diff options
author | Simo Sorce <ssorce@redhat.com> | 2007-10-01 17:33:16 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2007-10-01 17:33:16 -0400 |
commit | cfac4acf9fb152d685e342bd5adabb5ec2fa2c74 (patch) | |
tree | 07320a043e63ca21db1df716a47115984407d6ba | |
parent | 5750ebdd831f7f3e2dd5c08031a258ee448c7afa (diff) | |
download | freeipa-cfac4acf9fb152d685e342bd5adabb5ec2fa2c74.tar.gz freeipa-cfac4acf9fb152d685e342bd5adabb5ec2fa2c74.tar.xz freeipa-cfac4acf9fb152d685e342bd5adabb5ec2fa2c74.zip |
Rely more on kerberos.
Don't read ipa.conf to get the realm, the kerberos libs do that for you.
Use the krbPrincipalName to change passwords
Make it possible to specify the principal at user creation.
Mail is not a required attribute so far, don't require it.
-rw-r--r-- | ipa-admintools/ipa-adduser | 55 | ||||
-rw-r--r-- | ipa-admintools/ipa-passwd | 36 | ||||
-rw-r--r-- | ipa-python/ipaclient.py | 26 | ||||
-rw-r--r-- | ipa-python/rpcclient.py | 22 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/controllers.py | 2 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 57 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/ipaxmlrpc.py | 1 |
7 files changed, 111 insertions, 88 deletions
diff --git a/ipa-admintools/ipa-adduser b/ipa-admintools/ipa-adduser index cefb2383a..8bca98d7e 100644 --- a/ipa-admintools/ipa-adduser +++ b/ipa-admintools/ipa-adduser @@ -28,6 +28,7 @@ import ipa.config import xmlrpclib import kerberos +import krbV import ldap import getpass @@ -51,8 +52,10 @@ def parse_options(): help="Set user's login shell to shell") parser.add_option("-G", "--groups", dest="groups", help="Add account to one or more groups (comma-separated)") + parser.add_option("-k", "--krb-principal", dest="principal", + help="Set user's Kerberos Principal Name") parser.add_option("-M", "--mailAddress", dest="mail", - help="Set uesr's e-mail address") + help="Set user's e-mail address") parser.add_option("--usage", action="store_true", help="Program usage") @@ -66,8 +69,9 @@ def main(): givenname = "" lastname = "" username = "" + principal = "" password = "" - mail = "" + mail = "" gecos = "" directory = "" shell = "" @@ -100,7 +104,7 @@ def main(): cont = False if not options.sn: while (cont != True): - lastname = raw_input(" Last name: ") + lastname = raw_input("Last name: ") if (ipavalidate.plain(lastname, notEmpty=True)): print "Field is required and must be letters or '" else: @@ -140,18 +144,10 @@ def main(): else: password = options.sn - cont = False - if not options.mail: - while (cont != True): - mail = raw_input("E-mail addr: ") - if (ipavalidate.email(mail)): - print "Field is required and must include a user and domain name" - else: - cont = True - else: + if options.mail: mail = options.mail if (ipavalidate.email(mail)): - print "E-mail is required and must include a user and domain name" + print "The email provided seem not a valid email." return 1 # Ask the questions we don't normally force. We don't require answers @@ -168,8 +164,10 @@ def main(): cont = False if not options.directory: while (cont != True): - directory = raw_input("home directory []: ") - if (ipavalidate.path(gecos, notEmpty=False)): + directory = raw_input("home directory [/home/"+username+"]: ") + if directory == "": + directory = "/home/"+username + if (ipavalidate.path(directory, notEmpty=False)): print "Must be letters, numbers, spaces or '" else: cont = True @@ -180,29 +178,26 @@ def main(): if len(shell) < 1: shell = None - cont = True - cont = False - if not options.groups: - while (cont != True): - g = raw_input("Add to group [blank to exit]: ") - - if len(g) < 1: - cont = True - else: - if (ipavalidate.path(g, notEmpty=False)): - print "Must be letters, numbers, spaces or '" - else: - groups = groups + "," + g + cont = True + else: gecos = options.gecos directory = options.directory shell = options.shell groups = options.groups + if options.principal: + principal = options.principal + else: + ctx = krbV.default_context() + principal = username + "@" + ctx.default_realm + user.setValue('givenname', givenname) user.setValue('sn', lastname) user.setValue('uid', username) - user.setValue('mail', mail) + user.setValue('krbprincipalname', principal) + if mail: + user.setValue('mail', mail) if gecos: user.setValue('gecos', gecos) if directory: @@ -231,7 +226,7 @@ def main(): # Set the User's password if password is not None: try: - client.modifyPassword(username, None, password) + client.modifyPassword(principal, None, password) except ipa.ipaerror.IPAError, e: print "User added but setting the password failed." print "%s" % (e.message) diff --git a/ipa-admintools/ipa-passwd b/ipa-admintools/ipa-passwd index 20dea562f..4db0838fe 100644 --- a/ipa-admintools/ipa-passwd +++ b/ipa-admintools/ipa-passwd @@ -44,12 +44,12 @@ def parse_options(): return options, args -def get_principal(): +def get_principal(krbctx): try: - ctx = krbV.default_context() - ccache = ctx.default_ccache() + ccache = krbctx.default_ccache() cprinc = ccache.principal() except krbV.Krb5Error, e: + #TODO: do a kinit print "Unable to get kerberos principal: %s" % e[1] return None @@ -57,39 +57,47 @@ def get_principal(): def main(): match = False + username = None + principal = None + krbctx = krbV.default_context() options, args = parse_options() if len(args) == 2: username = args[1] else: - username = get_principal() - if username is None: + principal = get_principal(krbctx) + if principal is None: return 1 - u = username.split('@') - if len(u) > 1: - username = u[0] + if not principal: + u = username.split('@') + if len(u) > 2 or len(u) == 0: + print "Invalid user name (%s)" % username + if len(u) == 1: + principal = username+"@"+krbctx.default_realm + else: + principal = username - print "Changing password for %s" % username + print "Changing password for %s" % principal while (match != True): # No syntax checking of the password is required because that is done # on the server side password = getpass.getpass(" New Password: ") - confirm = getpass.getpass(" New Password (again): ") + confirm = getpass.getpass(" Confirm Password: ") if (password != confirm): print "Passwords do not match" match = False + elif (len(password) < 1): + print "Password cannot be empty" + match = False else: match = True - if (len(password) < 1): - print "Password cannot be empty" - match = False try: client = ipaclient.IPAClient() - client.modifyPassword(username, None, password) + client.modifyPassword(principal, None, password) except ipa.ipaerror.IPAError, e: print "%s" % (e.message) return 1 diff --git a/ipa-python/ipaclient.py b/ipa-python/ipaclient.py index 27ad1c246..47788f39b 100644 --- a/ipa-python/ipaclient.py +++ b/ipa-python/ipaclient.py @@ -35,7 +35,6 @@ class IPAClient: def __init__(self,local=None): self.local = local - ipa.config.init_config() if local: self.transport = funcs.IPAServer() # client needs to call set_principal(user@REALM) @@ -69,6 +68,13 @@ class IPAClient: result = self.transport.get_user_by_dn(dn,sattrs) return user.User(result) + def get_user_by_principal(self,principal,sattrs=None): + """Get a specific user by uid. If sattrs is set then only those + attributes will be returned, otherwise all available attributes + are returned.""" + result = self.transport.get_user_by_principal(principal,sattrs) + return user.User(result) + def get_users_by_manager(self,manager_dn,sattrs=None): """Gets the users the report to a particular manager. If sattrs is not None then only those @@ -81,8 +87,6 @@ class IPAClient: def add_user(self,user,user_container=None): """Add a user. user is a ipa.user.User object""" - realm = config.config.get_realm() - user_dict = user.toDict() # dn is set on the server-side @@ -126,31 +130,25 @@ class IPAClient: def update_user(self,user): """Update a user entry.""" - realm = config.config.get_realm() - result = self.transport.update_user(user.origDataDict(), user.toDict()) return result def delete_user(self,uid): """Delete a user entry.""" - realm = config.config.get_realm() - result = self.transport.delete_user(uid) return result - def modifyPassword(self,uid,oldpass,newpass): + def modifyPassword(self,principal,oldpass,newpass): """Modify a user's password""" - result = self.transport.modifyPassword(uid,oldpass,newpass) + result = self.transport.modifyPassword(principal,oldpass,newpass) return result def mark_user_deleted(self,uid): """Set a user as inactive by uid.""" - realm = config.config.get_realm() - result = self.transport.mark_user_deleted(uid) return result @@ -182,8 +180,6 @@ class IPAClient: def add_group(self,group,group_container=None): """Add a group. group is a ipa.group.Group object""" - realm = config.config.get_realm() - group_dict = group.toDict() # dn is set on the server-side @@ -238,6 +234,8 @@ class IPAClient: def add_user_to_group(self, user_uid, group_cn): """Add a user to an existing group. + user is a uid of the user to add + group is the cn of the group to be added to """ return self.transport.add_user_to_group(user_uid, group_cn) @@ -253,6 +251,8 @@ class IPAClient: def remove_user_from_group(self, user_uid, group_cn): """Remove a user from an existing group. + user is a uid of the user to remove + group is the cn of the group to be removed from """ return self.transport.remove_user_from_group(user_uid, group_cn) diff --git a/ipa-python/rpcclient.py b/ipa-python/rpcclient.py index 9f02b374f..0327357dc 100644 --- a/ipa-python/rpcclient.py +++ b/ipa-python/rpcclient.py @@ -84,7 +84,7 @@ class RPCClient: raise xmlrpclib.Fault(value, msg) return ipautil.unwrap_binary_data(result) - + def get_user_by_dn(self,dn,sattrs=None): """Get a specific user. If sattrs is not None then only those attributes will be returned, otherwise all available @@ -101,6 +101,22 @@ class RPCClient: return ipautil.unwrap_binary_data(result) + def get_user_by_principal(self,principal,sattrs=None): + """Get a specific user. If sattrs is not None then only those + attributes will be returned, otherwise all available + attributes are returned. The result is a dict.""" + server = self.setup_server() + if sattrs is None: + sattrs = "__NONE__" + try: + result = server.get_user_by_principal(principal, sattrs) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return ipautil.unwrap_binary_data(result) + def get_users_by_manager(self,manager_dn,sattrs=None): """Gets the users that report to a manager. If sattrs is not None then only those @@ -212,7 +228,7 @@ class RPCClient: return result - def modifyPassword(self,uid,oldpass,newpass): + def modifyPassword(self,principal,oldpass,newpass): """Modify a user's password""" server = self.setup_server() @@ -220,7 +236,7 @@ class RPCClient: oldpass = "__NONE__" try: - result = server.modifyPassword(uid,oldpass,newpass) + result = server.modifyPassword(principal,oldpass,newpass) except xmlrpclib.Fault, fault: raise ipaerror.gen_exception(fault.faultCode, fault.faultString) except socket.error, (value, msg): diff --git a/ipa-server/ipa-gui/ipagui/controllers.py b/ipa-server/ipa-gui/ipagui/controllers.py index 41bd3b293..bdb7b102f 100644 --- a/ipa-server/ipa-gui/ipagui/controllers.py +++ b/ipa-server/ipa-gui/ipagui/controllers.py @@ -338,7 +338,7 @@ class Root(controllers.RootController): # try: if password_change: - rv = client.modifyPassword(kw['uid'], "", kw.get('userpassword')) + rv = client.modifyPassword(kw['krbprincipalname'], "", kw.get('userpassword')) except ipaerror.IPAError, e: turbogears.flash("User password change failed: " + str(e)) return dict(form=user_edit_form, user=kw, diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index e4e2f40e2..de089b618 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -20,12 +20,12 @@ import sys sys.path.append("/usr/share/ipa") +import krbV import ldap import ipaserver.dsinstance import ipaserver.ipaldap import ipa.ipautil import xmlrpclib -import ipa.config import copy from ipa import ipaerror @@ -86,11 +86,12 @@ class IPAServer: self.bindcert = "/usr/share/ipa/cert.pem" self.bindkey = "/usr/share/ipa/key.pem" self.bindca = "/usr/share/ipa/cacert.asc" - + self.krbctx = krbV.default_context() + self.realm = self.krbctx.default_realm + if _LDAPPool is None: _LDAPPool = IPAConnPool() - ipa.config.init_config() - self.basedn = ipa.ipautil.realm_to_suffix(ipa.config.config.get_realm()) + self.basedn = ipa.ipautil.realm_to_suffix(self.realm) self.scope = ldap.SCOPE_SUBTREE self.princ = None self.krbccache = None @@ -312,6 +313,15 @@ class IPAServer: filter = "(objectClass=*)" return self.__get_entry(dn, filter, sattrs, opts) + def get_user_by_principal(self, principal, sattrs=None, opts=None): + """Get a user entry searching by Kerberos Principal Name. + Return as a dict of values. Multi-valued fields are + represented as lists. + """ + + filter = "(krbPrincipalName="+self.__safe_filter(principal)+")" + return self.__get_entry(self.basedn, filter, sattrs, opts) + def get_users_by_manager (self, manager_dn, sattrs=None, opts=None): """Gets the users that report to a particular manager. """ @@ -342,9 +352,9 @@ class IPAServer: # Let us add in some missing attributes if user.get('homedirectory') is None: - user['homedirectory'] = '/home/%s' % user.get('uid') + user['homedirectory'] = '/home/%s' % user.get('uid') if not user.get('gecos') is None: - user['gecos'] = user['uid'] + user['gecos'] = user['uid'] # FIXME: This can be removed once the DS plugin is installed user['uidnumber'] = '501' @@ -352,8 +362,8 @@ class IPAServer: # FIXME: What is the default group for users? user['gidnumber'] = '501' - realm = ipa.config.config.get_realm() - user['krbprincipalname'] = "%s@%s" % (user.get('uid'), realm) + if user.get('krbprincipalname') is None: + user['krbprincipalname'] = "%s@%s" % (user.get('uid'), self.realm) # FIXME. This is a hack so we can request separate First and Last # name in the GUI. @@ -365,17 +375,7 @@ class IPAServer: del user['gn'] # some required objectclasses - entry.setValues('objectClass', 'top', 'posixAccount', 'shadowAccount', 'account', 'person', 'inetOrgPerson', 'organizationalPerson', 'krbPrincipalAux', 'krbTicketPolicyAux') - - # Fill in shadow fields - entry.setValue('shadowMin', '0') - entry.setValue('shadowMax', '99999') - entry.setValue('shadowWarning', '7') - entry.setValue('shadowExpire', '-1') - entry.setValue('shadowInactive', '-1') - entry.setValue('shadowFlag', '-1') - - # FIXME: calculate shadowLastChange + entry.setValues('objectClass', 'top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount', 'krbPrincipalAux') # fill in our new entry with everything sent by the user for u in user: @@ -426,7 +426,7 @@ class IPAServer: "label": "E-mail address:", "type": "text", "validator": "email", - "required": "true" + "required": "false" } fields.append(field1) @@ -455,6 +455,9 @@ class IPAServer: """Returns a list: counter followed by the results. If the results are truncated, counter will be set to -1.""" + # TODO - retrieve from config + timelimit = 2 + # Assume the list of fields to search will come from a central # configuration repository. A good format for that would be # a comma-separated list of fields @@ -562,31 +565,31 @@ class IPAServer: The memberOf plugin handles removing the user from any other groups. """ - user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts) - if user_dn is None: + user = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts) + if user is None: raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) conn = self.getConnection(opts) try: - res = conn.deleteEntry(user_dn['dn']) + res = conn.deleteEntry(user['dn']) finally: self.releaseConnection(conn) return res - def modifyPassword (self, uid, oldpass, newpass, opts=None): + def modifyPassword (self, principal, oldpass, newpass, opts=None): """Set/Reset a user's password uid tells us who's password to change oldpass is the old password (if available) newpass is the new password """ - user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts) - if user_dn is None: + user = self.get_user_by_principal(principal, ['krbprincipalname'], opts) + if user is None or user['krbprincipalname'] != principal: raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) conn = self.getConnection(opts) try: - res = conn.modifyPassword(user_dn['dn'], oldpass, newpass) + res = conn.modifyPassword(user['dn'], oldpass, newpass) finally: self.releaseConnection(conn) return res diff --git a/ipa-server/xmlrpc-server/ipaxmlrpc.py b/ipa-server/xmlrpc-server/ipaxmlrpc.py index 96d9299c2..9f70550aa 100644 --- a/ipa-server/xmlrpc-server/ipaxmlrpc.py +++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py @@ -319,6 +319,7 @@ def handler(req, profiling=False): h = ModXMLRPCRequestHandler() h.register_function(f.get_user_by_uid) h.register_function(f.get_user_by_dn) + h.register_function(f.get_user_by_principal) h.register_function(f.get_users_by_manager) h.register_function(f.add_user) h.register_function(f.get_add_schema) |