diff options
author | Rob Crittenden <rcritten@redhat.com> | 2008-10-13 17:17:00 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2008-10-13 17:17:00 -0400 |
commit | 6d2705b363e95b5bd692b695cdcbbfcbca6d12b9 (patch) | |
tree | 30fea8e1ae80c8ac1cd3f0e384aab51dd97b8b4a | |
parent | 19465318cebed2a2ae844d33e69728c1eb9fd7d6 (diff) | |
download | freeipa-6d2705b363e95b5bd692b695cdcbbfcbca6d12b9.tar.gz freeipa-6d2705b363e95b5bd692b695cdcbbfcbca6d12b9.tar.xz freeipa-6d2705b363e95b5bd692b695cdcbbfcbca6d12b9.zip |
Implement user lock and unlock
-rw-r--r-- | ipa_server/servercore.py | 183 | ||||
-rw-r--r-- | ipalib/errors.py | 42 | ||||
-rw-r--r-- | ipalib/plugins/f_user.py | 34 |
3 files changed, 241 insertions, 18 deletions
diff --git a/ipa_server/servercore.py b/ipa_server/servercore.py index 29a8afbdd..3e98e6f61 100644 --- a/ipa_server/servercore.py +++ b/ipa_server/servercore.py @@ -21,6 +21,7 @@ import ldap import string import re from ipa_server.context import context +from ipa_server import ipaldap import ipautil from ipalib import errors @@ -123,6 +124,37 @@ def get_list (base, searchfilter, sattrs=None): return map(convert_entry, entries) +def has_nsaccountlock(dn): + """Check to see if an entry has the nsaccountlock attribute. + This attribute is provided by the Class of Service plugin so + doing a search isn't enough. It is provided by the two + entries cn=inactivated and cn=activated. So if the entry has + the attribute and isn't in either cn=activated or cn=inactivated + then the attribute must be in the entry itself. + + Returns True or False + """ + # First get the entry. If it doesn't have nsaccountlock at all we + # can exit early. + entry = get_entry_by_dn(dn, ['dn', 'nsaccountlock', 'memberof']) + if not entry.get('nsaccountlock'): + return False + + # Now look to see if they are in activated or inactivated + # entry is a member + memberof = entry.get('memberof') + if isinstance(memberof, basestring): + memberof = [memberof] + for m in memberof: + inactivated = m.find("cn=inactivated") + activated = m.find("cn=activated") + # if they are in either group that means that the nsaccountlock + # value comes from there, otherwise it must be in this entry. + if inactivated >= 0 or activated >= 0: + return False + + return True + # General searches def get_entry_by_dn (dn, sattrs=None): @@ -142,6 +174,14 @@ def get_entry_by_cn (cn, sattrs): searchfilter = "(cn=%s)" % cn return get_sub_entry("cn=accounts," + basedn, searchfilter, sattrs) +def get_user_by_uid(uid, sattrs): + """Get a specific user's entry.""" + # FIXME: should accept a container to look in +# uid = self.__safe_filter(uid) + searchfilter = "(&(uid=%s)(objectclass=posixAccount))" % uid + + return get_sub_entry("cn=accounts," + basedn, searchfilter, sattrs) + # User support def user_exists(uid): @@ -152,10 +192,9 @@ def user_exists(uid): searchfilter = "(&(uid=%s)(objectclass=posixAccount))" % uid try: - entry = get_sub_entry("cn=accounts," + basedn, searchfilter, ['dn','uid']) - return False -# except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): - except Exception: + get_sub_entry("cn=accounts," + basedn, searchfilter, ['dn','uid']) + return True + except errors.NotFound: return True def get_user_by_uid (uid, sattrs): @@ -348,3 +387,139 @@ def get_ipa_config(): raise errors.NotFound return config + +def mark_entry_active (dn): + """Mark an entry as active in LDAP.""" + + # This can be tricky. The entry itself can be marked inactive + # by being in the inactivated group. It can also be inactivated by + # being the member of an inactive group. + # + # First we try to remove the entry from the inactivated group. Then + # if it is still inactive we have to add it to the activated group + # which will override the group membership. + + res = "" + # First, check the entry status + entry = get_entry_by_dn(dn, ['dn', 'nsAccountlock']) + + if entry.get('nsaccountlock', 'false').lower() == "false": +# logging.debug("IPA: already active") + raise errors.AlreadyActiveError + + if has_nsaccountlock(dn): +# logging.debug("IPA: appears to have the nsaccountlock attribute") + raise errors.HasNSAccountLock + + group = get_entry_by_cn("inactivated", None) + try: + remove_member_from_group(entry.get('dn'), group.get('dn')) + except errors.NotGroupMember: + # Perhaps the user is there as a result of group membership + pass + + # Now they aren't a member of inactivated directly, what is the status + # now? + entry = get_entry_by_dn(dn, ['dn', 'nsAccountlock']) + + if entry.get('nsaccountlock', 'false').lower() == "false": + # great, we're done +# logging.debug("IPA: removing from inactivated did it.") + return res + + # So still inactive, add them to activated + group = get_entry_by_cn("activated", None) + res = add_member_to_group(dn, group.get('dn')) +# logging.debug("IPA: added to activated.") + + return res + +def mark_entry_inactive (dn): + """Mark an entry as inactive in LDAP.""" + + entry = get_entry_by_dn(dn, ['dn', 'nsAccountlock', 'memberOf']) + + if entry.get('nsaccountlock', 'false').lower() == "true": +# logging.debug("IPA: already marked as inactive") + raise errors.AlreadyInactiveError + + if has_nsaccountlock(dn): +# logging.debug("IPA: appears to have the nsaccountlock attribute") + raise errors.HasNSAccountLock + + # First see if they are in the activated group as this will override + # the our inactivation. + group = get_entry_by_cn("activated", None) + try: + remove_member_from_group(dn, group.get('dn')) + except errors.NotGroupMember: + # this is fine, they may not be explicitly in this group + pass + + # Now add them to inactivated + group = get_entry_by_cn("inactivated", None) + res = add_member_to_group(dn, group.get('dn')) + + return res + +def add_member_to_group(member_dn, group_dn): + """Add a member to an existing group.""" +# logging.info("IPA: add_member_to_group '%s' to '%s'" % (member_dn, group_dn)) + if member_dn.lower() == group_dn.lower(): + # You can't add a group to itself + raise errors.SameGroupError + + group = get_entry_by_dn(group_dn, None) + if group is None: + raise errors.NotFound + + # check to make sure member_dn exists + member_entry = get_base_entry(member_dn, "(objectClass=*)", ['dn','objectclass']) + if not member_entry: + raise errors.NotFound + + if group.get('member') is not None: + if isinstance(group.get('member'),basestring): + group['member'] = [group['member']] + group['member'].append(member_dn) + else: + group['member'] = member_dn + + try: + return update_entry(group) + except errors.EmptyModlist: + raise + +def remove_member_from_group(member_dn, group_dn=None): + """Remove a member_dn from an existing group.""" + + group = get_entry_by_dn(group_dn, None) + if group is None: + raise errors.NotFound + """ + if group.get('cn') == "admins": + member = get_entry_by_dn(member_dn, ['dn','uid']) + if member.get('uid') == "admin": + raise ipaerror.gen_exception(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS) + """ +# logging.info("IPA: remove_member_from_group '%s' from '%s'" % (member_dn, group_dn)) + + if group.get('member') is not None: + if isinstance(group.get('member'),basestring): + group['member'] = [group['member']] + for i in range(len(group['member'])): + group['member'][i] = ipaldap.IPAdmin.normalizeDN(group['member'][i]) + try: + group['member'].remove(member_dn) + except ValueError: + # member is not in the group + # FIXME: raise more specific error? + raise errors.NotGroupMember + else: + # Nothing to do if the group has no members + raise errors.NotGroupMember + + try: + return update_entry(group) + except errors.EmptyModlist: + raise diff --git a/ipalib/errors.py b/ipalib/errors.py index d0d917f6b..f1c9e26e8 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -286,57 +286,73 @@ class SameGroupError(InputError): """You can't add a group to itself""" faultCode = 1008 +class NotGroupMember(InputError): + """This entry is not a member of the group""" + faultCode = 1009 + class AdminsImmutable(InputError): """The admins group cannot be renamed""" - faultCode = 1009 + faultCode = 1010 class UsernameTooLong(InputError): """The requested username is too long""" - faultCode = 1010 + faultCode = 1011 class PrincipalError(GenericError): """There is a problem with the kerberos principal""" - faultCode = 1011 + faultCode = 1012 class MalformedServicePrincipal(PrincipalError): """The requested service principal is not of the form: service/fully-qualified host name""" - faultCode = 1012 + faultCode = 1013 class RealmMismatch(PrincipalError): """The realm for the principal does not match the realm for this IPA server""" - faultCode = 1013 + faultCode = 1014 class PrincipalRequired(PrincipalError): """You cannot remove IPA server service principals""" - faultCode = 1014 + faultCode = 1015 class InactivationError(GenericError): """This entry cannot be inactivated""" - faultCode = 1015 + faultCode = 1016 + +class AlreadyActiveError(InactivationError): + """This entry is already locked""" + faultCode = 1017 + +class AlreadyInactiveError(InactivationError): + """This entry is already unlocked""" + faultCode = 1018 + +class HasNSAccountLock(InactivationError): + """This entry appears to have the nsAccountLock attribute in it so the Class of Service activation/inactivation will not work. You will need to remove the attribute nsAccountLock for this to work.""" + faultCode = 1019 class ConnectionError(GenericError): """Connection to database failed""" - faultCode = 1016 + faultCode = 1020 class NoCCacheError(GenericError): """No Kerberos credentials cache is available. Connection cannot be made""" - faultCode = 1017 + faultCode = 1021 class GSSAPIError(GenericError): """GSSAPI Authorization error""" - faultCode = 1018 + faultCode = 1022 class ServerUnwilling(GenericError): """Account inactivated. Server is unwilling to perform""" - faultCode = 1018 + faultCode = 1023 class ConfigurationError(GenericError): """A configuration error occurred""" - faultCode = 1019 + faultCode = 1024 class DefaultGroup(ConfigurationError): """You cannot remove the default users group""" - faultCode = 1020 + faultCode = 1025 class FunctionDeprecated(GenericError): """Raised by a deprecated function""" diff --git a/ipalib/plugins/f_user.py b/ipalib/plugins/f_user.py index 573a2a434..ff459b3da 100644 --- a/ipalib/plugins/f_user.py +++ b/ipalib/plugins/f_user.py @@ -26,6 +26,7 @@ from ipalib import crud from ipalib.frontend import Param from ipalib import api from ipalib import errors +from ipalib import ipa_types from ipa_server import servercore from ipa_server import ipaldap import ldap @@ -136,7 +137,7 @@ class user_add(crud.Add): user['gidnumber'] = default_group.get('gidnumber') except errors.NotFound: # Fake an LDAP error so we can return something useful to the user - raise ipalib.NotFound, "The default group for new users, '%s', cannot be found." % config.get('ipadefaultprimarygroup') + raise errors.NotFound, "The default group for new users, '%s', cannot be found." % config.get('ipadefaultprimarygroup') except Exception, e: # catch everything else raise e @@ -265,3 +266,34 @@ class user_show(crud.Get): except errors.NotFound: print "User %s not found" % args[0] api.register(user_show) + +class user_lock(frontend.Command): + 'Lock a user account.' + takes_args = ( + Param('uid', primary_key=True), + ) + def execute(self, *args, **kw): + uid = args[0] + user = servercore.get_user_by_uid(uid, ['dn', 'uid']) + return servercore.mark_entry_inactive(user['dn']) + def forward(self, *args, **kw): + result = super(user_lock, self).forward(*args, **kw) + if result: + print "User locked" +api.register(user_lock) + +class user_unlock(frontend.Command): + 'Unlock a user account.' + takes_args = ( + Param('uid', primary_key=True), + ) + def execute(self, *args, **kw): + uid = args[0] + user = servercore.get_user_by_uid(uid, ['dn', 'uid']) + return servercore.mark_entry_active(user['dn']) + def forward(self, *args, **kw): + result = super(user_unlock, self).forward(*args, **kw) + if result: + print "User unlocked" +api.register(user_unlock) + |