diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-08-22 16:24:07 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2011-08-24 14:12:10 +0200 |
commit | be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c (patch) | |
tree | 722fdd0af9246c027dedf0db3fa4caaa132688c7 /ipalib/plugins/service.py | |
parent | ae06f7b68e04000b748f702d553a5b691eb6cb3c (diff) | |
download | freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.tar.gz freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.tar.xz freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.zip |
Change the way has_keytab is determined, also check for password.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.
This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.
When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).
This adds has_keytab/has_password to the user, host and service plugins.
ticket https://fedorahosted.org/freeipa/ticket/1538
Diffstat (limited to 'ipalib/plugins/service.py')
-rw-r--r-- | ipalib/plugins/service.py | 27 |
1 files changed, 8 insertions, 19 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 11970f401..bcaa76afb 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -83,9 +83,6 @@ from ipapython.ipautil import file_exists output_params = ( - Flag('has_keytab', - label=_('Keytab'), - ), Str('managedby_host', label='Managed by', ), @@ -207,7 +204,7 @@ class service(LDAPObject): 'ipaservice', 'pkiuser' ] search_attributes = ['krbprincipalname', 'managedby'] - default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', 'krblastpwdchange'] + default_attributes = ['krbprincipalname', 'usercertificate', 'managedby'] uuid_attribute = 'ipauniqueid' attribute_members = { 'managedby': ['host'], @@ -216,6 +213,7 @@ class service(LDAPObject): relationships = { 'managedby': ('Managed by', 'man_by_', 'not_man_by_'), } + password_attributes = [('krbprincipalkey', 'has_keytab')] label = _('Services') label_singular = _('Service') @@ -379,13 +377,8 @@ class service_find(LDAPSearch): def post_callback(self, ldap, entries, truncated, *args, **options): for entry in entries: - entry_attrs = entry[1] - if 'krblastpwdchange' in entry_attrs: - entry_attrs['has_keytab'] = True - if not options.get('all', False): - del entry_attrs['krblastpwdchange'] - else: - entry_attrs['has_keytab'] = False + (dn, entry_attrs) = entry + self.obj.get_password_attributes(ldap, dn, entry_attrs) set_certificate_attrs(entry_attrs) api.register(service_find) @@ -403,12 +396,7 @@ class service_show(LDAPRetrieve): ) def post_callback(self, ldap, dn, entry_attrs, *keys, **options): - if 'krblastpwdchange' in entry_attrs: - entry_attrs['has_keytab'] = True - if not options.get('all', False): - del entry_attrs['krblastpwdchange'] - else: - entry_attrs['has_keytab'] = False + self.obj.get_password_attributes(ldap, dn, entry_attrs) set_certificate_attrs(entry_attrs) @@ -461,7 +449,7 @@ class service_disable(LDAPQuery): ldap = self.obj.backend dn = self.obj.get_dn(*keys, **options) - (dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate']) + (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate']) # See if we do any work at all here and if not raise an exception done_work = False @@ -493,7 +481,8 @@ class service_disable(LDAPQuery): ldap.update_entry(dn, {'usercertificate': None}) done_work = True - if 'krblastpwdchange' in entry_attrs: + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_keytab']: ldap.remove_principal_key(dn) done_work = True |