author | Rob Crittenden <rcritten@redhat.com> | 2010-07-12 17:45:06 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-07-13 09:29:10 -0400 |
commit | 1e1985b17c3988056bef045fa84a9c7aaf0c4c65 (patch) | |
tree | 3f95c4af67e71c42bacbdaaf6de7ba2217d1603b /ipalib/plugins/host.py | |
parent | c9e0b43d53eaf6def7d8f445734115450f8fecaf (diff) | |
Add API to delete a service principal key, service-disable.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key, using our modlist generator won't work, and lots of
tricks would be needed to use the LDAPUpdate object in any case.
I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.
This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
Diffstat (limited to 'ipalib/plugins/host.py')
-rw-r--r-- | ipalib/plugins/host.py | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 82ef16457..b0d7289a8 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -57,6 +57,9 @@ EXAMPLES: Update information about a host ipa host-mod --os='Fedora 12' test.example.com + + Disable the host kerberos key + ipa host-disable test.example.com """ import platform @@ -91,9 +94,14 @@ class host(LDAPObject): object_name_plural = 'hosts' object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser', 'ipaservice'] # object_class_config = 'ipahostobjectclasses' + search_attributes = [ + 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', + 'nshardwareplatform', 'nsosversion', + ] default_attributes = [ 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', + 'krblastpwdchange', ] uuid_attribute = 'ipauniqueid' attribute_members = { @@ -316,5 +324,47 @@ class host_show(LDAPRetrieve): """ Display host. """ + has_output_params = ( + Flag('has_keytab', + label=_('Keytab'), + ) + ) + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + if 'krblastpwdchange' in entry_attrs: + entry_attrs['has_keytab'] = True + if not options.get('all', False): + del entry_attrs['krblastpwdchange'] + else: + entry_attrs['has_keytab'] = False + + return dn api.register(host_show) + + +class host_disable(LDAPQuery): + """ + Disable the kerberos key of this host. + """ + has_output = output.standard_value + msg_summary = _('Removed kerberos key from "%(value)s"') + + def execute(self, *keys, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(*keys, **options) + (dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange']) + + if 'krblastpwdchange' not in entry_attrs: + error_msg = _('Host principal has no kerberos key') + raise errors.NotFound(reason=error_msg) + + ldap.remove_principal_key(dn) + + return dict( + result=True, + value=keys[0], + ) + +api.register(host_disable) |
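Review bot: The `'krblastpwdchange'` entry added to `default_attributes` is stripped and turned into `has_keytab` only in `host_show.post_callback` (third hunk). If other host commands also return `default_attributes`, which is not visible here, they would show the raw timestamp and no `has_keytab` flag. A short comment next to the new entry, for example `# fetched only to derive has_keytab; dropped from output in host_show.post_callback`, would record why it is there. The `host` class starts and continues outside this hunk.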
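Review bot: In `host_disable.execute` the key is removed only when `krblastpwdchange` is present, so that timestamp stands in for `krbprincipalkey`, which the commit message says cannot be read back. If an entry can hold a key without the timestamp (not determinable from this hunk), `host-disable` raises `NotFound` and the key stays valid while `host-show` reports `has_keytab` as False. A comment above the check such as `# krblastpwdchange is a proxy for krbprincipalkey, which is not readable` would make that assumption explicit, and the caller-facing error could say the key state is unknown rather than absent. Separately, `has_output_params = ( Flag('has_keytab', ...) )` in `host_show` is a parenthesised `Flag`, not a tuple; if the framework iterates this attribute it needs the trailing comma, `has_output_params = (Flag('has_keytab', label=_('Keytab')),)`.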