summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorNathaniel McCallum <npmccallum@redhat.com>2013-04-11 13:24:46 -0400
committerMartin Kosek <mkosek@redhat.com>2013-05-17 09:30:51 +0200
commitcb689354357d5311e7ecb231a34e867c23b8a803 (patch)
treeea1e582e74be91db9abd94d3fdab007cea9a72fd /ipaserver
parentbc26d87b3445b26b5d33235c1dfeedb7a11cdfc8 (diff)
downloadfreeipa-cb689354357d5311e7ecb231a34e867c23b8a803.tar.gz
freeipa-cb689354357d5311e7ecb231a34e867c23b8a803.tar.xz
freeipa-cb689354357d5311e7ecb231a34e867c23b8a803.zip
Add IPA OTP schema and ACLs
This commit adds schema support for two factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two factor authentication directly. https://fedorahosted.org/freeipa/ticket/3365 http://freeipa.org/page/V3/OTP
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/dsinstance.py3
-rw-r--r--ipaserver/install/plugins/update_anonymous_aci.py25
2 files changed, 20 insertions, 8 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3b841417e..046480f0d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -411,7 +411,8 @@ class DsInstance(service.Service):
"60basev3.ldif",
"60ipadns.ldif",
"61kerberos-ipav3.ldif",
- "65ipasudo.ldif"):
+ "65ipasudo.ldif",
+ "70ipaotp.ldif"):
target_fname = schema_dirname(self.serverid) + schema_fname
shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
os.chmod(target_fname, 0440) # read access for dirsrv user/group
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
index 2b7446ad0..1e75113fc 100644
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ b/ipaserver/install/plugins/update_anonymous_aci.py
@@ -20,8 +20,6 @@
from copy import deepcopy
from ipaserver.install.plugins import FIRST, LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
-#from ipalib.frontend import Updater
-#from ipaserver.install.plugins import baseupdate
from ipalib import api
from ipalib.aci import ACI
from ipalib.plugins import aci
@@ -37,6 +35,8 @@ class update_anonymous_aci(PostUpdate):
aciname = u'Enable Anonymous access'
aciprefix = u'none'
ldap = self.obj.backend
+ targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))'
+ filter = None
(dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
@@ -45,6 +45,9 @@ class update_anonymous_aci(PostUpdate):
rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
attrs = rawaci.target['targetattr']['expression']
+ rawfilter = rawaci.target.get('targetfilter', None)
+ if rawfilter is not None:
+ filter = rawfilter['expression']
update_attrs = deepcopy(attrs)
@@ -54,12 +57,10 @@ class update_anonymous_aci(PostUpdate):
needed_attrs.append(attr)
update_attrs.extend(needed_attrs)
- if len(attrs) == len(update_attrs):
+ if (len(attrs) == len(update_attrs) and
+ filter == targetfilter):
root_logger.debug("Anonymous ACI already update-to-date")
return (False, False, [])
- else:
- root_logger.debug("New Anonymous ACI attributes needed: %s",
- needed_attrs)
for tmpaci in acistrs:
candidate = ACI(tmpaci)
@@ -67,7 +68,17 @@ class update_anonymous_aci(PostUpdate):
acistrs.remove(tmpaci)
break
- rawaci.target['targetattr']['expression'] = update_attrs
+ if len(attrs) != len(update_attrs):
+ root_logger.debug("New Anonymous ACI attributes needed: %s",
+ needed_attrs)
+
+ rawaci.target['targetattr']['expression'] = update_attrs
+
+ if filter != targetfilter:
+ root_logger.debug("New Anonymous ACI targetfilter needed.")
+
+ rawaci.set_target_filter(targetfilter)
+
acistrs.append(unicode(rawaci))
entry_attrs['aci'] = acistrs