author | Rob Crittenden <rcritten@redhat.com> | 2012-08-01 16:14:11 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-08-01 16:15:51 +0200 |
commit | fb817d340139822d17414da93853be5bc3bf6086 (patch) | |
tree | 4f086f792a9e776b71e36fcc5c693e3df1e687a2 /ipalib/plugins | |
parent | fd31396d5129b1980d3ce979af7239f16d3f6fc5 (diff) | |
Add per-service option to store the types of PAC it supports
Create a per-service default as well.
https://fedorahosted.org/freeipa/ticket/2184
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/config.py | 9 | ||||
-rw-r--r-- | ipalib/plugins/service.py | 23 |
2 files changed, 26 insertions, 6 deletions
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index d632e2edf..9573bbb65 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -90,7 +90,7 @@ class config(LDAPObject): 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', 'ipapwdexpadvnotify', 'ipaselinuxusermaporder', - 'ipaselinuxusermapdefault', 'ipaconfigstring', + 'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata', ] label = _('Configuration') @@ -189,6 +189,13 @@ class config(LDAPObject): label=_('Default SELinux user'), doc=_('Default SELinux user when no match is found in SELinux map rule'), ), + StrEnum('ipakrbauthzdata*', + cli_name='pac_type', + label=_('PAC type'), + doc=_('Default types of PAC for new services'), + values=(u'MS-PAC', u'PAD'), + csv=True, + ), ) def get_dn(self, *keys, **kwargs): diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 60035bf6d..4f3051aa4 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -23,7 +23,7 @@ import base64 import os from ipalib import api, errors, util -from ipalib import Str, Flag, Bytes +from ipalib import Str, Flag, Bytes, StrEnum from ipalib.plugins.baseldap import * from ipalib import x509 from ipalib import _, ngettext @@ -223,8 +223,9 @@ class service(LDAPObject): 'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser', 'ipakrbprincipal' ] - search_attributes = ['krbprincipalname', 'managedby'] - default_attributes = ['krbprincipalname', 'usercertificate', 'managedby'] + search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata'] + default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', + 'ipakrbauthzdata',] uuid_attribute = 'ipauniqueid' attribute_members = { 'managedby': ['host'], 
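Review bot: The permitted PAC types `(u'MS-PAC', u'PAD')` are written out inline in the new `StrEnum('ipakrbauthzdata*', ...)` in config.py (hunk at -189) and again, byte for byte, in the `StrEnum` added to service.py (hunk at -251), so the two parameters can silently drift if one list is later extended. Since service_add copies the config value straight into new service entries, a mismatch would let a service be created with a type its own parameter would reject on modification. One module-level tuple that both plugins import, e.g. `KRB_AUTHZ_DATA_TYPES = (u'MS-PAC', u'PAD')` (name constructed here) used as `values=KRB_AUTHZ_DATA_TYPES` in both places, keeps them in lock-step. The `doc=` strings could also spell out that the list selects which authorization data the KDC issues for the service, which is the security-relevant effect of the setting.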
@@ -251,7 +252,14 @@ class service(LDAPObject):
 label=_('Certificate'),
 doc=_('Base-64 encoded server certificate'),
 flags=['no_search',],
- )
+ ),
+ StrEnum('ipakrbauthzdata*',
+ cli_name='pac_type',
+ label=_('PAC type'),
+ doc=_('Types of PAC this service supports'),
+ values=(u'MS-PAC', u'PAD'),
+ csv=True,
+ ),
 )
 
 api.register(service)
@@ -291,7 +299,12 @@ class service_add(LDAPCreate):
 # don't exist in DNS.
 util.validate_host_dns(self.log, hostname)
 if not 'managedby' in entry_attrs:
- entry_attrs['managedby'] = hostresult['dn']
+ entry_attrs['managedby'] = hostresult['dn']
+ if 'ipakrbauthzdata' not in entry_attrs:
+ config = ldap.get_ipa_config()[1]
+ default_pac_type = config.get('ipakrbauthzdata', [])
+ if default_pac_type:
+ entry_attrs['ipakrbauthzdata'] = default_pac_type
 
 # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
 # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos |
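Review bot: The fallback guarded by `if 'ipakrbauthzdata' not in entry_attrs:` in service_add leaves a caller no way to create a service with no PAC at all: an omitted --pac-type is replaced by the global default, and the enum values `(u'MS-PAC', u'PAD')` contain no "none" choice. Whether an explicitly empty `--pac-type` reaches this point with the key present or already stripped is not visible here, as pre_callback begins outside the hunk, so that case should be confirmed and the intended behaviour documented. The value read via `config.get('ipakrbauthzdata', [])` is also assigned as-is rather than passing through the service's StrEnum, so whatever the config entry holds propagates directly into the new service. A comment above the block would make both points explicit, e.g. `# Inherit the global pac_type default only when the caller gave none; the value is taken from the config entry as stored, not re-validated against the StrEnum`.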