summaryrefslogtreecommitdiffstats
path: root/ipalib
diff options
context:
space:
mode:
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/passwd.py11
-rw-r--r--ipalib/plugins/user.py47
2 files changed, 48 insertions, 10 deletions
diff --git a/ipalib/plugins/passwd.py b/ipalib/plugins/passwd.py
index 901a56f20..b7d82f355 100644
--- a/ipalib/plugins/passwd.py
+++ b/ipalib/plugins/passwd.py
@@ -22,6 +22,7 @@ from ipalib import Command
from ipalib import Str, Password
from ipalib import _
from ipalib import output
+from ipalib.plugins.user import split_principal, validate_principal, normalize_principal
__doc__ = _("""
Set a user's password
@@ -46,12 +47,13 @@ class passwd(Command):
__doc__ = _("Set a user's password.")
takes_args = (
- Str('principal',
+ Str('principal', validate_principal,
cli_name='user',
label=_('User name'),
primary_key=True,
autofill=True,
create_default=lambda **kw: util.get_current_principal(),
+ normalizer=lambda value: normalize_principal(value),
),
Password('password',
label=_('Password'),
@@ -75,13 +77,6 @@ class passwd(Command):
"""
ldap = self.api.Backend.ldap2
- if principal.find('@') != -1:
- principal_parts = principal.split('@')
- if len(principal_parts) > 2:
- raise errors.MalformedUserPrincipal(principal=principal)
- else:
- principal = '%s@%s' % (principal, self.api.env.realm)
-
(dn, entry_attrs) = ldap.find_entry_by_attr(
'krbprincipalname', principal, 'posixaccount', [''],
",".join([api.env.container_user, api.env.basedn])
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 92a026d0a..35866d6e9 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -84,6 +84,48 @@ def convert_nsaccountlock(entry_attrs):
nsaccountlock = Bool('temp')
entry_attrs['nsaccountlock'] = nsaccountlock.convert(entry_attrs['nsaccountlock'][0])
+def split_principal(principal):
+ """
+ Split the principal into its components and do some basic validation.
+
+ Automatically append our realm if it wasn't provided.
+ """
+ realm = None
+ parts = principal.split('@')
+ user = parts[0].lower()
+ if len(parts) > 2:
+ raise errors.MalformedUserPrincipal(
+ principal=principal
+ )
+
+ if len(parts) == 2:
+ realm = parts[1].upper()
+ # At some point we'll support multiple realms
+ if realm != api.env.realm:
+ raise errors.RealmMismatch()
+ else:
+ realm = api.env.realm
+
+ return (user, realm)
+
+def validate_principal(ugettext, principal):
+ """
+ All the real work is done in split_principal.
+ """
+ (user, realm) = split_principal(principal)
+ return None
+
+def normalize_principal(principal):
+ """
+ Ensure that the name in the principal is lower-case. The realm is
+ upper-case by convention but it isn't required.
+
+ The principal is validated at this point.
+ """
+ (user, realm) = split_principal(principal)
+ return unicode('%s@%s' % (user, realm))
+
+
class user(LDAPObject):
"""
User object.
@@ -169,12 +211,13 @@ class user(LDAPObject):
label=_('Login shell'),
default=u'/bin/sh',
),
- Str('krbprincipalname?',
+ Str('krbprincipalname?', validate_principal,
cli_name='principal',
label=_('Kerberos principal'),
- default_from=lambda uid: '%s@%s' % (uid, api.env.realm),
+ default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm),
autofill=True,
flags=['no_update'],
+ normalizer=lambda value: normalize_principal(value),
),
Str('mail*',
cli_name='email',