From 5025e990e930161160b3f2dc7610a15b3484ed24 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 29 Nov 2007 16:48:32 -0500 Subject: Remove optional arguments from the XML-RPC interface --- ipa-server/xmlrpc-server/funcs.py | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'ipa-server/xmlrpc-server') diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index ef196a0a5..eb87ed065 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -331,7 +331,7 @@ class IPAServer: # Higher-level API - def get_aci_entry(self, sattrs=None, opts=None): + def get_aci_entry(self, sattrs, opts=None): """Returns the entry containing access control ACIs.""" dn="%s,%s" % (ACIContainer, self.basedn) @@ -339,7 +339,7 @@ class IPAServer: # General searches - def get_entry_by_dn (self, dn, sattrs=None, opts=None): + def get_entry_by_dn (self, dn, sattrs, opts=None): """Get a specific entry. Return as a dict of values. Multi-valued fields are represented as lists. """ @@ -347,7 +347,7 @@ class IPAServer: filter = "(objectClass=*)" return self.__get_base_entry(dn, filter, sattrs, opts) - def get_entry_by_cn (self, cn, sattrs=None, opts=None): + def get_entry_by_cn (self, cn, sattrs, opts=None): """Get a specific entry by cn. Return as a dict of values. Multi-valued fields are represented as lists. """ @@ -373,7 +373,7 @@ class IPAServer: except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): return 1 - def get_user_by_uid (self, uid, sattrs=None, opts=None): + def get_user_by_uid (self, uid, sattrs, opts=None): """Get a specific user's entry. Return as a dict of values. Multi-valued fields are represented as lists. """ 
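Review bot: None of the docstrings in these hunks mention `sattrs`, which the commit turns from an optional into a required positional argument on get_aci_entry, get_entry_by_dn, get_entry_by_cn and get_user_by_uid here, and on the remaining getters and find_users/find_groups in the later hunks. A client that used to omit it will now fail with a TypeError, so each docstring should say what to pass, for example `sattrs: attributes to return (presumably a list of names; confirm)`. Code later on this page passes `None` from inside the server, so the docstring should also state whether a remote caller can express "no restriction" and how.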
@@ -382,7 +382,7 @@ class IPAServer: filter = "(uid=" + uid + ")" return self.__get_sub_entry(self.basedn, filter, sattrs, opts) - def get_user_by_principal(self, principal, sattrs=None, opts=None): + def get_user_by_principal(self, principal, sattrs, opts=None): """Get a user entry searching by Kerberos Principal Name. Return as a dict of values. Multi-valued fields are represented as lists. @@ -391,7 +391,7 @@ class IPAServer: filter = "(krbPrincipalName="+self.__safe_filter(principal)+")" return self.__get_sub_entry(self.basedn, filter, sattrs, opts) - def get_user_by_email (self, email, sattrs=None, opts=None): + def get_user_by_email (self, email, sattrs, opts=None): """Get a specific user's entry. Return as a dict of values. Multi-valued fields are represented as lists. """ @@ -400,7 +400,7 @@ class IPAServer: filter = "(mail=" + email + ")" return self.__get_sub_entry(self.basedn, filter, sattrs, opts) - def get_users_by_manager (self, manager_dn, sattrs=None, opts=None): + def get_users_by_manager (self, manager_dn, sattrs, opts=None): """Gets the users that report to a particular manager. """ @@ -412,12 +412,12 @@ class IPAServer: except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): return [] - def add_user (self, user, user_container=None, opts=None): + def add_user (self, user, user_container, opts=None): """Add a user in LDAP. Takes as input a dict where the key is the attribute name and the value is either a string or in the case of a multi-valued field a list of values. user_container sets where in the tree the user is placed.""" - if user_container is None: + if not user_container: user_container = DefaultUserContainer if self.__is_user_unique(user['uid'], opts) == 0: @@ -543,7 +543,7 @@ class IPAServer: return self.update_entry(config, new_config, opts) - def get_all_users (self, args=None, opts=None): + def get_all_users (self, opts=None): """Return a list containing a User object for each existing user. """ 
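Review bot: The add_user docstring (hunk @@ -412,12) still only says that user_container sets where the user is placed, but with `if not user_container:` any falsy value, an empty string as well as None, now selects DefaultUserContainer. Because the argument is now required, that is the only way a client can ask for the default, so it should be written down, e.g. `user_container sets where in the tree the user is placed; pass an empty value to use DefaultUserContainer.` The add_group hunk (@@ -820,12) makes the same change for group_container and needs the same sentence. No check of a non-empty container value is visible in either hunk; both bodies continue outside the hunk, so confirm the value is validated before it is used.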
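Review bot: Dropping `args` from get_all_users (hunk @@ -543,7) moves `opts` into the first positional slot, so a client that still sends one positional value will have it taken as `opts`, and one that sends two will fail with a TypeError. The other hunks in this commit keep each parameter in place and only make it required; here the position itself changes, which deserves a line in the docstring or the release notes. How `opts` is consumed is outside the hunk, so confirm that an unexpected value there is rejected rather than handed on to `getConnection(opts)` as the other methods on this page do.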
@@ -561,7 +561,7 @@ class IPAServer: return users - def find_users (self, criteria, sattrs=None, searchlimit=-1, timelimit=-1, + def find_users (self, criteria, sattrs, searchlimit=-1, timelimit=-1, opts=None): """Returns a list: counter followed by the results. If the results are truncated, counter will be set to -1.""" @@ -807,7 +807,7 @@ class IPAServer: except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): return 1 - def get_groups_by_member (self, member_dn, sattrs=None, opts=None): + def get_groups_by_member (self, member_dn, sattrs, opts=None): """Get a specific group's entry. Return as a dict of values. Multi-valued fields are represented as lists. """ @@ -820,12 +820,12 @@ class IPAServer: except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): return [] - def add_group (self, group, group_container=None, opts=None): + def add_group (self, group, group_container, opts=None): """Add a group in LDAP. Takes as input a dict where the key is the attribute name and the value is either a string or in the case of a multi-valued field a list of values. group_container sets where in the tree the group is placed.""" - if group_container is None: + if not group_container: group_container = DefaultGroupContainer if self.__is_group_unique(group['cn'], opts) == 0: @@ -852,7 +852,7 @@ class IPAServer: finally: self.releaseConnection(conn) - def find_groups (self, criteria, sattrs=None, searchlimit=-1, timelimit=-1, + def find_groups (self, criteria, sattrs, searchlimit=-1, timelimit=-1, opts=None): """Return a list containing a User object for each existing group that matches the criteria. -- cgit From bac556557d892966aaea2101d8c8207e471fda05 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 30 Nov 2007 12:49:08 -0500 Subject: Don't allow the admins or editors groups to be removed. Don't allow the default group for users to be removed. --- ipa-server/xmlrpc-server/funcs.py | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'ipa-server/xmlrpc-server') 
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index eb87ed065..4741da10d 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -1201,6 +1201,16 @@ class IPAServer: if group is None: raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) + # We have 2 special groups, don't allow them to be removed + if "admins" in group.get('cn') or "editors" in group.get('cn'): + raise ipaerror.gen_exception(ipaerror.CONFIG_REQUIRED_GROUPS) + + # Don't allow the default user group to be removed + config=self.get_ipa_config(opts) + default_group = self.get_entry_by_cn(config.get('ipadefaultprimarygroup'), None, opts) + if group_dn == default_group.get('dn'): + raise ipaerror.gen_exception(ipaerror.CONFIG_DEFAULT_GROUP) + conn = self.getConnection(opts) try: res = conn.deleteEntry(group_dn) -- cgit From 8ff9f63d80c9a6a28526a7ddc12d2a2ce8a6cb22 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 30 Nov 2007 13:27:33 -0500 Subject: Require that the default users group exists Fix some copy-paste errors from the password policy update --- ipa-server/xmlrpc-server/funcs.py | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) (limited to 'ipa-server/xmlrpc-server') diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index 4741da10d..e733bd4af 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -53,9 +53,9 @@ DefaultGroupContainer = "cn=groups,cn=accounts" DefaultServiceContainer = "cn=services,cn=accounts" # FIXME: need to check the ipadebug option in ipa.conf -#logging.basicConfig(level=logging.DEBUG, -# format='%(asctime)s %(levelname)s %(message)s', -# stream=sys.stderr) +logging.basicConfig(level=logging.DEBUG, + format='%(asctime)s %(levelname)s %(message)s', + stream=sys.stderr) # # Apache runs in multi-process mode so each process will have its own 
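Review bot: The default-group guard (hunk @@ -1201,6) compares the caller-supplied `group_dn` string with `default_group.get('dn')` using `==`, so a DN that differs only in case or spacing refers to the same entry in the directory but does not match here, and the delete goes ahead. Compare server-returned values after normalising them, e.g. `if group.get('dn').lower() == default_group.get('dn').lower():` (assuming `group` carries a 'dn' key as default_group does), or use whatever DN normalisation the project already has. The special-group test errs the other way: if `cn` comes back as a string rather than a list, `"admins" in group.get('cn')` is a substring match and also blocks a group such as `sysadmins`. `default_group` is dereferenced without a None check, and the lookup of `group` is outside the hunk.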
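Review bot: The @@ -53,9 hunk enables `logging.basicConfig(level=logging.DEBUG, ...)` unconditionally at import time, while the FIXME directly above it still says the ipadebug option in ipa.conf has to be checked first. The change is also unrelated to the commit subject. What the server logs at DEBUG level is not visible here, but in a service that handles directory entries and password policy it should be opt-in; leave the call commented out until it is gated on the configuration option.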
@@ -1380,14 +1380,22 @@ class IPAServer: # The LDAP routines want strings, not ints, so convert a few # things. Otherwise it sees a string -> int conversion as a change. try: - newconfig['krbmaxpwdlife'] = str(newconfig.get('krbmaxpwdlife')) - newconfig['krbminpwdlife'] = str(newconfig.get('krbminpwdlife')) - newconfig['krbpwdmindiffchars'] = str(newconfig.get('krbpwdmindiffchars')) - newconfig['krbpwdminlength'] = str(newconfig.get('krbpwdminlength')) - newconfig['krbpwdhistorylength'] = str(newconfig.get('krbpwdhistorylength')) + newconfig['ipapwdexpadvnotify'] = str(newconfig.get('ipapwdexpadvnotify')) + newconfig['ipasearchtimelimit'] = str(newconfig.get('ipasearchtimelimit')) + newconfig['ipasearchrecordslimit'] = str(newconfig.get('ipasearchrecordslimit')) + newconfig['ipamaxusernamelength'] = str(newconfig.get('ipamaxusernamelength')) except KeyError: # These should all be there but if not, let things proceed pass + + # Ensure that the default group for users exists + try: + group = self.get_entry_by_cn(newconfig.get('ipadefaultprimarygroup'), None, opts) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + raise + except: + raise + return self.update_entry(oldconfig, newconfig, opts) def get_password_policy(self, opts=None): @@ -1413,6 +1421,9 @@ class IPAServer: except KeyError: # These should all be there but if not, let things proceed pass + except: + # Anything else raise an error + raise return self.update_entry(oldpolicy, newpolicy, opts) -- cgit From 002312c0504364cd397182ea800cdd10b1e76c21 Mon Sep 17 00:00:00 2001 From: Karl MacMillan Date: Mon, 3 Dec 2007 10:21:44 -0500 Subject: Revert logging setup change because it has unintended consequences during ipa-server-install. --- ipa-server/xmlrpc-server/funcs.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'ipa-server/xmlrpc-server') diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index e733bd4af..2e218ac93 100644 
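Review bot: The `except KeyError` around the four new `str(newconfig.get(...))` lines (hunk @@ -1380,14) cannot fire if newconfig is a plain dict, because `.get()` returns None for a missing key; a missing `ipasearchtimelimit`, `ipasearchrecordslimit` or `ipamaxusernamelength` is then passed to update_entry as the string `'None'` instead of being skipped. Index directly, e.g. `newconfig['ipasearchtimelimit'] = str(newconfig['ipasearchtimelimit'])`, so the handler does what its comment says, or convert only the keys that are present. The new existence check assigns `group` without using it and both of its `except` clauses only re-raise, so the `try` can be dropped and the call left bare; the `except: raise` added in the @@ -1413,6 hunk is the same no-op. When `ipadefaultprimarygroup` is absent the lookup is made with None, which the hunk does not guard against.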
--- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -53,9 +53,9 @@ DefaultGroupContainer = "cn=groups,cn=accounts" DefaultServiceContainer = "cn=services,cn=accounts" # FIXME: need to check the ipadebug option in ipa.conf -logging.basicConfig(level=logging.DEBUG, - format='%(asctime)s %(levelname)s %(message)s', - stream=sys.stderr) +#logging.basicConfig(level=logging.DEBUG, +# format='%(asctime)s %(levelname)s %(message)s', +# stream=sys.stderr) # # Apache runs in multi-process mode so each process will have its own -- cgit From c32a960cae3eca434369502fb12b23b62ae6b2bf Mon Sep 17 00:00:00 2001 From: "rcritten@redhat.com" Date: Fri, 30 Nov 2007 15:53:02 -0500 Subject: Compatibility changes to work on RHEL 5 with python 2.4 --- ipa-server/xmlrpc-server/funcs.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'ipa-server/xmlrpc-server') diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index 2e218ac93..032f6b422 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -1270,11 +1270,12 @@ class IPAServer: conn = self.getConnection(opts) try: - results = conn.getListAsync(self.basedn, self.scope, - filter, attr_list, 0, None, None, timelimit, - searchlimit) - except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): - results = [0] + try: + results = conn.getListAsync(self.basedn, self.scope, + filter, attr_list, 0, None, None, timelimit, + searchlimit) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + results = [0] finally: self.releaseConnection(conn) -- cgit From 299e45769811c7573d1389e5eb25643e62b1d128 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 3 Dec 2007 18:07:47 -0500 Subject: Convert krbmaxpwdlife and krbminpwdlife from seconds into days and hours --- ipa-server/xmlrpc-server/funcs.py | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) (limited to 'ipa-server/xmlrpc-server') 
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index 032f6b422..12131c26b 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -1406,6 +1406,10 @@ class IPAServer: except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): raise ipaerror.gen_exception(ipaerror.LDAP_NO_CONFIG) + # convert some values for display purposes + policy['krbmaxpwdlife'] = str(int(policy.get('krbmaxpwdlife')) / 86400) + policy['krbminpwdlife'] = str(int(policy.get('krbminpwdlife')) / 3600) + return policy def update_password_policy(self, oldpolicy, newpolicy, opts=None): @@ -1414,11 +1418,18 @@ class IPAServer: # The LDAP routines want strings, not ints, so convert a few # things. Otherwise it sees a string -> int conversion as a change. try: - newpolicy['krbmaxpwdlife'] = str(newpolicy.get('krbmaxpwdlife')) - newpolicy['krbminpwdlife'] = str(newpolicy.get('krbminpwdlife')) - newpolicy['krbpwdhistorylength'] = str(newpolicy.get('krbpwdhistorylength')) - newpolicy['krbpwdmindiffchars'] = str(newpolicy.get('krbpwdmindiffchars')) - newpolicy['krbpwdminlength'] = str(newpolicy.get('krbpwdminlength')) + for k in oldpolicy.iterkeys(): + if k.startswith("krb", 0, 3): + oldpolicy[k] = str(oldpolicy[k]) + for k in newpolicy.iterkeys(): + if k.startswith("krb", 0, 3): + newpolicy[k] = str(newpolicy[k]) + + # Convert hours and days to seconds + oldpolicy['krbmaxpwdlife'] = str(int(oldpolicy.get('krbmaxpwdlife')) * 86400) + oldpolicy['krbminpwdlife'] = str(int(oldpolicy.get('krbminpwdlife')) * 3600) + newpolicy['krbmaxpwdlife'] = str(int(newpolicy.get('krbmaxpwdlife')) * 86400) + newpolicy['krbminpwdlife'] = str(int(newpolicy.get('krbminpwdlife')) * 3600) except KeyError: # These should all be there but if not, let things proceed pass -- cgit
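Review bot: `int(policy.get('krbmaxpwdlife')) / 86400` and the `/ 3600` line in get_password_policy (hunk @@ -1406,6) are integer divisions under the Python 2 this file targets (it uses `iterkeys`), so a stored lifetime that is not a whole number of days or hours is rounded down, and anything below one day or one hour is reported as 0. The `oldpolicy` that update_password_policy rebuilds by multiplying back then no longer equals what is stored; how update_entry uses the old values is not visible here, so confirm that mismatch is harmless. Add a comment such as `# display units: max life in days, min life in hours; values are truncated`, or keep the remainder. `int(None)` also raises here if either attribute is missing from the entry, and nothing in the hunk catches it.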
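Review bot: In update_password_policy (hunk @@ -1418,11) the caller-supplied `krbmaxpwdlife` and `krbminpwdlife` go straight into `int(...) * 86400` and `int(...) * 3600` with no range check, so a negative value reaches update_entry and a missing or non-numeric one escapes as a raw TypeError or ValueError, since the only handler is `except KeyError` and `.get()` does not raise that. Validate before converting, for instance reject the request when `int(v) < 0`, and raise one of the project's ipaerror exceptions so the client gets a meaningful fault. The `k.startswith("krb", 0, 3)` calls can be plain `k.startswith("krb")`. The function continues past the end of the hunk.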