author | John Dennis <jdennis@redhat.com> | 2007-11-13 13:06:18 -0500 |
---|---|---|
committer | John Dennis <jdennis@redhat.com> | 2007-11-13 13:06:18 -0500 |
commit | 152f8e33928d9222257a272fb573aa9ce7d37578 (patch) | |
tree | c646bddf3b3c1031b5838b2cebe439f34d79b0f0 /ipa-admintools | |
parent | f36872383c51da0453d5387e0e1180ba47e19649 (diff) | |
parent | 24d5777bd682636b36b96193c2ec2c8bcb6f684f (diff) | |
checkpoint radius client work
Diffstat (limited to 'ipa-admintools')
-rw-r--r-- | ipa-admintools/Makefile | 1 | ||||
-rw-r--r-- | ipa-admintools/ipa-addradiusclient | 248 |
2 files changed, 249 insertions, 0 deletions
diff --git a/ipa-admintools/Makefile b/ipa-admintools/Makefile
index 9d63db082..4c8d3f1f4 100644
--- a/ipa-admintools/Makefile
+++ b/ipa-admintools/Makefile
@@ -21,6 +21,7 @@ install:
 	install -m 755 ipa-deldelegation $(SBINDIR)
 	install -m 755 ipa-listdelegation $(SBINDIR)
 	install -m 755 ipa-moddelegation $(SBINDIR)
+	install -m 755 ipa-addradiusclient $(SBINDIR)
 	@for subdir in $(SUBDIRS); do \
 		(cd $$subdir && $(MAKE) $@) || exit 1; \
diff --git a/ipa-admintools/ipa-addradiusclient b/ipa-admintools/ipa-addradiusclient
new file mode 100644
index 000000000..5772b4d8e
--- /dev/null
+++ b/ipa-admintools/ipa-addradiusclient
@@ -0,0 +1,248 @@
+#! /usr/bin/python -E
+# Authors: John Dennis <jdennis@redhat.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import sys
+from optparse import OptionParser
+import ipa
+import ipa.radius_client
+import ipa.ipaclient as ipaclient
+import ipa.ipavalidate as ipavalidate
+import ipa.config
+import ipa.ipaerror
+
+import xmlrpclib
+import kerberos
+import ldap
+import getpass
+import re
+
+#------------------------------------------------------------------------------
+
+dotted_octet_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(/(\d+))?$")
+dns_RE = re.compile(r"^[a-zA-Z.-]+$")
+# secret, name, nastype all have 31 char max in freeRADIUS, max ip address len is 255
+valid_secret_len = (1,31)
+valid_name_len = (1,31)
+valid_nastype_len = (1,31)
+valid_ip_addr_len = (1,255)
+
+valid_ip_addr_msg = "IP address is required and must be dotted octet with optional mask or a DNS name"
+valid_desc_msg = "Description must text string"
+
+#------------------------------------------------------------------------------
+
+def usage():
+    print "ipa-addradiusclient"
+    sys.exit(1)
+
+def parse_options():
+    parser = OptionParser()
+    parser.add_option("--usage", action="store_true",
+                      help="Program usage")
+    parser.add_option("-a", "--address", dest="ip_addr",
+                      help="RADIUS client IP address")
+    parser.add_option("-s", "--secret", dest="secret",
+                      help="RADIUS client secret")
+    parser.add_option("-n", "--name", dest="name",
+                      help="RADIUS client name")
+    parser.add_option("-t", "--type", dest="nastype",
+                      help="RADIUS client name")
+    parser.add_option("-d", "--description", dest="desc",
+                      help="description of the RADIUS client")
+
+    args = ipa.config.init_config(sys.argv)
+    options, args = parser.parse_args(args)
+
+    return options, args
+
+#------------------------------------------------------------------------------
+
+def get_secret():
+    valid = False
+    while (not valid):
+        secret = getpass.getpass("Enter Secret: ")
+        confirm = getpass.getpass("Confirm Secret: ")
+        if (secret != confirm):
+            print "Secrets do not match"
+            continue
+        valid = True
+    return secret
+
+#------------------------------------------------------------------------------
+
+def valid_ip_addr(text):
+
+    # is it a dotted octet? If so there should be 4 integers seperated
+    # by a dot and each integer should be between 0 and 255
+    # there may be an optional mask preceded by a slash (e.g. 1.2.3.4/24)
+    match = dotted_octet_RE.search(text)
+    if match:
+        # dotted octet notation
+        i = 1
+        while i <= 4:
+            octet = int(match.group(i))
+            if octet > 255: return False
+            i += 1
+        if match.group(5):
+            mask = int(match.group(6))
+            if mask <= 32:
+                return True
+            else:
+                return False
+        return True
+    else:
+        # DNS name, can contain letters, dot and hypen
+        if dns_RE.search(text): return False
+        return True
+
+def validate_length(value, limits):
+    length = len(value)
+    if length < limits[0] or length > limits[1]:
+        return False
+    return True
+
+def valid_length_msg(name, limits):
+    return "%s length must be at least %d and not more than %d" % (name, limits[0], limits[1])
+
+def validate_ip_addr(ip_addr):
+    if not validate_length(ip_addr, valid_ip_addr_len):
+        print valid_length_msg('ip address', valid_ip_addr_len)
+        return False
+    if not valid_ip_addr(ip_addr):
+        print valid_ip_addr_msg
+        return False
+    return True
+
+def validate_secret(secret):
+    if not validate_length(secret, valid_secret_len):
+        print valid_length_msg('secret', valid_secret_len)
+        return False
+    return True
+
+def validate_name(name):
+    if not validate_length(name, valid_name_len):
+        print valid_length_msg('name', valid_name_len)
+        return False
+    return True
+
+def validate_nastype(nastype):
+    if not validate_length(nastype, valid_nastype_len):
+        print valid_length_msg('NAS Type', valid_nastype_len)
+        return False
+    return True
+
+def validate_desc(desc):
+    if ipavalidate.plain(desc, notEmpty=True) != 0:
+        print valid_desc_msg
+        return False
+    return True
+
+#------------------------------------------------------------------------------
+
+def main():
+    ip_addr = None
+    secret = None
+    name = None
+    nastype = None
+    desc = None
+
+    client=ipa.radius_client.RadiusClient()
+    options, args = parse_options()
+
+    # client address is required
+    if options.ip_addr:
+        ip_addr = options.ip_addr
+        if not validate_ip_addr(ip_addr): return 1
+    else:
+        valid = False
+        while not valid:
+            ip_addr = raw_input("Client IP: ")
+            if validate_ip_addr(ip_addr): valid = True
+
+    # client secret is required
+    if options.secret:
+        secret = options.secret
+        if not validate_secret(secret): return 1
+    else:
+        valid = False
+        while not valid:
+            secret = get_secret()
+            if validate_secret(secret): valid = True
+
+    # client name is optional
+    if options.name:
+        name = options.name
+        if not validate_name(name): return 1
+
+    # client NAS Type is optional
+    if options.nastype:
+        nastype = options.nastype
+        if not validate_nastype(nastype): return 1
+
+    # client description is optional
+    if options.desc:
+        desc = options.desc
+        if not validate_desc(desc): return 1
+
+
+    #print "ip_addr=%s secret=%s name=%s nastype=%s desc=%s" % (ip_addr, secret, name, nastype, desc)
+
+    if ip_addr is not None:
+        client.setValue('radiusClientNASIpAddress', ip_addr)
+    else:
+        print "client IP Address is required"
+        return 1
+
+    if secret is not None:
+        client.setValue('radiusClientSecret', secret)
+    else:
+        print "client secret is required"
+        return 1
+
+    if name is not None:
+        client.setValue('radiusClientShortName', name)
+
+    if nastype is not None:
+        client.setValue('radiusClientNASType', nastype)
+
+    if desc is not None:
+        client.setValue('description', desc)
+
+    try:
+        client = ipaclient.IPAClient()
+        client.add_radius_client(client)
+        print "successfully added"
+    except xmlrpclib.Fault, f:
+        print f.faultString
+        return 1
+    except kerberos.GSSError, e:
+        print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
+        return 1
+    except xmlrpclib.ProtocolError, e:
+        print "Unable to connect to IPA server: %s" % (e.errmsg)
+        return 1
+    except ipa.ipaerror.IPAError, e:
+        print "%s" % (e.message)
+        return 1
+
+    return 0
+
+if __name__ == "__main__":
+    sys.exit(main())
|
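Review bot: The DNS-name branch of valid_ip_addr is inverted: `if dns_RE.search(text): return False` rejects every value that matches `^[a-zA-Z.-]+$` and accepts anything that matches neither regex, so an address containing spaces, quotes or `;` passes validation and is written into radiusClientNASIpAddress via setValue; it should read `if dns_RE.search(text): return True` followed by `return False`, and the pattern presumably needs digits as well, since hostnames such as `nas1.example.com` would otherwise fail. Further down in main, `client = ipaclient.IPAClient()` rebinds the name holding the populated RadiusClient, so `client.add_radius_client(client)` hands the IPAClient to itself and the values set earlier are presumably never sent; use a distinct name, e.g. `ipa_client = ipaclient.IPAClient()` and `ipa_client.add_radius_client(client)`. The `--type` option's help string duplicates "RADIUS client name"; `help="RADIUS client NAS type"` matches its dest. Because `--secret` is taken from argv it is visible to other local users in the process listing, so the option's help text should note that omitting it triggers the getpass prompt, which is the preferable way to supply it.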