object): ) del entry_attrs[attr] + def get_password_attributes(self, ldap, dn, entry_attrs): + """ + Search on the entry to determine if it has a password or + keytab set. + + A tuple is used to determine which attribute is set + in entry_attrs. The value is set to True/False whether a + given password type is set. + """ + for (pwattr, attr) in self.password_attributes: + search_filter = '(%s=*)' % pwattr + try: + (entries, truncated) = ldap.find_entries( + search_filter, [pwattr], dn, ldap.SCOPE_BASE + ) + entry_attrs[attr] = True + except errors.NotFound: + entry_attrs[attr] = False + def handle_not_found(self, *keys): pkey = '' if self.primary_key: diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 5cd1056ec..6e9efec1a 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -162,9 +162,6 @@ def remove_fwd_ptr(ipaddr, host, domain, recordtype): pass host_output_params = ( - Flag('has_keytab', - label=_('Keytab'), - ), Str('managedby_host', label='Managed by', ), @@ -224,7 +221,7 @@ class host(LDAPObject): default_attributes = [ 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', - 'krblastpwdchange', 'managedby', 'memberindirect', 'memberofindirect', + 'managedby', 'memberindirect', 'memberofindirect', ] uuid_attribute = 'ipauniqueid' attribute_members = { @@ -242,6 +239,8 @@ class host(LDAPObject): 'managedby': ('Managed by', 'man_by_', 'not_man_by_'), 'managing': ('Managing', 'man_', 'not_man_'), } + password_attributes = [('userpassword', 'has_password'), + ('krbprincipalkey', 'has_keytab')] label = _('Hosts') label_singular = _('Host') @@ -466,6 +465,11 @@ class host_add(LDAPCreate): if options.get('all', False): entry_attrs['managing'] = self.obj.get_managed_hosts(dn) + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_password']: + # If an OTP is set there is no keytab, at least not one + # fetched anywhere. + entry_attrs['has_keytab'] = False return dn @@ -691,8 +695,13 @@ class host_find(LDAPSearch): def post_callback(self, ldap, entries, truncated, *args, **options): for entry in entries: - entry_attrs = entry[1] + (dn, entry_attrs) = entry set_certificate_attrs(entry_attrs) + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_password']: + # If an OTP is set there is no keytab, at least not one + # fetched anywhere. + entry_attrs['has_keytab'] = False if options.get('all', False): entry_attrs['managing'] = self.obj.get_managed_hosts(entry[0]) @@ -714,11 +723,10 @@ class host_show(LDAPRetrieve): member_attributes = ['managedby'] def post_callback(self, ldap, dn, entry_attrs, *keys, **options): - if 'krblastpwdchange' in entry_attrs: - entry_attrs['has_keytab'] = True - if not options.get('all', False): - del entry_attrs['krblastpwdchange'] - else: + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_password']: + # If an OTP is set there is no keytab, at least not one + # fetched anywhere. entry_attrs['has_keytab'] = False set_certificate_attrs(entry_attrs) @@ -766,7 +774,7 @@ class host_disable(LDAPQuery): dn = self.obj.get_dn(*keys, **options) try: - (dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate']) + (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: self.obj.handle_not_found(*keys) @@ -816,7 +824,8 @@ class host_disable(LDAPQuery): ldap.update_entry(dn, {'usercertificate': None}) done_work = True - if 'krblastpwdchange' in entry_attrs: + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_keytab']: ldap.remove_principal_key(dn) done_work = True diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 11970f401..bcaa76afb 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -83,9 +83,6 @@ from ipapython.ipautil import file_exists output_params = ( - Flag('has_keytab', - label=_('Keytab'), - ), Str('managedby_host', label='Managed by', ), @@ -207,7 +204,7 @@ class service(LDAPObject): 'ipaservice', 'pkiuser' ] search_attributes = ['krbprincipalname', 'managedby'] - default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', 'krblastpwdchange'] + default_attributes = ['krbprincipalname', 'usercertificate', 'managedby'] uuid_attribute = 'ipauniqueid' attribute_members = { 'managedby': ['host'], @@ -216,6 +213,7 @@ class service(LDAPObject): relationships = { 'managedby': ('Managed by', 'man_by_', 'not_man_by_'), } + password_attributes = [('krbprincipalkey', 'has_keytab')] label = _('Services') label_singular = _('Service') @@ -379,13 +377,8 @@ class service_find(LDAPSearch): def post_callback(self, ldap, entries, truncated, *args, **options): for entry in entries: - entry_attrs = entry[1] - if 'krblastpwdchange' in entry_attrs: - entry_attrs['has_keytab'] = True - if not options.get('all', False): - del entry_attrs['krblastpwdchange'] - else: - entry_attrs['has_keytab'] = False + (dn, entry_attrs) = entry + self.obj.get_password_attributes(ldap, dn, entry_attrs) set_certificate_attrs(entry_attrs) api.register(service_find) @@ -403,12 +396,7 @@ class service_show(LDAPRetrieve): ) def post_callback(self, ldap, dn, entry_attrs, *keys, **options): - if 'krblastpwdchange' in entry_attrs: - entry_attrs['has_keytab'] = True - if not options.get('all', False): - del entry_attrs['krblastpwdchange'] - else: - entry_attrs['has_keytab'] = False + self.obj.get_password_attributes(ldap, dn, entry_attrs) set_certificate_attrs(entry_attrs) @@ -461,7 +449,7 @@ class service_disable(LDAPQuery): ldap = self.obj.backend dn = self.obj.get_dn(*keys, **options) - (dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate']) + (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate']) # See if we do any work at all here and if not raise an exception done_work = False @@ -493,7 +481,8 @@ class service_disable(LDAPQuery): ldap.update_entry(dn, {'usercertificate': None}) done_work = True - if 'krblastpwdchange' in entry_attrs: + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_keytab']: ldap.remove_principal_key(dn) done_work = True diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 3068c6291..2112c03d0 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -113,6 +113,8 @@ class user(LDAPObject): } rdnattr = 'uid' bindable = True + password_attributes = [('userpassword', 'has_password'), + ('krbprincipalkey', 'has_keytab')] label = _('Users') label_singular = _('User') @@ -407,6 +409,7 @@ class user_add(LDAPCreate): newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry') entry_from_entry(entry_attrs, newentry) + self.obj.get_password_attributes(ldap, dn, entry_attrs) return dn api.register(user_add) @@ -443,6 +446,7 @@ class user_mod(LDAPUpdate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) + self.obj.get_password_attributes(ldap, dn, entry_attrs) return dn api.register(user_mod) @@ -472,6 +476,7 @@ class user_find(LDAPSearch): for entry in entries: (dn, attrs) = entry self.obj._convert_manager(attrs, **options) + self.obj.get_password_attributes(ldap, dn, attrs) convert_nsaccountlock(attrs) msg_summary = ngettext( @@ -488,6 +493,7 @@ class user_show(LDAPRetrieve): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) + self.obj.get_password_attributes(ldap, dn, entry_attrs) return dn api.register(user_show) diff --git a/tests/test_xmlrpc/test_attr.py b/tests/test_xmlrpc/test_attr.py index 3f78a678d..11aaa01e3 100644 --- a/tests/test_xmlrpc/test_attr.py +++ b/tests/test_xmlrpc/test_attr.py @@ -69,6 +69,8 @@ class test_attr(Declarative): dn=lambda x: DN(x) == \ DN(('uid','tuser1'),('cn','users'),('cn','accounts'), api.env.basedn), + has_keytab=False, + has_password=False, ), ), ), @@ -91,6 +93,8 @@ class test_attr(Declarative): mail=[u'test@example.com'], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -115,6 +119,8 @@ class test_attr(Declarative): mail=[u'test@example.com', u'test2@example.com'], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -140,6 +146,8 @@ class test_attr(Declarative): memberof_group=[u'ipausers'], telephonenumber=[u'410-555-1212', u'301-555-1212'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -165,6 +173,8 @@ class test_attr(Declarative): memberof_group=[u'ipausers'], telephonenumber=[u'301-555-1212'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -190,6 +200,8 @@ class test_attr(Declarative): memberof_group=[u'ipausers'], telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -233,6 +245,8 @@ class test_attr(Declarative): memberof_group=[u'ipausers'], telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -258,6 +272,8 @@ class test_attr(Declarative): memberof_group=[u'ipausers'], telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, diff --git a/tests/test_xmlrpc/test_group_plugin.py b/tests/test_xmlrpc/test_group_plugin.py index 096bab2de..6403251e6 100644 --- a/tests/test_xmlrpc/test_group_plugin.py +++ b/tests/test_xmlrpc/test_group_plugin.py @@ -637,6 +637,8 @@ class test_group(Declarative): dn=lambda x: DN(x) == \ DN(('uid',user1),('cn','users'),('cn','accounts'), api.env.basedn), + has_keytab=False, + has_password=False, ), ), ), @@ -753,6 +755,8 @@ class test_group(Declarative): dn=lambda x: DN(x) == \ DN(('uid','tuser1'),('cn','users'),('cn','accounts'), api.env.basedn), + has_keytab=False, + has_password=False, ), ), ), diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py index 87eb93768..f7746407b 100644 --- a/tests/test_xmlrpc/test_host_plugin.py +++ b/tests/test_xmlrpc/test_host_plugin.py @@ -109,6 +109,8 @@ class test_host(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn1], + has_keytab=False, + has_password=False, ), ), ), @@ -140,6 +142,7 @@ class test_host(Declarative): l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], has_keytab=False, + has_password=False, managedby_host=[fqdn1], ), ), @@ -168,7 +171,8 @@ class test_host(Declarative): managedby_host=[fqdn1], managing_host=[fqdn1], ipauniqueid=[fuzzy_uuid], - has_keytab=False + has_keytab=False, + has_password=False, ), ), ), @@ -189,6 +193,8 @@ class test_host(Declarative): l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[u'%s' % fqdn1], + has_keytab=False, + has_password=False, ), ], ), @@ -219,6 +225,8 @@ class test_host(Declarative): ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn1], managing_host=[u'%s' % fqdn1], + has_keytab=False, + has_password=False, ), ], ), @@ -265,6 +273,7 @@ class test_host(Declarative): l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], has_keytab=False, + has_password=False, managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=fuzzy_date, @@ -300,6 +309,8 @@ class test_host(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn3], + has_keytab=False, + has_password=False, ), ), ), @@ -326,6 +337,8 @@ class test_host(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn4], + has_keytab=False, + has_password=False, ), ), ), @@ -369,6 +382,7 @@ class test_host(Declarative): l=[u'Undisclosed location 2'], krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)], has_keytab=False, + has_password=False, managedby_host=[u'%s' % fqdn3, u'%s' % fqdn1], ), ), @@ -468,6 +482,8 @@ class test_host(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn1], + has_keytab=False, + has_password=False, ), ), ), @@ -479,7 +495,7 @@ class test_host(Declarative): value=service1, summary=u'Added service "%s"' % service1, result=dict( - dn=service1dn, + dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], objectclass=objectclasses.service, managedby_host=[fqdn1], @@ -539,6 +555,8 @@ class test_host(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn2], + has_keytab=False, + has_password=False, ), ), ), diff --git a/tests/test_xmlrpc/test_hostgroup_plugin.py b/tests/test_xmlrpc/test_hostgroup_plugin.py index 1bfbae43e..e0d115854 100644 --- a/tests/test_xmlrpc/test_hostgroup_plugin.py +++ b/tests/test_xmlrpc/test_hostgroup_plugin.py @@ -121,6 +121,8 @@ class test_hostgroup(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn1], + has_keytab=False, + has_password=False, ), ), ), diff --git a/tests/test_xmlrpc/test_krbtpolicy.py b/tests/test_xmlrpc/test_krbtpolicy.py index 3db743d51..3ef603b3a 100644 --- a/tests/test_xmlrpc/test_krbtpolicy.py +++ b/tests/test_xmlrpc/test_krbtpolicy.py @@ -116,6 +116,8 @@ class test_krbtpolicy(Declarative): [DN(('cn',user1),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid',user1),('cn','users'),('cn','accounts'), api.env.basedn) diff --git a/tests/test_xmlrpc/test_nesting.py b/tests/test_xmlrpc/test_nesting.py index f28d47935..cb2d1d0b2 100644 --- a/tests/test_xmlrpc/test_nesting.py +++ b/tests/test_xmlrpc/test_nesting.py @@ -186,6 +186,8 @@ class test_nesting(Declarative): [DN(('cn',user1),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid',user1),('cn','users'),('cn','accounts'), api.env.basedn) @@ -224,6 +226,8 @@ class test_nesting(Declarative): [DN(('cn',user2),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid',user2),('cn','users'),('cn','accounts'), api.env.basedn) @@ -262,6 +266,8 @@ class test_nesting(Declarative): [DN(('cn',user3),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid',user3),('cn','users'),('cn','accounts'), api.env.basedn) @@ -300,6 +306,8 @@ class test_nesting(Declarative): [DN(('cn',user4),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid',user4),('cn','users'),('cn','accounts'), api.env.basedn) @@ -676,6 +684,8 @@ class test_nesting(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn1], + has_keytab=False, + has_password=False, ), ), ), @@ -801,6 +811,7 @@ class test_nesting(Declarative): l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], has_keytab=False, + has_password=False, managedby_host=[fqdn1], memberof_hostgroup = [u'testhostgroup2'], memberofindirect_hostgroup = [u'testhostgroup1'], diff --git a/tests/test_xmlrpc/test_netgroup_plugin.py b/tests/test_xmlrpc/test_netgroup_plugin.py index fc3bb5456..9194b5492 100644 --- a/tests/test_xmlrpc/test_netgroup_plugin.py +++ b/tests/test_xmlrpc/test_netgroup_plugin.py @@ -168,6 +168,8 @@ class test_netgroup(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[host1], + has_keytab=False, + has_password=False, ), ), ), @@ -225,6 +227,8 @@ class test_netgroup(Declarative): [DN(('cn',user1),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid',user1),('cn','users'),('cn','accounts'), api.env.basedn), @@ -262,6 +266,8 @@ class test_netgroup(Declarative): [DN(('cn',user2),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid',user2),('cn','users'),('cn','accounts'), api.env.basedn), diff --git a/tests/test_xmlrpc/test_replace.py b/tests/test_xmlrpc/test_replace.py index a1fd5d280..f5203607c 100644 --- a/tests/test_xmlrpc/test_replace.py +++ b/tests/test_xmlrpc/test_replace.py @@ -73,6 +73,8 @@ class test_replace(Declarative): [DN(('cn',user1),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid','tuser1'),('cn','users'),('cn','accounts'), api.env.basedn), @@ -98,6 +100,8 @@ class test_replace(Declarative): mail=[u'test1@example.com', u'test3@example.com'], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -122,6 +126,8 @@ class test_replace(Declarative): mail=[u'test4@example.com'], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -146,6 +152,8 @@ class test_replace(Declarative): mail=[u'test6@example.com', u'test7@example.com', u'test5@example.com'], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -169,6 +177,8 @@ class test_replace(Declarative): gidnumber=[fuzzy_digits], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -193,6 +203,8 @@ class test_replace(Declarative): initials=[u'ABC'], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -216,6 +228,8 @@ class test_replace(Declarative): gidnumber=[fuzzy_digits], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, diff --git a/tests/test_xmlrpc/test_service_plugin.py b/tests/test_xmlrpc/test_service_plugin.py index d424eeedd..d36dac984 100644 --- a/tests/test_xmlrpc/test_service_plugin.py +++ b/tests/test_xmlrpc/test_service_plugin.py @@ -47,7 +47,7 @@ fd.close() badservercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv' -class test_host(Declarative): +class test_service(Declarative): cleanup_commands = [ ('host_del', [fqdn1], {}), @@ -99,6 +99,8 @@ class test_host(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn1], + has_keytab=False, + has_password=False, ), ), ), @@ -125,6 +127,8 @@ class test_host(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn2], + has_keytab=False, + has_password=False, ), ), ), @@ -151,6 +155,8 @@ class test_host(Declarative): objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn3.lower()], + has_keytab=False, + has_password=False, ), ), ), diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index 12aec153c..9392742e9 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py @@ -104,6 +104,8 @@ class test_user(Declarative): [DN(('cn',user1),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid','tuser1'),('cn','users'),('cn','accounts'), api.env.basedn), @@ -140,6 +142,8 @@ class test_user(Declarative): gidnumber=[fuzzy_digits], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), value=user1, summary=None, @@ -178,6 +182,8 @@ class test_user(Declarative): [DN(('cn','global_policy'),('cn',api.env.realm), ('cn','kerberos'),api.env.basedn)], 'nsaccountlock': False, + 'has_keytab': False, + 'has_password': False, 'displayname': [u'Test User1'], 'cn': [u'Test User1'], 'initials': [u'TU'], @@ -206,6 +212,8 @@ class test_user(Declarative): sn=[u'User1'], uid=[user1], nsaccountlock=False, + has_keytab=False, + has_password=False, uidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits], ), @@ -233,6 +241,8 @@ class test_user(Declarative): sn=[u'Administrator'], uid=[u'admin'], nsaccountlock=False, + has_keytab=True, + has_password=True, uidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits], ), @@ -246,6 +256,8 @@ class test_user(Declarative): sn=[u'User1'], uid=[user1], nsaccountlock=False, + has_keytab=False, + has_password=False, uidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits], ), @@ -273,6 +285,8 @@ class test_user(Declarative): sn=[u'Administrator'], uid=[u'admin'], nsaccountlock=False, + has_keytab=True, + has_password=True, uidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits], ), @@ -326,6 +340,8 @@ class test_user(Declarative): gidnumber=[fuzzy_digits], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "tuser1"', value=user1, @@ -359,6 +375,8 @@ class test_user(Declarative): gidnumber=[fuzzy_digits], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=None, value=user1, @@ -381,6 +399,8 @@ class test_user(Declarative): gidnumber=[fuzzy_digits], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "%s"' % user1, value=user1, @@ -409,6 +429,8 @@ class test_user(Declarative): gidnumber=[fuzzy_digits], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, ), summary=u'Modified user "%s"' % renameduser1, value=renameduser1, @@ -475,6 +497,8 @@ class test_user(Declarative): [DN(('cn',user1),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid','tuser1'),('cn','users'),('cn','accounts'), api.env.basedn), @@ -513,6 +537,8 @@ class test_user(Declarative): [DN(('cn',user2),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid','tuser2'),('cn','users'),('cn','accounts'), api.env.basedn), @@ -542,6 +568,8 @@ class test_user(Declarative): gidnumber=[fuzzy_digits], memberof_group=[u'ipausers'], nsaccountlock=False, + has_keytab=False, + has_password=False, manager=[user1], ), summary=u'Modified user "%s"' % user2, @@ -655,6 +683,8 @@ class test_user(Declarative): [DN(('cn',user1),('cn','groups'),('cn','accounts'), api.env.basedn)], memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, dn=lambda x: DN(x) == \ DN(('uid','tuser1'),('cn','users'),('cn','accounts'), api.env.basedn), |