author | Rob Crittenden <rcritten@redhat.com> | 2009-12-16 16:04:53 -0500 |
committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-12-16 19:26:59 -0700 |
commit | c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce (patch) | |
tree | a4019f771531ab227791515b49cc8f632bb3afff /ipalib/plugins/host.py | |
parent | 585540e0a2d28d0e275dcb17d317880ff1a6d80f (diff) | |
download | freeipa-c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce.tar.gz freeipa-c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce.tar.xz freeipa-c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce.zip |
Make hosts more like real services so we can issue certs for host principals
This patch should make joining a client to the domain and using certmonger
to get an initial certificate work.
Diffstat (limited to 'ipalib/plugins/host.py')
-rw-r--r-- | ipalib/plugins/host.py | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index dd19362b..3d59be7c 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -26,10 +26,12 @@
 import os
 import sys
 from ipalib import api, errors, util
-from ipalib import Str, Flag
+from ipalib import Str, Flag, Bytes
 from ipalib.plugins.baseldap import *
 from ipalib.plugins.service import split_principal
+from ipalib.plugins.service import validate_certificate
 from ipalib import _, ngettext
+import base64
 
 
 def validate_host(ugettext, fqdn):
@@ -48,11 +50,11 @@ class host(LDAPObject):
 container_dn = api.env.container_host
 object_name = 'host'
 object_name_plural = 'hosts'
-object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser']
+object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser', 'ipaservice']
 # object_class_config = 'ipahostobjectclasses'
 default_attributes = [
 'fqdn', 'description', 'localityname', 'nshostlocation',
-'nshardwareplatform', 'nsosversion'
+'nshardwareplatform', 'nsosversion', 'usercertificate',
 ]
 uuid_attribute = 'ipauniqueid'
 attribute_names = {
@@ -107,6 +109,10 @@ class host(LDAPObject):
 label='User password',
 doc='Password used in bulk enrollment',
 ),
+Bytes('usercertificate?', validate_certificate,
+cli_name='certificate',
+doc='base-64 encoded server certificate',
+),
 )
 
 def get_dn(self, *keys, **options):
@@ -148,6 +154,7 @@ class host_add(LDAPCreate):
 entry_attrs['objectclass'].append('krbprincipal')
 elif 'krbprincipalaux' in entry_attrs['objectclass']:
 entry_attrs['objectclass'].remove('krbprincipalaux')
+entry_attrs['managedby'] = dn
 return dn
 
 api.register(host_add)
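Review bot: The host_add hunk (at -148) sets `managedby` but does nothing with `usercertificate`, even though the new `Bytes('usercertificate?', validate_certificate, ...)` param is declared on the host object; if host-add accepts `--certificate` through that param, the value would presumably reach LDAP still base64-encoded, whereas host_mod decodes it with `base64.b64decode` before writing. Either decode it here the same way — `cert = entry_attrs.get('usercertificate')` / `if cert:` / `entry_attrs['usercertificate'] = base64.b64decode(cert)` — or document that a certificate can only be set via host-mod. The self-management line deserves a why-comment, since the commit message explains it but the code does not, e.g. `# a host manages itself so its own principal can request its certificate`. pre_callback's body starts outside the hunk.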
@@ -209,6 +216,18 @@ class host_mod(LDAPUpdate):
 if 'krbprincipalaux' not in obj_classes:
 obj_classes.append('krbprincipalaux')
 entry_attrs['objectclass'] = obj_classes
+cert = entry_attrs.get('usercertificate')
+if cert:
+(dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
+if 'usercertificate' in entry_attrs_old:
+# FIXME: what to do here? do we revoke the old cert?
+fmt = 'entry already has a certificate, serial number: %s' % (
+get_serial(entry_attrs_old['usercertificate'])
+)
+raise errors.GenericError(format=fmt)
+# FIXME: should be in normalizer; see service_add
+entry_attrs['usercertificate'] = base64.b64decode(cert)
+
 return dn
 
 api.register(host_mod)
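Review bot: The "entry already has a certificate" guard is a read-then-write: `ldap.get_entry` runs in pre_callback and the modify that stores `entry_attrs['usercertificate']` happens later, outside the hunk, so two host-mod calls racing on the same entry can both see no certificate and the later write silently replaces the earlier one. Mark it as such, e.g. `# not atomic: a concurrent host-mod can still replace the certificate`, or move the existence check into the write itself. The first FIXME is a real gap rather than a cosmetic one — a replaced certificate is never revoked and stays valid until it expires — so the param doc should say that replacing a certificate does not revoke the old one until that is handled. host_mod's pre_callback begins outside the hunk.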