1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
# Authors:
# Pavel Zuna <pzuna@redhat.com>
#
# Copyright (C) 2010 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
Kerberos ticket policy
"""
from ipalib import api
from ipalib import Int, Str
from ipalib.plugins.baseldap import *
from ipalib import _
# FIXME: load this from a config file?
_default_values = {
'krbmaxticketlife': 86400,
'krbmaxrenewableage': 604800,
}
class krbtpolicy(LDAPObject):
"""
Kerberos Ticket Policy object
"""
container_dn = 'cn=%s,cn=kerberos' % api.env.realm
object_name = 'kerberos ticket policy settings'
default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage']
takes_params = (
Str('uid?',
cli_name='user',
label=_('User name'),
doc=_('Manage ticket policy for specific user'),
primary_key=True,
),
Int('krbmaxticketlife?',
cli_name='maxlife',
label=_('Max life'),
doc=_('Maximum ticket life'),
),
Int('krbmaxrenewableage?',
cli_name='maxrenew',
label=_('Max renew'),
doc=_('Maximum renewable age'),
),
)
def get_dn(self, *keys, **kwargs):
if keys[-1] is not None:
return self.api.Object.user.get_dn(*keys, **kwargs)
return self.container_dn
api.register(krbtpolicy)
class krbtpolicy_mod(LDAPUpdate):
"""
Modify kerberos ticket policy.
"""
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
# disable all flag
# ticket policies are attached to objects with unrelated attributes
if options.get('all'):
options['all'] = False
return dn
api.register(krbtpolicy_mod)
class krbtpolicy_show(LDAPRetrieve):
"""
Display kerberos ticket policy.
"""
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
# disable all flag
# ticket policies are attached to objects with unrelated attributes
if options.get('all'):
options['all'] = False
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
if keys[-1] is not None:
# if policy for a specific user isn't set, display global values
if 'krbmaxticketlife' not in entry_attrs or \
'krbmaxrenewableage' not in entry_attrs:
res = self.api.Command.krbtpolicy_show()
for a in self.obj.default_attributes:
entry_attrs.setdefault(a, res['result'][a])
return dn
api.register(krbtpolicy_show)
class krbtpolicy_reset(LDAPQuery):
"""
Reset kerberos ticket policy to default.
"""
has_output = output.standard_entry
def execute(self, *keys, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(*keys, **options)
def_values = {}
# if reseting policy for a user - just his values
if keys[-1] is not None:
for a in self.obj.default_attributes:
def_values[a] = None
# if reseting global policy - set values to default
else:
def_values = _default_values
try:
ldap.update_entry(dn, def_values)
except errors.EmptyModlist:
pass
if keys[-1] is not None:
# policy for user was deleted, retrieve global policy
dn = self.obj.get_dn(None)
(dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes)
if keys[-1] is not None:
return dict(result=entry_attrs, value=keys[-1])
return dict(result=entry_attrs, value=u'')
api.register(krbtpolicy_reset)
|