diff options
Diffstat (limited to 'ipalib/plugins/baseuser.py')
-rw-r--r-- | ipalib/plugins/baseuser.py | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py index 16c7b2a88..4266e876c 100644 --- a/ipalib/plugins/baseuser.py +++ b/ipalib/plugins/baseuser.py @@ -459,13 +459,116 @@ class baseuser_mod(LDAPUpdate): """ Prototype command plugin to be implemented by real plugin """ + def check_namelength(self, ldap, **options): + if options.get('rename') is not None: + config = ldap.get_ipa_config() + if 'ipamaxusernamelength' in config: + if len(options['rename']) > int(config.get('ipamaxusernamelength')[0]): + raise errors.ValidationError( + name=self.obj.primary_key.cli_name, + error=_('can be at most %(len)d characters') % dict( + len = int(config.get('ipamaxusernamelength')[0]) + ) + ) + def check_mail(self, entry_attrs): + if 'mail' in entry_attrs: + entry_attrs['mail'] = self.obj.normalize_and_validate_email(entry_attrs['mail']) + + def check_manager(self, entry_attrs, container): + if 'manager' in entry_attrs: + entry_attrs['manager'] = self.obj.normalize_manager(entry_attrs['manager'], container) + + def check_userpassword(self, entry_attrs, **options): + if 'userpassword' not in entry_attrs and options.get('random'): + entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars) + # save the password so it can be displayed in post_callback + setattr(context, 'randompassword', entry_attrs['userpassword']) + + def check_objectclass(self, ldap, dn, entry_attrs): + if ('ipasshpubkey' in entry_attrs or 'ipauserauthtype' in entry_attrs + or 'userclass' in entry_attrs or 'ipatokenradiusconfiglink' in entry_attrs): + if 'objectclass' in entry_attrs: + obj_classes = entry_attrs['objectclass'] + else: + _entry_attrs = ldap.get_entry(dn, ['objectclass']) + obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass'] + + if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes: + obj_classes.append('ipasshuser') + + if 'ipauserauthtype' in entry_attrs and 'ipauserauthtypeclass' not in obj_classes: + obj_classes.append('ipauserauthtypeclass') + + if 'userclass' in entry_attrs and 'ipauser' not in obj_classes: + obj_classes.append('ipauser') + + if 'ipatokenradiusconfiglink' in entry_attrs: + cl = entry_attrs['ipatokenradiusconfiglink'] + if cl: + if 'ipatokenradiusproxyuser' not in obj_classes: + obj_classes.append('ipatokenradiusproxyuser') + + answer = self.api.Object['radiusproxy'].get_dn_if_exists(cl) + entry_attrs['ipatokenradiusconfiglink'] = answer + + def pre_common_callback(self, ldap, dn, entry_attrs, **options): + assert isinstance(dn, DN) + self.check_namelength(ldap, **options) + + self.check_mail(entry_attrs) + + self.check_manager(entry_attrs, self.obj.active_container_dn) + + self.check_userpassword(entry_attrs, **options) + + self.check_objectclass(ldap, dn, entry_attrs) + + def post_common_callback(self, ldap, dn, entry_attrs, **options): + assert isinstance(dn, DN) + if options.get('random', False): + try: + entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword')) + except AttributeError: + # if both randompassword and userpassword options were used + pass + convert_nsaccountlock(entry_attrs) + self.obj.convert_manager(entry_attrs, **options) + self.obj.get_password_attributes(ldap, dn, entry_attrs) + convert_sshpubkey_post(ldap, dn, entry_attrs) + radius_dn2pk(self.api, entry_attrs) class baseuser_find(LDAPSearch): """ Prototype command plugin to be implemented by real plugin """ + def common_enhance_options(self, newoptions, **options): + # assure the manager attr is a dn, not just a bare uid + manager = options.get('manager') + if manager is not None: + newoptions['manager'] = self.obj.normalize_manager(manager, self.obj.active_container_dn) + + # Ensure that the RADIUS config link is a dn, not just the name + cl = 'ipatokenradiusconfiglink' + if cl in options: + newoptions[cl] = self.api.Object['radiusproxy'].get_dn(options[cl]) + + def post_common_callback(self, ldap, entries, lockout=False, **options): + for attrs in entries: + self.obj.convert_manager(attrs, **options) + self.obj.get_password_attributes(ldap, attrs.dn, attrs) + if (lockout): + attrs['nsaccountlock'] = True + else: + convert_nsaccountlock(attrs) + convert_sshpubkey_post(ldap, attrs.dn, attrs) class baseuser_show(LDAPRetrieve): """ Prototype command plugin to be implemented by real plugin """ + def post_common_callback(self, ldap, dn, entry_attrs, **options): + assert isinstance(dn, DN) + self.obj.convert_manager(entry_attrs, **options) + self.obj.get_password_attributes(ldap, dn, entry_attrs) + convert_sshpubkey_post(ldap, dn, entry_attrs) + radius_dn2pk(self.api, entry_attrs) |