Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/baseldap.py | 26 | ||||
-rw-r--r-- | ipalib/plugins/host.py | 33 | ||||
-rw-r--r-- | ipalib/plugins/service.py | 27 | ||||
-rw-r--r-- | ipalib/plugins/user.py | 6 |
4 files changed, 61 insertions, 31 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 1ff7a2a6d..94f57388d 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -36,6 +36,12 @@ from ipalib.util import json_serialize from ipalib.dn import * global_output_params = ( + Flag('has_keytab', + label=_('Keytab'), + ), + Flag('has_password', + label=_('Password'), + ), Str('member', label=_('Failed members'), ), @@ -319,6 +325,7 @@ class LDAPObject(Object): uuid_attribute = '' attribute_members = {} rdnattr = None + password_attributes = [] # Can bind as this entry (has userPassword or krbPrincipalKey) bindable = False relationships = { @@ -407,6 +414,25 @@ class LDAPObject(Object): ) del entry_attrs[attr] + def get_password_attributes(self, ldap, dn, entry_attrs): + """ + Search on the entry to determine if it has a password or + keytab set. + + A tuple is used to determine which attribute is set + in entry_attrs. The value is set to True/False whether a + given password type is set. + """ + for (pwattr, attr) in self.password_attributes: + search_filter = '(%s=*)' % pwattr + try: + (entries, truncated) = ldap.find_entries( + search_filter, [pwattr], dn, ldap.SCOPE_BASE + ) + entry_attrs[attr] = True + except errors.NotFound: + entry_attrs[attr] = False + def handle_not_found(self, *keys): pkey = '' if self.primary_key: diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 5cd1056ec..6e9efec1a 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -162,9 +162,6 @@ def remove_fwd_ptr(ipaddr, host, domain, recordtype): pass host_output_params = ( - Flag('has_keytab', - label=_('Keytab'), - ), Str('managedby_host', label='Managed by', ), 
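Review bot: In `get_password_attributes` the existence probe passes `[pwattr]` as the attribute list, so whenever the bound identity can read `userpassword` or `krbprincipalkey` the secret value itself is fetched into the API process although only presence is needed. If `find_entries` passes the list through unchanged, request nothing sensitive instead, e.g. `search_filter, ['1.1'], dn, ldap.SCOPE_BASE` (the LDAP no-attributes selector). The `except errors.NotFound` branch also cannot tell an absent attribute from one the caller has no search right on, so the flag is the caller's view rather than the entry's state; that depends on the directory ACIs, which are not visible here. The docstring should say so and describe the data shape: `password_attributes is a list of (ldap_attribute, output_flag) pairs; a flag is False when the attribute is absent or not searchable by the bound identity`. The unpacked `entries` and `truncated` are never used.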
@@ -224,7 +221,7 @@ class host(LDAPObject): default_attributes = [ 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', - 'krblastpwdchange', 'managedby', 'memberindirect', 'memberofindirect', + 'managedby', 'memberindirect', 'memberofindirect', ] uuid_attribute = 'ipauniqueid' attribute_members = { @@ -242,6 +239,8 @@ class host(LDAPObject): 'managedby': ('Managed by', 'man_by_', 'not_man_by_'), 'managing': ('Managing', 'man_', 'not_man_'), } + password_attributes = [('userpassword', 'has_password'), + ('krbprincipalkey', 'has_keytab')] label = _('Hosts') label_singular = _('Host') @@ -466,6 +465,11 @@ class host_add(LDAPCreate): if options.get('all', False): entry_attrs['managing'] = self.obj.get_managed_hosts(dn) + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_password']: + # If an OTP is set there is no keytab, at least not one + # fetched anywhere. + entry_attrs['has_keytab'] = False return dn @@ -691,8 +695,13 @@ class host_find(LDAPSearch): def post_callback(self, ldap, entries, truncated, *args, **options): for entry in entries: - entry_attrs = entry[1] + (dn, entry_attrs) = entry set_certificate_attrs(entry_attrs) + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_password']: + # If an OTP is set there is no keytab, at least not one + # fetched anywhere. + entry_attrs['has_keytab'] = False if options.get('all', False): entry_attrs['managing'] = self.obj.get_managed_hosts(entry[0]) 
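Review bot: The `has_password` → `has_keytab = False` override added to `host_add.post_callback` is copied verbatim into `host_find` and `host_show` in this patch, and it discards a positive search result: a host entry that carries both `userpassword` and `krbprincipalkey` will be displayed as having no keytab. `host_disable` reads the flag without this override, so the display and the disable path can disagree about the same entry. Consider one helper on the `host` object for the display rule instead of three copies, with a comment that it is presentation only, e.g. `# display only: host_disable must use the raw has_keytab`.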
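Review bot: `host_find.post_callback` now issues two extra base-scope searches per returned host (one per `password_attributes` pair), so the cost of a find grows linearly with the result set; `service_find` and `user_find` in this patch have the same shape. A large or unrestricted search therefore multiplies load on the directory server. That is worth bounding, or replacing with one subtree search per attribute that uses the presence filter and matches the returned DNs against `entries`. In the same loop the entry is now unpacked into `dn`, but the last line still uses `entry[0]`; `self.obj.get_managed_hosts(dn)` would read more consistently.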
@@ -714,11 +723,10 @@ class host_show(LDAPRetrieve): member_attributes = ['managedby'] def post_callback(self, ldap, dn, entry_attrs, *keys, **options): - if 'krblastpwdchange' in entry_attrs: - entry_attrs['has_keytab'] = True - if not options.get('all', False): - del entry_attrs['krblastpwdchange'] - else: + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_password']: + # If an OTP is set there is no keytab, at least not one + # fetched anywhere. entry_attrs['has_keytab'] = False set_certificate_attrs(entry_attrs) @@ -766,7 +774,7 @@ class host_disable(LDAPQuery): dn = self.obj.get_dn(*keys, **options) try: - (dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate']) + (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: self.obj.handle_not_found(*keys) @@ -816,7 +824,8 @@ class host_disable(LDAPQuery): ldap.update_entry(dn, {'usercertificate': None}) done_work = True - if 'krblastpwdchange' in entry_attrs: + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_keytab']: ldap.remove_principal_key(dn) done_work = True diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 11970f401..bcaa76afb 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -83,9 +83,6 @@ from ipapython.ipautil import file_exists output_params = ( - Flag('has_keytab', - label=_('Keytab'), - ), Str('managedby_host', label='Managed by', ), @@ -207,7 +204,7 @@ class service(LDAPObject): 'ipaservice', 'pkiuser' ] search_attributes = ['krbprincipalname', 'managedby'] - default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', 'krblastpwdchange'] + default_attributes = ['krbprincipalname', 'usercertificate', 'managedby'] uuid_attribute = 'ipauniqueid' attribute_members = { 'managedby': ['host'], 
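Review bot: In `host_disable` the key is now removed only when `entry_attrs['has_keytab']` is true, and that flag comes from a search that reports False on `errors.NotFound`. If the caller is allowed to disable the host but cannot search `krbprincipalkey` (ACI-dependent, not visible in this diff), `ldap.remove_principal_key(dn)` is skipped and the principal key survives a command that may report there was nothing to do. `service_disable` has the same condition. A revocation path should fail closed: either distinguish "not found" from "not visible" in the helper, or state the assumption next to the check, e.g. `# relies on the caller having search rights on krbprincipalkey; otherwise the key is left in place`. The method body starts and continues outside the hunk, so how `done_work` is reported afterwards is inferred.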
@@ -216,6 +213,7 @@ class service(LDAPObject): relationships = { 'managedby': ('Managed by', 'man_by_', 'not_man_by_'), } + password_attributes = [('krbprincipalkey', 'has_keytab')] label = _('Services') label_singular = _('Service') @@ -379,13 +377,8 @@ class service_find(LDAPSearch): def post_callback(self, ldap, entries, truncated, *args, **options): for entry in entries: - entry_attrs = entry[1] - if 'krblastpwdchange' in entry_attrs: - entry_attrs['has_keytab'] = True - if not options.get('all', False): - del entry_attrs['krblastpwdchange'] - else: - entry_attrs['has_keytab'] = False + (dn, entry_attrs) = entry + self.obj.get_password_attributes(ldap, dn, entry_attrs) set_certificate_attrs(entry_attrs) api.register(service_find) @@ -403,12 +396,7 @@ class service_show(LDAPRetrieve): ) def post_callback(self, ldap, dn, entry_attrs, *keys, **options): - if 'krblastpwdchange' in entry_attrs: - entry_attrs['has_keytab'] = True - if not options.get('all', False): - del entry_attrs['krblastpwdchange'] - else: - entry_attrs['has_keytab'] = False + self.obj.get_password_attributes(ldap, dn, entry_attrs) set_certificate_attrs(entry_attrs) @@ -461,7 +449,7 @@ class service_disable(LDAPQuery): ldap = self.obj.backend dn = self.obj.get_dn(*keys, **options) - (dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate']) + (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate']) # See if we do any work at all here and if not raise an exception done_work = False @@ -493,7 +481,8 @@ class service_disable(LDAPQuery): ldap.update_entry(dn, {'usercertificate': None}) done_work = True - if 'krblastpwdchange' in entry_attrs: + self.obj.get_password_attributes(ldap, dn, entry_attrs) + if entry_attrs['has_keytab']: ldap.remove_principal_key(dn) done_work = True diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 3068c6291..2112c03d0 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py 
@@ -113,6 +113,8 @@ class user(LDAPObject): } rdnattr = 'uid' bindable = True + password_attributes = [('userpassword', 'has_password'), + ('krbprincipalkey', 'has_keytab')] label = _('Users') label_singular = _('User') @@ -407,6 +409,7 @@ class user_add(LDAPCreate): newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry') entry_from_entry(entry_attrs, newentry) + self.obj.get_password_attributes(ldap, dn, entry_attrs) return dn api.register(user_add) @@ -443,6 +446,7 @@ class user_mod(LDAPUpdate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) + self.obj.get_password_attributes(ldap, dn, entry_attrs) return dn api.register(user_mod) @@ -472,6 +476,7 @@ class user_find(LDAPSearch): for entry in entries: (dn, attrs) = entry self.obj._convert_manager(attrs, **options) + self.obj.get_password_attributes(ldap, dn, attrs) convert_nsaccountlock(attrs) msg_summary = ngettext( @@ -488,6 +493,7 @@ class user_show(LDAPRetrieve): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) + self.obj.get_password_attributes(ldap, dn, entry_attrs) return dn api.register(user_show) |