authorJohn Dennis <jdennis@redhat.com>2007-11-28 07:49:07 -0500
committerJohn Dennis <jdennis@redhat.com>2007-11-28 07:49:07 -0500
commit904b76059cec667a9c155021c8e33ce1dbf2b389 (patch)
treec2f9d8ed6a2f84427dd494d3814cac77c29a34f0 /ipa-admintools
parentc939c5d289daaf4c855caa2a6816e7eeba7e2661 (diff)
parent2e7f629d913d775cfb285ede166d7a0f977782fe (diff)
merged radius work with latest mainline tip
Diffstat (limited to 'ipa-admintools')
-rw-r--r--ipa-admintools/Makefile1
-rw-r--r--ipa-admintools/ipa-adddelegation27
-rw-r--r--ipa-admintools/ipa-addgroup8
-rw-r--r--ipa-admintools/ipa-adduser10
-rwxr-xr-xipa-admintools/ipa-admintools.spec (renamed from ipa-admintools/freeipa-admintools.spec)13
-rwxr-xr-xipa-admintools/ipa-admintools.spec.in (renamed from ipa-admintools/freeipa-admintools.spec.in)11
-rw-r--r--ipa-admintools/ipa-deldelegation13
-rw-r--r--ipa-admintools/ipa-delgroup8
-rw-r--r--ipa-admintools/ipa-deluser26
-rw-r--r--ipa-admintools/ipa-findgroup27
-rw-r--r--ipa-admintools/ipa-finduser19
-rw-r--r--ipa-admintools/ipa-getkeytab83
-rw-r--r--ipa-admintools/ipa-groupmod93
-rw-r--r--ipa-admintools/ipa-listdelegation18
-rw-r--r--ipa-admintools/ipa-moddelegation8
-rw-r--r--ipa-admintools/ipa-passwd13
-rw-r--r--ipa-admintools/ipa-usermod43
-rw-r--r--ipa-admintools/man/ipa-deluser.114
-rw-r--r--ipa-admintools/man/ipa-groupmod.112
-rw-r--r--ipa-admintools/man/ipa-usermod.116
20 files changed, 392 insertions, 71 deletions
diff --git a/ipa-admintools/Makefile b/ipa-admintools/Makefile
index 5ceb42d2..6601292e 100644
--- a/ipa-admintools/Makefile
+++ b/ipa-admintools/Makefile
@@ -21,6 +21,7 @@ install:
install -m 755 ipa-deldelegation $(SBINDIR)
install -m 755 ipa-listdelegation $(SBINDIR)
install -m 755 ipa-moddelegation $(SBINDIR)
+ install -m 755 ipa-getkeytab $(SBINDIR)
install -m 755 ipa-addradiusclient $(SBINDIR)
install -m 755 ipa-radiusclientmod $(SBINDIR)
install -m 755 ipa-delradiusclient $(SBINDIR)
diff --git a/ipa-admintools/ipa-adddelegation b/ipa-admintools/ipa-adddelegation
index 8dde908f..53bd43ce 100644
--- a/ipa-admintools/ipa-adddelegation
+++ b/ipa-admintools/ipa-adddelegation
@@ -31,6 +31,7 @@ import xmlrpclib
import kerberos
import krbV
import ldap
+import errno
def usage():
print "ipa-adddelgation [-a|--attributes attr1,attr2,..,attrn] [-s|--source STRING] [-t|--target STRING] name"
@@ -90,12 +91,34 @@ def main():
new_aci.dest_group = target_grp[1].dn
new_aci.attrs = attr_list
+ aci_entry = client.get_aci_entry(['*', 'aci'])
+
+ # Look for an existing ACI of the same name
+ aci_str_list = aci_entry.getValues('aci')
+ if aci_str_list is None:
+ aci_str_list = []
+ if not(isinstance(aci_str_list,list) or isinstance(aci_str_list,tuple)):
+ aci_str_list = [aci_str_list]
+
+ for aci_str in aci_str_list:
+ try:
+ old_aci = ipa.aci.ACI(aci_str)
+ if old_aci.name == new_aci.name:
+ print "A delegation of that name already exists"
+ return 2
+ except SyntaxError:
+ # ignore aci_str's that ACI can't parse
+ pass
+
aci_entry = client.get_aci_entry(['dn'])
aci_entry.setValue('aci', new_aci.export_to_string())
client.update_entry(aci_entry)
- except xmlrpclib.Fault, f:
- print f.faultString
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
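Review bot: The duplicate-name check reads the ACI list with `client.get_aci_entry(['*', 'aci'])` and then fetches the entry again before writing, so nothing in the client prevents a second administrator from adding a delegation of the same name between the check and `client.update_entry(aci_entry)`; if names must be unique, the server side should enforce it. ACIs that fail to parse are skipped by `except SyntaxError: pass`, so a malformed existing entry can never be reported as a conflict; a one-line warning naming the skipped value would make that visible. main() starts and ends outside the hunk.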
diff --git a/ipa-admintools/ipa-addgroup b/ipa-admintools/ipa-addgroup
index 97dfd5f7..15d42a91 100644
--- a/ipa-admintools/ipa-addgroup
+++ b/ipa-admintools/ipa-addgroup
@@ -30,6 +30,7 @@ import ipa.ipaerror
import xmlrpclib
import kerberos
import ldap
+import errno
def usage():
print "ipa-addgroup [-d|--description STRING] group"
@@ -95,8 +96,11 @@ def main():
client = ipaclient.IPAClient()
client.add_group(group)
print cn + " successfully added"
- except xmlrpclib.Fault, f:
- print f.faultString
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
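Review bot: A refused TCP connection would normally surface in the client as `socket.error` rather than as an `xmlrpclib.Fault`, so the `fault.faultCode == errno.ECONNREFUSED` branch only fires if the server itself returns a Fault carrying that code; that is not visible here and is worth confirming, since none of the handlers visible in these hunks catch `socket.error`. The same six-line handler is pasted into ipa-adddelegation, ipa-adduser, ipa-deldelegation, ipa-delgroup, ipa-deluser, ipa-findgroup, ipa-finduser, ipa-groupmod, ipa-listdelegation, ipa-moddelegation, ipa-passwd and ipa-usermod in this commit. A single helper in the `ipa` package would keep the message and the exit code consistent across the tools. main() starts and ends outside the hunk.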
diff --git a/ipa-admintools/ipa-adduser b/ipa-admintools/ipa-adduser
index d82de895..e993bee5 100644
--- a/ipa-admintools/ipa-adduser
+++ b/ipa-admintools/ipa-adduser
@@ -31,6 +31,7 @@ import kerberos
import krbV
import ldap
import getpass
+import errno
def usage():
print "ipa-adduser [-c|--gecos STRING] [-d|--directory STRING] [-f|--firstname STRING] [-l|--lastname STRING] user"
@@ -204,14 +205,15 @@ def main():
user.setValue('homedirectory', directory)
if shell:
user.setValue('loginshell', shell)
- else:
- user.setValue('loginshell', "/bin/sh")
try:
client = ipaclient.IPAClient()
client.add_user(user)
- except xmlrpclib.Fault, f:
- print f.faultString
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
diff --git a/ipa-admintools/freeipa-admintools.spec b/ipa-admintools/ipa-admintools.spec
index 6fd423a0..24c83e6c 100755
--- a/ipa-admintools/freeipa-admintools.spec
+++ b/ipa-admintools/ipa-admintools.spec
@@ -1,7 +1,7 @@
-Name: freeipa-admintools
-Version: 0.4.1
+Name: ipa-admintools
+Version: 0.5.0
Release: 1%{?dist}
-Summary: FreeIPA authentication server
+Summary: IPA authentication server
Group: System Environment/Base
License: GPL
@@ -10,10 +10,10 @@ Source0: %{name}-%{version}.tgz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
-Requires: python python-krbV freeipa-python
+Requires: python python-krbV ipa-python
%description
-FreeIPA is a server for identity, policy, and audit.
+IPA is a server for identity, policy, and audit.
%prep
%setup -q
@@ -35,6 +35,9 @@ rm -rf %{buildroot}
%{_mandir}/man1/*
%changelog
+* Wed Nov 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.5.0-1
+- Version bump for release and rpm name change
+
* Thu Nov 1 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.1-1
- Version bump for release
diff --git a/ipa-admintools/freeipa-admintools.spec.in b/ipa-admintools/ipa-admintools.spec.in
index ec731a64..4b444882 100755
--- a/ipa-admintools/freeipa-admintools.spec.in
+++ b/ipa-admintools/ipa-admintools.spec.in
@@ -1,7 +1,7 @@
-Name: freeipa-admintools
+Name: ipa-admintools
Version: VERSION
Release: 1%{?dist}
-Summary: FreeIPA authentication server
+Summary: IPA authentication server
Group: System Environment/Base
License: GPL
@@ -10,10 +10,10 @@ Source0: %{name}-%{version}.tgz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
-Requires: python python-krbV freeipa-python
+Requires: python python-krbV ipa-python
%description
-FreeIPA is a server for identity, policy, and audit.
+IPA is a server for identity, policy, and audit.
%prep
%setup -q
@@ -35,6 +35,9 @@ rm -rf %{buildroot}
%{_mandir}/man1/*
%changelog
+* Wed Nov 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.5.0-1
+- Version bump for release and rpm name change
+
* Thu Nov 1 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.1-1
- Version bump for release
diff --git a/ipa-admintools/ipa-deldelegation b/ipa-admintools/ipa-deldelegation
index 93e39548..7ad17c38 100644
--- a/ipa-admintools/ipa-deldelegation
+++ b/ipa-admintools/ipa-deldelegation
@@ -26,6 +26,7 @@ import ipa.config
import xmlrpclib
import kerberos
import copy
+import errno
import ipa.aci
from ipa import ipaerror
@@ -85,12 +86,24 @@ def main():
aci_entry.setValue('aci', new_aci_str_list)
client.update_entry(aci_entry)
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
+ return 1
except (SyntaxError, ipaerror.IPAError), e:
print "Delegation deletion failed: " + str(e)
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
+ except xmlrpclib.ProtocolError, e:
+ print "Unable to connect to IPA server: %s" % (e.errmsg)
+ return 1
+ except ipa.ipaerror.IPAError, e:
+ print "%s" % (e.message)
+ return 1
return 0
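Review bot: The added `except ipa.ipaerror.IPAError, e:` clause at the end can never run, because the earlier `except (SyntaxError, ipaerror.IPAError), e:` already catches IPAError and prints "Delegation deletion failed: ...". Remove the later clause, or move it above the tuple clause if the bare `e.message` output is the one intended. main() starts outside the hunk.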
diff --git a/ipa-admintools/ipa-delgroup b/ipa-admintools/ipa-delgroup
index 08ea7377..b4f94606 100644
--- a/ipa-admintools/ipa-delgroup
+++ b/ipa-admintools/ipa-delgroup
@@ -23,6 +23,7 @@ from optparse import OptionParser
import ipa
import ipa.ipaclient as ipaclient
import ipa.config
+import errno
import xmlrpclib
import kerberos
@@ -54,8 +55,11 @@ def main():
print args[1] + " successfully deleted"
else:
print args[1] + " " + ret
- except xmlrpclib.Fault, f:
- print f.faultString
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
diff --git a/ipa-admintools/ipa-deluser b/ipa-admintools/ipa-deluser
index 18adf75c..02ba5f13 100644
--- a/ipa-admintools/ipa-deluser
+++ b/ipa-admintools/ipa-deluser
@@ -23,6 +23,7 @@ from optparse import OptionParser
import ipa
import ipa.ipaclient as ipaclient
import ipa.config
+import errno
import xmlrpclib
import kerberos
@@ -33,6 +34,8 @@ def usage():
def parse_options():
parser = OptionParser()
+ parser.add_option("-d", "--delete", action="store_true", dest="deluser",
+ help="Delete the user, don't inactivate them.")
parser.add_option("--usage", action="store_true",
help="Program usage")
@@ -47,15 +50,26 @@ def main():
if len(args) != 2:
usage()
+ msg = "inactivated"
try:
client = ipaclient.IPAClient()
- ret = client.mark_user_deleted(args[1])
- if (ret == "Success"):
- print args[1] + " successfully deleted"
+ if options.deluser:
+ ret = client.delete_user(args[1])
+ msg = "deleted"
else:
- print args[1] + " " + ret
- except xmlrpclib.Fault, f:
- print f.faultString
+ try:
+ ret = client.mark_user_inactive(args[1])
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ print "User is already marked inactive"
+ return 0
+ except:
+ raise
+ print args[1] + " successfully %s" % msg
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
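Review bot: The result of `client.delete_user(args[1])` and `client.mark_user_inactive(args[1])` is stored in `ret` but no longer checked, whereas the removed code compared it with `"Success"`; if the server can still return a non-success string, the tool now prints "successfully deleted" or "successfully inactivated" for a failed call. Either test `ret` before the success message or drop the assignment if these calls now signal failure only by raising. The `except: raise` clause is a no-op and can be removed. main() continues outside the hunk.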
diff --git a/ipa-admintools/ipa-findgroup b/ipa-admintools/ipa-findgroup
index a876a050..9f809aa0 100644
--- a/ipa-admintools/ipa-findgroup
+++ b/ipa-admintools/ipa-findgroup
@@ -23,6 +23,7 @@ from optparse import OptionParser
import ipa.ipaclient as ipaclient
import ipa.config
+import errno
import sys
import xmlrpclib
import kerberos
@@ -34,6 +35,12 @@ def usage():
def parse_options():
parser = OptionParser()
+ parser.add_option("-a", "--all", action="store_true", dest="all",
+ help="Show all group attributes")
+ parser.add_option("-n", "--notranslate", action="store_true",
+ dest="notranslate",
+ help="Don't translate LDAP attributes into readable labels")
+
args = ipa.config.init_config(sys.argv)
options, args = parser.parse_args(args)
@@ -48,7 +55,10 @@ def main():
try:
client = ipaclient.IPAClient()
- groups = client.find_groups(args[1], ['cn','description','gidnumber'])
+ if options.all is None:
+ groups = client.find_groups(args[1], ['cn','description','gidnumber','nsAccountLock'])
+ else:
+ groups = client.find_groups(args[1], sattrs=['*','nsAccountLock'])
counter = groups[0]
groups = groups[1:]
@@ -64,15 +74,21 @@ def main():
print str(e)
continue
attr = ent.attrList()
+ if options.notranslate:
+ labels = {}
+ for a in attr:
+ labels[a] = a
+ else:
+ labels = client.attrs_to_labels(attr)
print "dn: " + ent.dn
for a in attr:
value = ent.getValues(a)
if isinstance(value,str):
- print a + ": " + value
+ print labels[a] + ": " + value
else:
- print a + ": "
+ print labels[a] + ": "
for l in value:
print "\t" + l
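Review bot: `labels[a]` raises KeyError for any attribute that `client.attrs_to_labels(attr)` returns no label for, which becomes more likely once `--all` requests `'*'`; whether the helper guarantees one entry per attribute is not visible here. Using `labels.get(a, a)` in both print statements would fall back to the raw LDAP attribute name. The same lookup is added to ipa-finduser in this commit. The loop sits inside main(), which starts and ends outside the hunk.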
@@ -87,7 +103,10 @@ def main():
print
except xmlrpclib.Fault, fault:
- print fault.faultString
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
diff --git a/ipa-admintools/ipa-finduser b/ipa-admintools/ipa-finduser
index 3396ce45..6dc4d56c 100644
--- a/ipa-admintools/ipa-finduser
+++ b/ipa-admintools/ipa-finduser
@@ -25,6 +25,7 @@ import ipa.config
import ipa.ipautil as ipautil
import base64
+import errno
import sys
import xmlrpclib
import kerberos
@@ -38,6 +39,9 @@ def parse_options():
parser.add_option("-a", "--all", action="store_true", dest="all",
help="Set user's e-mail address")
+ parser.add_option("-n", "--notranslate", action="store_true",
+ dest="notranslate",
+ help="Don't translate LDAP attributes into readable labels")
parser.add_option("--usage", action="store_true",
help="Program usage")
@@ -90,6 +94,12 @@ def main():
for ent in users:
attr = ent.attrList()
attr.sort()
+ if options.notranslate:
+ labels = {}
+ for a in attr:
+ labels[a] = a
+ else:
+ labels = client.attrs_to_labels(attr)
if options.all is True:
print "dn: " + ent.dn
@@ -97,16 +107,19 @@ def main():
for a in attr:
value = ent.getValues(a)
if isinstance(value,str):
- print a + ": " + str(wrap_binary_data(value)).rstrip()
+ print labels[a] + ": " + str(wrap_binary_data(value)).rstrip()
else:
- print a + ": "
+ print labels[a] + ": "
for l in value:
print "\t" + wrap_binary_data(l)
# blank line between results
print
except xmlrpclib.Fault, fault:
- print fault.faultString
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
diff --git a/ipa-admintools/ipa-getkeytab b/ipa-admintools/ipa-getkeytab
new file mode 100644
index 00000000..5ecb7e4a
--- /dev/null
+++ b/ipa-admintools/ipa-getkeytab
@@ -0,0 +1,83 @@
+#! /usr/bin/python -E
+# Authors: Karl MacMillan <kmacmill@redhat.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import sys
+from optparse import OptionParser
+import ipa
+import ipa.user
+import ipa.ipaclient as ipaclient
+import ipa.ipavalidate as ipavalidate
+import ipa.config
+
+import base64
+
+import xmlrpclib
+import kerberos
+import krbV
+import ldap
+import getpass
+import errno
+
+def usage():
+ print "ipa-getkeytab [-a] principal filename"
+ sys.exit(1)
+
+def parse_options():
+ parser = OptionParser()
+ parser.add_option("-a", "--add", dest="add_princ", action="store_true",
+ help="add the principal")
+
+ args = ipa.config.init_config(sys.argv)
+ options, args = parser.parse_args(args)
+
+ return options, args
+
+def main():
+ # The following fields are required
+ princ_name = ""
+
+ options, args = parse_options()
+
+ if len(args) != 3:
+ usage()
+ princ_name = args[1]
+ file_name = args[2]
+
+ client = ipaclient.IPAClient()
+
+ try:
+ if options.add_princ:
+ client.add_service_principal(princ_name)
+
+ princs = client.get_keytab(princ_name)
+
+ if princs is None:
+ print "could not generate keytab"
+ sys.exit(1)
+
+ fd = open(file_name, "w")
+ fd.write(princs)
+
+ except Exception, e:
+ print str(e)
+
+
+if __name__ == "__main__":
+ sys.exit(main())
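Review bot: The keytab is written with `open(file_name, "w")`, so the file holding the principal's long-term keys is created with whatever the umask allows (commonly world-readable) and is never closed explicitly; it should be created owner-only. The `except Exception` branch prints the error and falls through, so main() returns None and the script exits 0 on failure. The sketch below needs `import os`, and its `O_EXCL` refuses to overwrite an existing file, which is a behaviour choice to confirm. `base64`, `getpass`, `ldap`, `krbV` and several other imports are unused in this file.

```python
    # … unchanged: option parsing, client setup, add_service_principal …
        princs = client.get_keytab(princ_name)

        if princs is None:
            print "could not generate keytab"
            return 1

        # Keytabs hold long-term keys: create the file owner-only and
        # refuse to reuse an existing path.
        fd = os.open(file_name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0600)
        keytab = os.fdopen(fd, "wb")
        try:
            keytab.write(princs)
        finally:
            keytab.close()

    except Exception, e:
        print str(e)
        return 1

    return 0
```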
diff --git a/ipa-admintools/ipa-groupmod b/ipa-admintools/ipa-groupmod
index 4d8dd4d5..c7e6e1fa 100644
--- a/ipa-admintools/ipa-groupmod
+++ b/ipa-admintools/ipa-groupmod
@@ -29,12 +29,16 @@ import ipa.ipaerror
import xmlrpclib
import kerberos
import ldap
+import errno
def usage():
- print "ipa-groupmod [-a] [-r] user group"
- print "ipa-groupmod [-d|--desc description STRING] group"
+ print "ipa-groupmod [-a|--add] [-r|--remove] user group"
+ print "ipa-groupmod [-d|--desc description STRING] [--addattr attribute=value] [--delattr attribute] [--setattr attribute=value] group"
sys.exit(1)
+def set_add_usage(which):
+ print "%s option usage: --%s NAME=VALUE" % (which, which)
+
def parse_options():
parser = OptionParser()
parser.add_option("-a", "--add", dest="add", action="store_true",
@@ -43,20 +47,38 @@ def parse_options():
help="Remove a user from the group")
parser.add_option("-d", "--description", dest="desc",
help="Modify the description of the group")
+ parser.add_option("--addattr", dest="addattr",
+ help="Adds an attribute or values to that attribute, attr=value",
+ action="append")
+ parser.add_option("--delattr", dest="delattr",
+ help="Remove an attribute", action="append")
+ parser.add_option("--setattr", dest="setattr",
+ help="Set an attribute, dropping any existing values that may exist",
+ action="append")
parser.add_option("--usage", action="store_true",
help="Program usage")
args = ipa.config.init_config(sys.argv)
options, args = parser.parse_args(args)
- if (not options.add and not options.remove) and (not options.desc):
+ if (not options.add and not options.remove) and (not options.desc and
+ not options.addattr and not options.delattr and not options.setattr):
usage()
return options, args
-def get_group(client, group_cn):
+def get_group(client, options, group_cn):
try:
- group = client.get_entry_by_cn(group_cn)
+ attrs = ['*']
+
+ # in case any attributes being modified are operational such as
+ # nsaccountlock. Any attribute to be deleted needs to be included
+ # in the original record so it can be seen as being removed.
+ if options.delattr:
+ for d in options.delattr:
+ attrs.append(d)
+ group = client.get_entry_by_cn(group_cn, sattrs=attrs)
+
except ipa.ipaerror.IPAError, e:
print "%s" % e.message
return None
@@ -69,32 +91,69 @@ def main():
if (options.add or options.remove) and (len(args) != 3):
usage()
- if (options.desc and (len(args) != 2)):
+ elif ((options.desc or options.addattr or options.delattr or options.setattr) and (len(args) != 2)):
usage()
try:
client = ipaclient.IPAClient()
if options.add:
- group = get_group(client, args[2])
+ group = get_group(client, options, args[2])
if group is None:
return 1
- client.add_user_to_group(args[1], group.dn)
- print args[1] + " successfully added to " + args[2]
+ users = args[1].split(',')
+ for user in users:
+ client.add_user_to_group(user, group.dn)
+ print user + " successfully added to " + args[2]
elif options.remove:
- group = get_group(client, args[2])
+ group = get_group(client, options, args[2])
if group is None:
return 1
- client.remove_user_from_group(args[1], group.dn)
- print args[1] + " successfully removed"
- elif options.desc:
- group = get_group(client, args[1])
+ users = args[1].split(',')
+ for user in users:
+ client.remove_user_from_group(user, group.dn)
+ print user + " successfully removed"
+ else:
+ group = get_group(client, options, args[1])
if group is None:
return 1
- group.setValue('description', options.desc)
+
+ if options.desc:
+ group.setValue('description', options.desc)
+
+ if options.delattr:
+ for d in options.delattr:
+ group.delValue(d)
+
+ if options.setattr:
+ for s in options.setattr:
+ s = s.split('=')
+ if len(s) != 2:
+ set_add_usage("set")
+ sys.exit(1)
+ (attr,value) = s
+ group.setValue(attr, value)
+
+ if options.addattr:
+ for a in options.addattr:
+ a = a.split('=')
+ if len(a) != 2:
+ set_add_usage("add")
+ sys.exit(1)
+ (attr,value) = a
+ cvalue = group.getValue(attr)
+ if cvalue:
+ if isinstance(cvalue,str):
+ cvalue = [cvalue]
+ value = cvalue + [value]
+ group.setValue(attr, value)
+
client.update_group(group)
print args[1] + " successfully updated"
- except xmlrpclib.Fault, f:
- print f.faultString
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
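Review bot: `s.split('=')` followed by `len(s) != 2` rejects any value that itself contains `=`, such as a DN or base64 text, in both the `--setattr` and `--addattr` loops; `s.split('=', 1)` and `a.split('=', 1)` would split on the first `=` only. `args[1].split(',')` also passes empty names to `add_user_to_group` and `remove_user_from_group` when the list has a stray comma, and a failure part-way through leaves the earlier users already changed. main() starts and ends outside the hunk.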
diff --git a/ipa-admintools/ipa-listdelegation b/ipa-admintools/ipa-listdelegation
index 54ab346b..6999e5f8 100644
--- a/ipa-admintools/ipa-listdelegation
+++ b/ipa-admintools/ipa-listdelegation
@@ -23,8 +23,10 @@ from optparse import OptionParser
import ipa.ipaclient as ipaclient
import ipa.config
+import operator
import xmlrpclib
import kerberos
+import errno
import ipa.aci
from ipa import ipaerror
@@ -51,12 +53,21 @@ def main():
client = ipaclient.IPAClient()
try:
aci_entry = client.get_aci_entry(aci_fields)
- except ipaerror.IPAError, e:
- print("Delegation list failed: " + str(e))
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
+ except xmlrpclib.ProtocolError, e:
+ print "Unable to connect to IPA server: %s" % (e.errmsg)
+ return 1
+ except ipaerror.IPAError, e:
+ print("Delegation list failed: " + str(e))
+ return 1
aci_str_list = aci_entry.getValues('aci')
if aci_str_list is None:
@@ -75,7 +86,8 @@ def main():
group_dn_to_cn = ipa.aci.extract_group_cns(aci_list, client)
- for a in aci_list:
+ # the operator.itemgetter(0) lets us sort by the name field
+ for a in sorted(aci_list, key=operator.itemgetter(0)):
labels = client.attrs_to_labels(a.attrs)
print "Delegation Name: " + a.name
print "Group " + group_dn_to_cn[a.source_group]
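Review bot: `operator.itemgetter(0)` only works if the ACI objects support indexing and return the name at position 0, which is not visible here. The loop body reads `a.name`, so `sorted(aci_list, key=operator.attrgetter('name'))` states the intent directly, and the explanatory comment above it can then go. main() starts and ends outside the hunk.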
diff --git a/ipa-admintools/ipa-moddelegation b/ipa-admintools/ipa-moddelegation
index 03b0dc4a..103c0586 100644
--- a/ipa-admintools/ipa-moddelegation
+++ b/ipa-admintools/ipa-moddelegation
@@ -32,6 +32,7 @@ import kerberos
import krbV
import ldap
import copy
+import errno
aci_fields = ['*', 'aci']
@@ -142,8 +143,11 @@ def main():
aci_entry.setValue('aci', new_aci_str_list)
client.update_entry(aci_entry)
- except xmlrpclib.Fault, f:
- print f.faultString
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
diff --git a/ipa-admintools/ipa-passwd b/ipa-admintools/ipa-passwd
index 59d30e2e..93cb5f72 100644
--- a/ipa-admintools/ipa-passwd
+++ b/ipa-admintools/ipa-passwd
@@ -29,6 +29,7 @@ import kerberos
import krbV
import ldap
import getpass
+import errno
def usage():
print "ipa-passwd [user]"
@@ -98,6 +99,18 @@ def main():
try:
client = ipaclient.IPAClient()
client.modifyPassword(principal, None, password)
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
+ return 1
+ except kerberos.GSSError, e:
+ print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
+ return 1
+ except xmlrpclib.ProtocolError, e:
+ print "Unable to connect to IPA server: %s" % (e.errmsg)
+ return 1
except ipa.ipaerror.IPAError, e:
print "%s" % (e.message)
return 1
diff --git a/ipa-admintools/ipa-usermod b/ipa-admintools/ipa-usermod
index c220b3f7..9d3e7794 100644
--- a/ipa-admintools/ipa-usermod
+++ b/ipa-admintools/ipa-usermod
@@ -29,9 +29,10 @@ import ipa.config
import xmlrpclib
import kerberos
import ldap
+import errno
def usage():
- print "ipa-usermod [-c|--gecos STRING] [-d|--directory STRING] [-f|--firstname STRING] [-l|--lastname STRING] [-s|--shell STRING] [--add attribute=value] [--del attribute] [--set attribute=value] user"
+ print "ipa-usermod [-a|--activate] [-c|--gecos STRING] [-d|--directory STRING] [-f|--firstname STRING] [-l|--lastname STRING] [-s|--shell STRING] [--add attribute=value] [--del attribute] [--set attribute=value] user"
sys.exit(1)
def set_add_usage(which):
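Review bot: The usage string still advertises `[--add attribute=value] [--del attribute] [--set attribute=value]`, while a later hunk of this file registers the options as `--addattr`, `--delattr` and `--setattr`; the usage line should list the names the parser actually defines. ipa-groupmod's usage text in the same commit already uses the `--addattr`/`--delattr`/`--setattr` spelling, so the two tools would then agree.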
@@ -39,6 +40,8 @@ def set_add_usage(which):
def parse_options():
parser = OptionParser()
+ parser.add_option("-a", "--activate", dest="activate", action="store_true",
+ help="Activate the user")
parser.add_option("-c", "--gecos", dest="gecos",
help="Set the GECOS field")
parser.add_option("-d", "--directory", dest="directory",
@@ -49,12 +52,12 @@ def parse_options():
help="User's last name")
parser.add_option("-s", "--shell", dest="shell",
help="Set user's login shell to shell")
- parser.add_option("--add", dest="addattr",
+ parser.add_option("--addattr", dest="addattr",
help="Adds an attribute or values to that attribute, attr=value",
action="append")
- parser.add_option("--del", dest="delattr",
+ parser.add_option("--delattr", dest="delattr",
help="Remove an attribute", action="append")
- parser.add_option("--set", dest="setattr",
+ parser.add_option("--setattr", dest="setattr",
help="Set an attribute, dropping any existing values that may exist",
action="append")
parser.add_option("-M", "--mailAddress", dest="mail",
@@ -90,7 +93,15 @@ def main():
client = ipaclient.IPAClient()
try:
- user = client.get_user_by_uid(username)
+ attrs = ['*']
+
+ # in case any attributes being modified are operational such as
+ # nsaccountlock. Any attribute to be deleted needs to be included
+ # in the original record so it can be seen as being removed.
+ if options.delattr:
+ for d in options.delattr:
+ attrs.append(d)
+ user = client.get_user_by_uid(username, sattrs=attrs)
except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_NOT_FOUND):
print "User %s not found" % username
return 1
@@ -102,7 +113,7 @@ def main():
return 1
# If any options are set we use just those. Otherwise ask for all of them.
- if options.gn or options.sn or options.directory or options.gecos or options.mail or options.shell or options.addattr or options.delattr or options.setattr:
+ if options.gn or options.sn or options.directory or options.gecos or options.mail or options.shell or options.addattr or options.delattr or options.setattr or options.activate:
givenname = options.gn
lastname = options.sn
gecos = options.gecos
@@ -202,8 +213,7 @@ def main():
if options.delattr:
for d in options.delattr:
- # doesn't truly delete the attribute but does null out the value
- user.setValue(d, '')
+ user.delValue(d)
if options.setattr:
for s in options.setattr:
@@ -228,11 +238,22 @@ def main():
value = cvalue + [value]
user.setValue(attr, value)
-
try:
+ if options.activate:
+ try:
+ client.mark_user_active(user.getValues('uid'))
+ print "User activated successfully."
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ print "User is already marked active"
+ return 0
+ except:
+ raise
client.update_user(user)
- except xmlrpclib.Fault, f:
- print f.faultString
+ except xmlrpclib.Fault, fault:
+ if fault.faultCode == errno.ECONNREFUSED:
+ print "The IPA XML-RPC service is not responding."
+ else:
+ print fault.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
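Review bot: When `-a` is combined with other changes and the user is already active, the `LDAP_EMPTY_MODLIST` branch prints "User is already marked active" and returns 0 before `client.update_user(user)` runs, so the other requested modifications are silently dropped. Let that branch fall through to `client.update_user(user)` instead of returning, handling an empty update there if the server reports one. The `except: raise` clause is a no-op and can be removed. main() starts outside the hunk.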
diff --git a/ipa-admintools/man/ipa-deluser.1 b/ipa-admintools/man/ipa-deluser.1
index ab0303d7..8d82dceb 100644
--- a/ipa-admintools/man/ipa-deluser.1
+++ b/ipa-admintools/man/ipa-deluser.1
@@ -19,14 +19,20 @@
.\"
.TH "ipa-deluser" "1" "Oct 10 2007" "freeipa" ""
.SH "NAME"
-ipa\-deluser \- Delete a user
+ipa\-deluser \- Delete or inactivate a user
.SH "SYNOPSIS"
-ipa\-deluser \fIuser\fR
+ipa\-deluser [\fIOPTION\fR]... \fIuser\fR
.SH "DESCRIPTION"
-Deletes a user with name \fIname\fR.
+Inactivates a user with login name \fIname\fR.
-Users are not completely removed with the command, just marked as inactive.
+By default users are not completely removed. They are marked as inactive. Use the [\-d|\-\-delete] option to completely remove them.
+
+Users are automatically removed from groups when they are deleted. The are not when inactivated.
+.SH "OPTIONS"
+.TP
+\fB\-d\fR, \fB\-\-delete
+Completely remove the user from the database. The default is to mark the user inactive.
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.
diff --git a/ipa-admintools/man/ipa-groupmod.1 b/ipa-admintools/man/ipa-groupmod.1
index 5b992546..5d107de2 100644
--- a/ipa-admintools/man/ipa-groupmod.1
+++ b/ipa-admintools/man/ipa-groupmod.1
@@ -37,5 +37,17 @@ Modify the description of the group
.TP
\fB\-r\fR, \fB\-\-remove\fR=\fIuser1,user2,...usern\fR
Remove one or more users from the group
+
+.TP
+\fB\-\-addattr\fR=\fIattr=value\fR
+Add a new attribute, or value to an existing attribute
+
+.TP
+\fB\-\-delattr\fR=\fIattr=value\fR
+Remove an attribute and all values
+
+.TP
+\fB\-\-setattr\fR=\fIattr=value\fR
+Set an attribute to a new value, removing all old ones
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.
diff --git a/ipa-admintools/man/ipa-usermod.1 b/ipa-admintools/man/ipa-usermod.1
index 760e6d05..43c74e45 100644
--- a/ipa-admintools/man/ipa-usermod.1
+++ b/ipa-admintools/man/ipa-usermod.1
@@ -21,10 +21,10 @@
.SH "NAME"
ipa\-usermod \- Modify a user
.SH "SYNOPSIS"
-ipa\-usermod [\fIOPTION\fR]... \fIgroup\fR
+ipa\-usermod [\fIOPTION\fR]... \fIname\fR
.SH "DESCRIPTION"
-Updates the members or description of \fIgroup\fR.
+Updates the user \fIname\fR.
.SH "OPTIONS"
.TP
\fB\-a\fR, \fB\-\-add\fR=\fIuser1,user2,...usern\fR
@@ -37,5 +37,17 @@ Modify the description of the group
.TP
\fB\-r\fR, \fB\-\-remove\fR=\fIuser1,user2,...usern\fR
Remove one or more users from the group
+
+.TP
+\fB\-\-addattr\fR=\fIattr=value\fR
+Add a new attribute, or value to an existing attribute
+
+.TP
+\fB\-\-delattr\fR=\fIattr=value\fR
+Remove an attribute and all values
+
+.TP
+\fB\-\-setattr\fR=\fIattr=value\fR
+Set an attribute to a new value, removing all old ones
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.