summaryrefslogtreecommitdiffstats
path: root/ipalib
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-08-22 16:24:07 -0400
committerMartin Kosek <mkosek@redhat.com>2011-08-24 14:12:10 +0200
commitbe7de56e5d403fb97bcb583f6b7b5dd7e3fb914c (patch)
tree722fdd0af9246c027dedf0db3fa4caaa132688c7 /ipalib
parentae06f7b68e04000b748f702d553a5b691eb6cb3c (diff)
downloadfreeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.tar.gz
freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.tar.xz
freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.zip
Change the way has_keytab is determined, also check for password.
We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/baseldap.py26
-rw-r--r--ipalib/plugins/host.py33
-rw-r--r--ipalib/plugins/service.py27
-rw-r--r--ipalib/plugins/user.py6
4 files changed, 61 insertions, 31 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1ff7a2a6d..94f57388d 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -36,6 +36,12 @@ from ipalib.util import json_serialize
from ipalib.dn import *
global_output_params = (
+ Flag('has_keytab',
+ label=_('Keytab'),
+ ),
+ Flag('has_password',
+ label=_('Password'),
+ ),
Str('member',
label=_('Failed members'),
),
@@ -319,6 +325,7 @@ class LDAPObject(Object):
uuid_attribute = ''
attribute_members = {}
rdnattr = None
+ password_attributes = []
# Can bind as this entry (has userPassword or krbPrincipalKey)
bindable = False
relationships = {
@@ -407,6 +414,25 @@ class LDAPObject(Object):
)
del entry_attrs[attr]
+ def get_password_attributes(self, ldap, dn, entry_attrs):
+ """
+ Search on the entry to determine if it has a password or
+ keytab set.
+
+ A tuple is used to determine which attribute is set
+ in entry_attrs. The value is set to True/False whether a
+ given password type is set.
+ """
+ for (pwattr, attr) in self.password_attributes:
+ search_filter = '(%s=*)' % pwattr
+ try:
+ (entries, truncated) = ldap.find_entries(
+ search_filter, [pwattr], dn, ldap.SCOPE_BASE
+ )
+ entry_attrs[attr] = True
+ except errors.NotFound:
+ entry_attrs[attr] = False
+
def handle_not_found(self, *keys):
pkey = ''
if self.primary_key:
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 5cd1056ec..6e9efec1a 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -162,9 +162,6 @@ def remove_fwd_ptr(ipaddr, host, domain, recordtype):
pass
host_output_params = (
- Flag('has_keytab',
- label=_('Keytab'),
- ),
Str('managedby_host',
label='Managed by',
),
@@ -224,7 +221,7 @@ class host(LDAPObject):
default_attributes = [
'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof',
- 'krblastpwdchange', 'managedby', 'memberindirect', 'memberofindirect',
+ 'managedby', 'memberindirect', 'memberofindirect',
]
uuid_attribute = 'ipauniqueid'
attribute_members = {
@@ -242,6 +239,8 @@ class host(LDAPObject):
'managedby': ('Managed by', 'man_by_', 'not_man_by_'),
'managing': ('Managing', 'man_', 'not_man_'),
}
+ password_attributes = [('userpassword', 'has_password'),
+ ('krbprincipalkey', 'has_keytab')]
label = _('Hosts')
label_singular = _('Host')
@@ -466,6 +465,11 @@ class host_add(LDAPCreate):
if options.get('all', False):
entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ if entry_attrs['has_password']:
+ # If an OTP is set there is no keytab, at least not one
+ # fetched anywhere.
+ entry_attrs['has_keytab'] = False
return dn
@@ -691,8 +695,13 @@ class host_find(LDAPSearch):
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
- entry_attrs = entry[1]
+ (dn, entry_attrs) = entry
set_certificate_attrs(entry_attrs)
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ if entry_attrs['has_password']:
+ # If an OTP is set there is no keytab, at least not one
+ # fetched anywhere.
+ entry_attrs['has_keytab'] = False
if options.get('all', False):
entry_attrs['managing'] = self.obj.get_managed_hosts(entry[0])
@@ -714,11 +723,10 @@ class host_show(LDAPRetrieve):
member_attributes = ['managedby']
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
- if 'krblastpwdchange' in entry_attrs:
- entry_attrs['has_keytab'] = True
- if not options.get('all', False):
- del entry_attrs['krblastpwdchange']
- else:
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ if entry_attrs['has_password']:
+ # If an OTP is set there is no keytab, at least not one
+ # fetched anywhere.
entry_attrs['has_keytab'] = False
set_certificate_attrs(entry_attrs)
@@ -766,7 +774,7 @@ class host_disable(LDAPQuery):
dn = self.obj.get_dn(*keys, **options)
try:
- (dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate'])
+ (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound:
self.obj.handle_not_found(*keys)
@@ -816,7 +824,8 @@ class host_disable(LDAPQuery):
ldap.update_entry(dn, {'usercertificate': None})
done_work = True
- if 'krblastpwdchange' in entry_attrs:
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ if entry_attrs['has_keytab']:
ldap.remove_principal_key(dn)
done_work = True
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 11970f401..bcaa76afb 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -83,9 +83,6 @@ from ipapython.ipautil import file_exists
output_params = (
- Flag('has_keytab',
- label=_('Keytab'),
- ),
Str('managedby_host',
label='Managed by',
),
@@ -207,7 +204,7 @@ class service(LDAPObject):
'ipaservice', 'pkiuser'
]
search_attributes = ['krbprincipalname', 'managedby']
- default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', 'krblastpwdchange']
+ default_attributes = ['krbprincipalname', 'usercertificate', 'managedby']
uuid_attribute = 'ipauniqueid'
attribute_members = {
'managedby': ['host'],
@@ -216,6 +213,7 @@ class service(LDAPObject):
relationships = {
'managedby': ('Managed by', 'man_by_', 'not_man_by_'),
}
+ password_attributes = [('krbprincipalkey', 'has_keytab')]
label = _('Services')
label_singular = _('Service')
@@ -379,13 +377,8 @@ class service_find(LDAPSearch):
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
- entry_attrs = entry[1]
- if 'krblastpwdchange' in entry_attrs:
- entry_attrs['has_keytab'] = True
- if not options.get('all', False):
- del entry_attrs['krblastpwdchange']
- else:
- entry_attrs['has_keytab'] = False
+ (dn, entry_attrs) = entry
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
set_certificate_attrs(entry_attrs)
api.register(service_find)
@@ -403,12 +396,7 @@ class service_show(LDAPRetrieve):
)
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
- if 'krblastpwdchange' in entry_attrs:
- entry_attrs['has_keytab'] = True
- if not options.get('all', False):
- del entry_attrs['krblastpwdchange']
- else:
- entry_attrs['has_keytab'] = False
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
set_certificate_attrs(entry_attrs)
@@ -461,7 +449,7 @@ class service_disable(LDAPQuery):
ldap = self.obj.backend
dn = self.obj.get_dn(*keys, **options)
- (dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate'])
+ (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
# See if we do any work at all here and if not raise an exception
done_work = False
@@ -493,7 +481,8 @@ class service_disable(LDAPQuery):
ldap.update_entry(dn, {'usercertificate': None})
done_work = True
- if 'krblastpwdchange' in entry_attrs:
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ if entry_attrs['has_keytab']:
ldap.remove_principal_key(dn)
done_work = True
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 3068c6291..2112c03d0 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -113,6 +113,8 @@ class user(LDAPObject):
}
rdnattr = 'uid'
bindable = True
+ password_attributes = [('userpassword', 'has_password'),
+ ('krbprincipalkey', 'has_keytab')]
label = _('Users')
label_singular = _('User')
@@ -407,6 +409,7 @@ class user_add(LDAPCreate):
newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry')
entry_from_entry(entry_attrs, newentry)
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
return dn
api.register(user_add)
@@ -443,6 +446,7 @@ class user_mod(LDAPUpdate):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
convert_nsaccountlock(entry_attrs)
self.obj._convert_manager(entry_attrs, **options)
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
return dn
api.register(user_mod)
@@ -472,6 +476,7 @@ class user_find(LDAPSearch):
for entry in entries:
(dn, attrs) = entry
self.obj._convert_manager(attrs, **options)
+ self.obj.get_password_attributes(ldap, dn, attrs)
convert_nsaccountlock(attrs)
msg_summary = ngettext(
@@ -488,6 +493,7 @@ class user_show(LDAPRetrieve):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
convert_nsaccountlock(entry_attrs)
self.obj._convert_manager(entry_attrs, **options)
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
return dn
api.register(user_show)