authorSimo Sorce <ssorce@redhat.com>2007-10-01 17:33:16 -0400
committerSimo Sorce <ssorce@redhat.com>2007-10-01 17:33:16 -0400
commitcfac4acf9fb152d685e342bd5adabb5ec2fa2c74 (patch)
tree07320a043e63ca21db1df716a47115984407d6ba /ipa-server/xmlrpc-server/funcs.py
parent5750ebdd831f7f3e2dd5c08031a258ee448c7afa (diff)
Rely more on kerberos.
Don't read ipa.conf to get the realm; the kerberos libs do that for you. Use the krbPrincipalName to change passwords. Make it possible to specify the principal at user creation. Mail is not a required attribute so far, so don't require it.
Diffstat (limited to 'ipa-server/xmlrpc-server/funcs.py')
-rw-r--r--ipa-server/xmlrpc-server/funcs.py57
1 files changed, 30 insertions, 27 deletions
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index e4e2f40e2..de089b618 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -20,12 +20,12 @@
import sys
sys.path.append("/usr/share/ipa")
+import krbV
import ldap
import ipaserver.dsinstance
import ipaserver.ipaldap
import ipa.ipautil
import xmlrpclib
-import ipa.config
import copy
from ipa import ipaerror
@@ -86,11 +86,12 @@ class IPAServer:
self.bindcert = "/usr/share/ipa/cert.pem"
self.bindkey = "/usr/share/ipa/key.pem"
self.bindca = "/usr/share/ipa/cacert.asc"
-
+ self.krbctx = krbV.default_context()
+ self.realm = self.krbctx.default_realm
+
if _LDAPPool is None:
_LDAPPool = IPAConnPool()
- ipa.config.init_config()
- self.basedn = ipa.ipautil.realm_to_suffix(ipa.config.config.get_realm())
+ self.basedn = ipa.ipautil.realm_to_suffix(self.realm)
self.scope = ldap.SCOPE_SUBTREE
self.princ = None
self.krbccache = None
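Review bot: The source of the realm changed without a comment saying so: `self.realm = self.krbctx.default_realm` now takes it from the krb5 library configuration, and the LDAP suffix on the `self.basedn` line is derived from that value, so a server whose krb5 default realm differs from the directory suffix will silently search the wrong base. Suggest a comment above the new lines: `# Realm comes from the krb5 library config (no longer ipa.conf); the LDAP suffix is derived from it, so both must agree.` If no default realm is configured, constructing IPAServer presumably fails with the krbV error rather than a message naming the missing setting; worth a note or an explicit check. The enclosing __init__ starts before this hunk.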
@@ -312,6 +313,15 @@ class IPAServer:
filter = "(objectClass=*)"
return self.__get_entry(dn, filter, sattrs, opts)
+ def get_user_by_principal(self, principal, sattrs=None, opts=None):
+ """Get a user entry searching by Kerberos Principal Name.
+ Return as a dict of values. Multi-valued fields are
+ represented as lists.
+ """
+
+ filter = "(krbPrincipalName="+self.__safe_filter(principal)+")"
+ return self.__get_entry(self.basedn, filter, sattrs, opts)
+
def get_users_by_manager (self, manager_dn, sattrs=None, opts=None):
"""Gets the users that report to a particular manager.
"""
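Review bot: The docstring of get_user_by_principal does not state what happens when no entry matches, yet the callers introduced in this commit (modifyPassword) test the result against None. If __get_entry returns None on a miss, as those callers assume, add `Returns None if no entry matches the principal.` to the docstring so the contract is explicit; if it raises instead, the None check in modifyPassword is dead. The filter value is passed through `self.__safe_filter`, which is the right place for the escaping; `filter` shadows the builtin, but that follows the existing convention two lines above.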
@@ -342,9 +352,9 @@ class IPAServer:
# Let us add in some missing attributes
if user.get('homedirectory') is None:
- user['homedirectory'] = '/home/%s' % user.get('uid')
+ user['homedirectory'] = '/home/%s' % user.get('uid')
if not user.get('gecos') is None:
- user['gecos'] = user['uid']
+ user['gecos'] = user['uid']
# FIXME: This can be removed once the DS plugin is installed
user['uidnumber'] = '501'
@@ -352,8 +362,8 @@ class IPAServer:
# FIXME: What is the default group for users?
user['gidnumber'] = '501'
- realm = ipa.config.config.get_realm()
- user['krbprincipalname'] = "%s@%s" % (user.get('uid'), realm)
+ if user.get('krbprincipalname') is None:
+ user['krbprincipalname'] = "%s@%s" % (user.get('uid'), self.realm)
# FIXME. This is a hack so we can request separate First and Last
# name in the GUI.
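Review bot: A caller-supplied krbprincipalname is now stored unchecked: the new `if user.get('krbprincipalname') is None:` only fills in a default, and nothing verifies that the supplied value's realm part is `self.realm` or that its local part corresponds to the uid, so a client with add rights could create an account whose principal lives in another realm or collides with an existing principal. Consider validating before falling through, e.g. `if not user['krbprincipalname'].endswith('@' + self.realm): raise ipaerror.gen_exception(<invalid-input error code used by this file>)`. Whether principal uniqueness is enforced by the directory is not visible here and is worth confirming. The enclosing add_user starts and ends outside this hunk.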
@@ -365,17 +375,7 @@ class IPAServer:
del user['gn']
# some required objectclasses
- entry.setValues('objectClass', 'top', 'posixAccount', 'shadowAccount', 'account', 'person', 'inetOrgPerson', 'organizationalPerson', 'krbPrincipalAux', 'krbTicketPolicyAux')
-
- # Fill in shadow fields
- entry.setValue('shadowMin', '0')
- entry.setValue('shadowMax', '99999')
- entry.setValue('shadowWarning', '7')
- entry.setValue('shadowExpire', '-1')
- entry.setValue('shadowInactive', '-1')
- entry.setValue('shadowFlag', '-1')
-
- # FIXME: calculate shadowLastChange
+ entry.setValues('objectClass', 'top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount', 'krbPrincipalAux')
# fill in our new entry with everything sent by the user
for u in user:
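Review bot: The reason for dropping `shadowAccount`, `account` and `krbTicketPolicyAux` from the objectClass list, together with the shadow attribute block and the shadowLastChange FIXME, is not recorded anywhere; the commit message only speaks of realm, principal and mail. A one-line comment above the new `entry.setValues('objectClass', ...)` line, such as `# shadow* attributes are no longer set: password ageing is expected to be handled by Kerberos`, would keep the next reader from reintroducing them, assuming that is the intent. The enclosing add_user starts and ends outside this hunk.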
@@ -426,7 +426,7 @@ class IPAServer:
"label": "E-mail address:",
"type": "text",
"validator": "email",
- "required": "true"
+ "required": "false"
}
fields.append(field1)
@@ -455,6 +455,9 @@ class IPAServer:
"""Returns a list: counter followed by the results.
If the results are truncated, counter will be set to -1."""
+ # TODO - retrieve from config
+ timelimit = 2
+
# Assume the list of fields to search will come from a central
# configuration repository. A good format for that would be
# a comma-separated list of fields
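Review bot: `timelimit = 2` is a bare magic number with no unit, and the code that consumes it lies outside this hunk; if it is passed on as the LDAP search time limit it is in seconds. Suggest folding the TODO into the assignment so unit and intent travel together: `timelimit = 2  # seconds; TODO: retrieve from config`. The enclosing function continues outside the hunk.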
@@ -562,31 +565,31 @@ class IPAServer:
The memberOf plugin handles removing the user from any other
groups.
"""
- user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts)
- if user_dn is None:
+ user = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts)
+ if user is None:
raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
conn = self.getConnection(opts)
try:
- res = conn.deleteEntry(user_dn['dn'])
+ res = conn.deleteEntry(user['dn'])
finally:
self.releaseConnection(conn)
return res
- def modifyPassword (self, uid, oldpass, newpass, opts=None):
+ def modifyPassword (self, principal, oldpass, newpass, opts=None):
"""Set/Reset a user's password
uid tells us who's password to change
oldpass is the old password (if available)
newpass is the new password
"""
- user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts)
- if user_dn is None:
+ user = self.get_user_by_principal(principal, ['krbprincipalname'], opts)
+ if user is None or user['krbprincipalname'] != principal:
raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
conn = self.getConnection(opts)
try:
- res = conn.modifyPassword(user_dn['dn'], oldpass, newpass)
+ res = conn.modifyPassword(user['dn'], oldpass, newpass)
finally:
self.releaseConnection(conn)
return res
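Review bot: The modifyPassword docstring is stale after the rename: it still says `uid tells us who's password to change` although the parameter is now `principal`; change it to `principal tells us whose password to change`. The lookup requests only `['krbprincipalname']` while the code later reads `user['dn']`; delete_user above asks for `'dn'` explicitly, so unless __get_entry always includes it, the attribute list should be `['dn', 'krbprincipalname']`. The guard `user['krbprincipalname'] != principal` is a useful exact-match check on top of the LDAP search, but per get_user_by_principal's docstring multi-valued fields come back as lists, so an entry with more than one krbPrincipalName would always be rejected here; comparing against the list when the value is one (`principal not in user['krbprincipalname']`) would cover that case.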