diff options
author | Jason Gerard DeRose <jderose@redhat.com> | 2008-10-13 15:39:14 -0600 |
---|---|---|
committer | Jason Gerard DeRose <jderose@redhat.com> | 2008-10-13 15:39:14 -0600 |
commit | 367143adf35039d2e5c0edfd55f4112087d2bebb (patch) | |
tree | a905df2f460af2bb40450eedfe95c2f4d81a7454 /ipalib | |
parent | 225e2b0c939d81b490c955762e125e8afcd5bb94 (diff) | |
parent | 6d2705b363e95b5bd692b695cdcbbfcbca6d12b9 (diff) | |
download | freeipa-367143adf35039d2e5c0edfd55f4112087d2bebb.tar.gz freeipa-367143adf35039d2e5c0edfd55f4112087d2bebb.tar.xz freeipa-367143adf35039d2e5c0edfd55f4112087d2bebb.zip |
Merge branch 'master' of git://git.engineering.redhat.com/users/rcritten/freeipa2
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/errors.py | 42 | ||||
-rw-r--r-- | ipalib/plugins/f_delegation.py | 2 | ||||
-rw-r--r-- | ipalib/plugins/f_pwpolicy.py | 100 | ||||
-rw-r--r-- | ipalib/plugins/f_user.py | 38 |
4 files changed, 166 insertions, 16 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py index d0d917f6..f1c9e26e 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -286,57 +286,73 @@ class SameGroupError(InputError): """You can't add a group to itself""" faultCode = 1008 +class NotGroupMember(InputError): + """This entry is not a member of the group""" + faultCode = 1009 + class AdminsImmutable(InputError): """The admins group cannot be renamed""" - faultCode = 1009 + faultCode = 1010 class UsernameTooLong(InputError): """The requested username is too long""" - faultCode = 1010 + faultCode = 1011 class PrincipalError(GenericError): """There is a problem with the kerberos principal""" - faultCode = 1011 + faultCode = 1012 class MalformedServicePrincipal(PrincipalError): """The requested service principal is not of the form: service/fully-qualified host name""" - faultCode = 1012 + faultCode = 1013 class RealmMismatch(PrincipalError): """The realm for the principal does not match the realm for this IPA server""" - faultCode = 1013 + faultCode = 1014 class PrincipalRequired(PrincipalError): """You cannot remove IPA server service principals""" - faultCode = 1014 + faultCode = 1015 class InactivationError(GenericError): """This entry cannot be inactivated""" - faultCode = 1015 + faultCode = 1016 + +class AlreadyActiveError(InactivationError): + """This entry is already locked""" + faultCode = 1017 + +class AlreadyInactiveError(InactivationError): + """This entry is already unlocked""" + faultCode = 1018 + +class HasNSAccountLock(InactivationError): + """This entry appears to have the nsAccountLock attribute in it so the Class of Service activation/inactivation will not work. You will need to remove the attribute nsAccountLock for this to work.""" + faultCode = 1019 class ConnectionError(GenericError): """Connection to database failed""" - faultCode = 1016 + faultCode = 1020 class NoCCacheError(GenericError): """No Kerberos credentials cache is available. Connection cannot be made""" - faultCode = 1017 + faultCode = 1021 class GSSAPIError(GenericError): """GSSAPI Authorization error""" - faultCode = 1018 + faultCode = 1022 class ServerUnwilling(GenericError): """Account inactivated. Server is unwilling to perform""" - faultCode = 1018 + faultCode = 1023 class ConfigurationError(GenericError): """A configuration error occurred""" - faultCode = 1019 + faultCode = 1024 class DefaultGroup(ConfigurationError): """You cannot remove the default users group""" - faultCode = 1020 + faultCode = 1025 class FunctionDeprecated(GenericError): """Raised by a deprecated function""" diff --git a/ipalib/plugins/f_delegation.py b/ipalib/plugins/f_delegation.py index 762df1db..1fb2b4f9 100644 --- a/ipalib/plugins/f_delegation.py +++ b/ipalib/plugins/f_delegation.py @@ -40,7 +40,7 @@ class delegation(frontend.Object): 'target', Param('name', primary_key=True) ) -api.register(user) +api.register(delegation) class delegation_add(crud.Add): diff --git a/ipalib/plugins/f_pwpolicy.py b/ipalib/plugins/f_pwpolicy.py new file mode 100644 index 00000000..36e232dc --- /dev/null +++ b/ipalib/plugins/f_pwpolicy.py @@ -0,0 +1,100 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2008 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +""" +Frontend plugins for password policy. +""" + +from ipalib import frontend +from ipalib import crud +from ipalib.frontend import Param +from ipalib import api +from ipalib import errors +from ipalib import ipa_types +from ipa_server import servercore +from ipa_server import ipaldap +import ldap + + +class pwpolicy_mod(frontend.Command): + 'Edit existing password policy.' + # FIXME, switch to more human-readable names at some point + takes_options = ( + Param('krbmaxpwdlife?', type=ipa_types.Int(), doc='Max. Password Lifetime (days)'), + Param('krbminpwdlife?', type=ipa_types.Int(), doc='Min. Password Lifetime (hours)'), + Param('krbpwdhistorylength?', type=ipa_types.Int(), doc='Password History Size'), + Param('krbpwdmindiffchars?', type=ipa_types.Int(), doc='Min. Number of Character Classes'), + Param('krbpwdminlength?', type=ipa_types.Int(), doc='Min. Length of Password'), + ) + def execute(self, *args, **kw): + # Get the existing policy entry + oldpolicy = servercore.get_entry_by_cn("accounts", None) + + # Convert the existing policy into an entry object + dn = oldpolicy.get('dn') + del oldpolicy['dn'] + entry = ipaldap.Entry((dn, servercore.convert_scalar_values(oldpolicy))) + + # FIXME: if the user passed no options should we return something + # more than No modifications to be performed? + + policy = kw + + # The LDAP routines want strings, not ints, so convert a few + # things. Otherwise it sees a string -> int conversion as a change. + for k in policy.iterkeys(): + if k.startswith("krb", 0, 3): + policy[k] = str(policy[k]) + + # Convert hours and days to seconds + if policy.get('krbmaxpwdlife'): + policy['krbmaxpwdlife'] = str(int(policy.get('krbmaxpwdlife')) * 86400) + if policy.get('krbminpwdlife'): + policy['krbminpwdlife'] = str(int(policy.get('krbminpwdlife')) * 3600) + # Update the values passed-in + for p in policy: + # Values need to be strings, not integers + entry.setValues(p, str(policy[p])) + + result = servercore.update_entry(entry.toDict()) + + return result + def forward(self, *args, **kw): + result = super(pwpolicy_mod, self).forward(*args, **kw) + if result: + print "Policy modified" +api.register(pwpolicy_mod) + + +class pwpolicy_show(frontend.Command): + 'Retrieve current password policy' + def execute(self, *args, **kw): + policy = servercore.get_entry_by_cn("accounts", None) + + # convert some values for display purposes + policy['krbmaxpwdlife'] = str(int(policy.get('krbmaxpwdlife')) / 86400) + policy['krbminpwdlife'] = str(int(policy.get('krbminpwdlife')) / 3600) + + return policy + + def forward(self, *args, **kw): + result = super(pwpolicy_show, self).forward(*args, **kw) + if not result: return + print result +api.register(pwpolicy_show) diff --git a/ipalib/plugins/f_user.py b/ipalib/plugins/f_user.py index 9dbc93cb..ff459b3d 100644 --- a/ipalib/plugins/f_user.py +++ b/ipalib/plugins/f_user.py @@ -26,6 +26,7 @@ from ipalib import crud from ipalib.frontend import Param from ipalib import api from ipalib import errors +from ipalib import ipa_types from ipa_server import servercore from ipa_server import ipaldap import ldap @@ -136,7 +137,7 @@ class user_add(crud.Add): user['gidnumber'] = default_group.get('gidnumber') except errors.NotFound: # Fake an LDAP error so we can return something useful to the user - raise ipalib.NotFound, "The default group for new users, '%s', cannot be found." % config.get('ipadefaultprimarygroup') + raise errors.NotFound, "The default group for new users, '%s', cannot be found." % config.get('ipadefaultprimarygroup') except Exception, e: # catch everything else raise e @@ -203,7 +204,9 @@ class user_mod(crud.Mod): 'Edit an existing user.' def execute(self, *args, **kw): uid=args[0] - result = servercore.get_sub_entry(servercore.basedn, "uid=%s" % uid, ["*"]) + + # Get the existing user entry + result = servercore.get_sub_entry("cn=accounts," + servercore.basedn, "uid=%s" % uid, ["*"]) user = kw dn = result.get('dn') @@ -263,3 +266,34 @@ class user_show(crud.Get): except errors.NotFound: print "User %s not found" % args[0] api.register(user_show) + +class user_lock(frontend.Command): + 'Lock a user account.' + takes_args = ( + Param('uid', primary_key=True), + ) + def execute(self, *args, **kw): + uid = args[0] + user = servercore.get_user_by_uid(uid, ['dn', 'uid']) + return servercore.mark_entry_inactive(user['dn']) + def forward(self, *args, **kw): + result = super(user_lock, self).forward(*args, **kw) + if result: + print "User locked" +api.register(user_lock) + +class user_unlock(frontend.Command): + 'Unlock a user account.' + takes_args = ( + Param('uid', primary_key=True), + ) + def execute(self, *args, **kw): + uid = args[0] + user = servercore.get_user_by_uid(uid, ['dn', 'uid']) + return servercore.mark_entry_active(user['dn']) + def forward(self, *args, **kw): + result = super(user_unlock, self).forward(*args, **kw) + if result: + print "User unlocked" +api.register(user_unlock) + |