diff options
Diffstat (limited to 'ipa-server/xmlrpc-server/funcs.py')
-rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 57 |
1 files changed, 30 insertions, 27 deletions
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index e4e2f40e2..de089b618 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -20,12 +20,12 @@ import sys sys.path.append("/usr/share/ipa") +import krbV import ldap import ipaserver.dsinstance import ipaserver.ipaldap import ipa.ipautil import xmlrpclib -import ipa.config import copy from ipa import ipaerror @@ -86,11 +86,12 @@ class IPAServer: self.bindcert = "/usr/share/ipa/cert.pem" self.bindkey = "/usr/share/ipa/key.pem" self.bindca = "/usr/share/ipa/cacert.asc" - + self.krbctx = krbV.default_context() + self.realm = self.krbctx.default_realm + if _LDAPPool is None: _LDAPPool = IPAConnPool() - ipa.config.init_config() - self.basedn = ipa.ipautil.realm_to_suffix(ipa.config.config.get_realm()) + self.basedn = ipa.ipautil.realm_to_suffix(self.realm) self.scope = ldap.SCOPE_SUBTREE self.princ = None self.krbccache = None @@ -312,6 +313,15 @@ class IPAServer: filter = "(objectClass=*)" return self.__get_entry(dn, filter, sattrs, opts) + def get_user_by_principal(self, principal, sattrs=None, opts=None): + """Get a user entry searching by Kerberos Principal Name. + Return as a dict of values. Multi-valued fields are + represented as lists. + """ + + filter = "(krbPrincipalName="+self.__safe_filter(principal)+")" + return self.__get_entry(self.basedn, filter, sattrs, opts) + def get_users_by_manager (self, manager_dn, sattrs=None, opts=None): """Gets the users that report to a particular manager. """ @@ -342,9 +352,9 @@ class IPAServer: # Let us add in some missing attributes if user.get('homedirectory') is None: - user['homedirectory'] = '/home/%s' % user.get('uid') + user['homedirectory'] = '/home/%s' % user.get('uid') if not user.get('gecos') is None: - user['gecos'] = user['uid'] + user['gecos'] = user['uid'] # FIXME: This can be removed once the DS plugin is installed user['uidnumber'] = '501' @@ -352,8 +362,8 @@ class IPAServer: # FIXME: What is the default group for users? user['gidnumber'] = '501' - realm = ipa.config.config.get_realm() - user['krbprincipalname'] = "%s@%s" % (user.get('uid'), realm) + if user.get('krbprincipalname') is None: + user['krbprincipalname'] = "%s@%s" % (user.get('uid'), self.realm) # FIXME. This is a hack so we can request separate First and Last # name in the GUI. @@ -365,17 +375,7 @@ class IPAServer: del user['gn'] # some required objectclasses - entry.setValues('objectClass', 'top', 'posixAccount', 'shadowAccount', 'account', 'person', 'inetOrgPerson', 'organizationalPerson', 'krbPrincipalAux', 'krbTicketPolicyAux') - - # Fill in shadow fields - entry.setValue('shadowMin', '0') - entry.setValue('shadowMax', '99999') - entry.setValue('shadowWarning', '7') - entry.setValue('shadowExpire', '-1') - entry.setValue('shadowInactive', '-1') - entry.setValue('shadowFlag', '-1') - - # FIXME: calculate shadowLastChange + entry.setValues('objectClass', 'top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount', 'krbPrincipalAux') # fill in our new entry with everything sent by the user for u in user: @@ -426,7 +426,7 @@ class IPAServer: "label": "E-mail address:", "type": "text", "validator": "email", - "required": "true" + "required": "false" } fields.append(field1) @@ -455,6 +455,9 @@ class IPAServer: """Returns a list: counter followed by the results. If the results are truncated, counter will be set to -1.""" + # TODO - retrieve from config + timelimit = 2 + # Assume the list of fields to search will come from a central # configuration repository. A good format for that would be # a comma-separated list of fields @@ -562,31 +565,31 @@ class IPAServer: The memberOf plugin handles removing the user from any other groups. """ - user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts) - if user_dn is None: + user = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts) + if user is None: raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) conn = self.getConnection(opts) try: - res = conn.deleteEntry(user_dn['dn']) + res = conn.deleteEntry(user['dn']) finally: self.releaseConnection(conn) return res - def modifyPassword (self, uid, oldpass, newpass, opts=None): + def modifyPassword (self, principal, oldpass, newpass, opts=None): """Set/Reset a user's password uid tells us who's password to change oldpass is the old password (if available) newpass is the new password """ - user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts) - if user_dn is None: + user = self.get_user_by_principal(principal, ['krbprincipalname'], opts) + if user is None or user['krbprincipalname'] != principal: raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) conn = self.getConnection(opts) try: - res = conn.modifyPassword(user_dn['dn'], oldpass, newpass) + res = conn.modifyPassword(user['dn'], oldpass, newpass) finally: self.releaseConnection(conn) return res |