summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/pkinit.py
diff options
context:
space:
mode:
Diffstat (limited to 'ipalib/plugins/pkinit.py')
-rw-r--r--ipalib/plugins/pkinit.py98
1 files changed, 98 insertions, 0 deletions
diff --git a/ipalib/plugins/pkinit.py b/ipalib/plugins/pkinit.py
new file mode 100644
index 000000000..f7c189cf8
--- /dev/null
+++ b/ipalib/plugins/pkinit.py
@@ -0,0 +1,98 @@
+# Authors:
+# Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+Kerberos pkinit options
+
+Right now it enables only to control whether Anonymous PKINIT is enabled
+or not based on whether the wellknown principal is active or not.
+
+EXAMPLES:
+
+ Enable Anonymous pkinit:
+ ipa pkinit-anonymous enable
+
+ Disable Anonymous pkinit:
+ ipa pkinit-anonymous disable
+"""
+
+from ipalib import api, errors
+from ipalib import Int, Str
+from ipalib import Object, Command
+from ipalib import _
+
+
+class pkinit(Object):
+ """
+ PKINIT Options
+ """
+ object_name = 'pkinit'
+
+ label=_('PKINIT')
+
+api.register(pkinit)
+
+def valid_arg(ugettext, action):
+ """
+ Accepts only Enable/Disable.
+ """
+ a = action.lower()
+ if a != 'enable' and a != 'disable':
+ raise errors.ValidationError(
+ name='action',
+ error='Unknown command %s' % action
+ )
+
+class pkinit_anonymous(Command):
+ """
+ Enable or Disable Anonymous PKINIT
+ """
+ princ_name = 'WELLKNOWN/ANONYMOUS@%s' % api.env.realm
+ default_dn = 'krbprincipalname=%s,cn=%s,cn=kerberos,%s' % (
+ princ_name, api.env.realm, api.env.basedn
+ )
+
+ takes_args = (
+ Str('action', valid_arg),
+ )
+
+ def execute(self, action, **options):
+ ldap = self.api.Backend.ldap2
+ set_lock = False
+ lock = None
+
+ (dn, entry_attrs) = ldap.get_entry(self.default_dn, ['nsaccountlock'])
+
+ if 'nsaccountlock' in entry_attrs:
+ lock = entry_attrs['nsaccountlock'][0].lower()
+
+ if action.lower() == 'enable':
+ if lock == 'true':
+ set_lock = True
+ lock = None
+ elif action.lower() == 'disable':
+ if lock != 'true':
+ set_lock = True
+ lock = 'TRUE'
+
+ if set_lock:
+ ldap.update_entry(dn, {'nsaccountlock':lock})
+
+ return dict(result=True)
+
+api.register(pkinit_anonymous)