From a11436113b37e371d6843d97b4277fba19c02390 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 5 Jan 2010 15:07:19 +0100 Subject: Add Kerberos Ticket Policy management plugin. --- ipalib/plugins/baseldap.py | 50 +++++++-------- ipalib/plugins/krbtpolicy.py | 144 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 167 insertions(+), 27 deletions(-) create mode 100644 ipalib/plugins/krbtpolicy.py (limited to 'ipalib') diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 98da3ed6..0e4eed1b 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -21,6 +21,7 @@ Base classes for LDAP plugins. """ import re + from ipalib import crud, errors, uuid from ipalib import Command, Method, Object from ipalib import Flag, List, Str @@ -51,6 +52,7 @@ def get_attributes(attrs): return attrlist + class LDAPObject(Object): """ Object representing a LDAP entry. @@ -75,9 +77,11 @@ class LDAPObject(Object): parent_dn = self.api.Object[self.parent_object].get_dn(*keys[:-1]) else: parent_dn = self.container_dn - return self.backend.make_dn_from_attr( - self.primary_key.name, keys[-1], parent_dn - ) + if self.primary_key and keys[-1] is not None: + return self.backend.make_dn_from_attr( + self.primary_key.name, keys[-1], parent_dn + ) + return parent_dn def get_primary_key_from_dn(self, dn): return dn[len(self.primary_key.name) + 1:dn.find(',')] @@ -109,7 +113,7 @@ class LDAPObject(Object): textui.print_attribute('dn', entry[0]) textui.print_entry(entry[1], attr_order=self.attribute_order) else: - if self.primary_key: + if self.primary_key and keys[-1] is not None: textui.print_attribute( self.object_name.capitalize(), keys[-1], indent=0 ) 
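Review bot: LDAPObject.get_dn now falls back to returning `parent_dn` when `keys[-1] is None`, yet the commands that consume that DN (LDAPUpdate and LDAPDelete compute `dn` before their hunks, presumably through get_dn) go on to modify or delete whatever entry comes back, so an object that declares an optional primary key without overriding get_dn would have its container entry targeted when no key is supplied (the new krbtpolicy object does override get_dn, so it is not affected). A guard in those commands, or at least a docstring making the fallback explicit — `"""Return the DN for *keys*; with no primary key, or a None last key, the parent (container) DN is returned instead."""` — would keep the next plugin author from relying on it by accident. Both new `is not None` tests also evaluate `keys[-1]` whenever `primary_key` is set, which raises IndexError on an empty keys tuple; presumably the framework always passes a positional slot for an optional key, but nothing here checks it. The dont_output_for_cli body in the last hunk continues outside the hunk.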
@@ -192,10 +196,9 @@ class LDAPCreate(crud.Create): entry_attrs['dn'] = dn self.obj.convert_attribute_members(entry_attrs, *keys, **options) - return dict( - result=entry_attrs, - value=keys[0], - ) + if self.obj.primary_key and keys[-1] is not None: + return dict(result=entry_attrs, value=keys[-1]) + return dict(result=entry_attrs, value=u'') def dont_output_for_cli(self, textui, entry, *keys, **options): textui.print_name(self.name) @@ -210,7 +213,7 @@ class LDAPCreate(crud.Create): ) elif len(keys) == 1: textui.print_dashed( - 'Created %s "%s".' % (self.obj.object_name, keys[0]) + 'Created %s "%s".' % (self.obj.object_name, keys[-1]) ) else: textui.print_dashed('Created %s.' % self.obj.object_name) @@ -269,11 +272,9 @@ class LDAPRetrieve(LDAPQuery): self.obj.convert_attribute_members(entry_attrs, *keys, **options) entry_attrs['dn'] = dn - return dict( - result=entry_attrs, - value=keys[0], - ) - + if self.obj.primary_key and keys[-1] is not None: + return dict(result=entry_attrs, value=keys[-1]) + return dict(result=entry_attrs, value=u'') def dont_output_for_cli(self, textui, entry, *keys, **options): textui.print_name(self.name) @@ -355,10 +356,9 @@ class LDAPUpdate(LDAPQuery, crud.Update): dn = self.post_callback(ldap, dn, entry_attrs, *keys, **options) self.obj.convert_attribute_members(entry_attrs, *keys, **options) - return dict( - result=entry_attrs, - value=keys[0], - ) + if self.obj.primary_key and keys[-1] is not None: + return dict(result=entry_attrs, value=keys[-1]) + return dict(result=entry_attrs, value=u'') def dont_output_for_cli(self, textui, entry, *keys, **options): textui.print_name(self.name) @@ -373,7 +373,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): ) elif len(keys) == 1: textui.print_dashed( - 'Modified %s "%s".' % (self.obj.object_name, keys[0]) + 'Modified %s "%s".' % (self.obj.object_name, keys[-1]) ) else: textui.print_dashed('Modified %s.' % self.obj.object_name) 
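Review bot: The three-line `if self.obj.primary_key and keys[-1] is not None: return dict(..., value=keys[-1])` / `return dict(..., value=u'')` tail is copied verbatim into LDAPCreate.execute, LDAPRetrieve.execute and LDAPUpdate.execute here, and again into LDAPDelete.execute (next hunk group) and krbtpolicy_reset.execute in the new plugin file. A single helper on LDAPObject, e.g. `def get_primary_key_value(self, keys): return keys[-1] if self.primary_key and keys[-1] is not None else u''`, would let each command end with `return dict(result=entry_attrs, value=self.obj.get_primary_key_value(keys))` and keep the "no primary key means empty value" convention in one place where it can be documented once. Each execute method touched here begins outside its hunk, so the helper call is the only line that would change in them.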
@@ -416,11 +416,9 @@ class LDAPDelete(LDAPQuery): result = self.post_callback(ldap, dn, *keys, **options) - return dict( - result=result, - value=keys[0], - ) - + if self.obj.primary_key and keys[-1] is not None: + return dict(result=result, value=keys[-1]) + return dict(result=result, value=u'') def dont_output_for_cli(self, textui, result, *keys, **options): textui.print_name(self.name) @@ -434,7 +432,7 @@ class LDAPDelete(LDAPQuery): ) elif len(keys) == 1: textui.print_dashed( - 'Deleted %s "%s".' % (self.obj.object_name, keys[0]) + 'Deleted %s "%s".' % (self.obj.object_name, keys[-1]) ) else: textui.print_dashed('Deleted %s.' % self.obj.object_name) @@ -727,8 +725,6 @@ class LDAPSearch(crud.Search): truncated=truncated, ) - - def dont_output_for_cli(self, textui, result, *args, **options): (entries, truncated) = result diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py new file mode 100644 index 00000000..8aa8f0c5 --- /dev/null +++ b/ipalib/plugins/krbtpolicy.py 
@@ -0,0 +1,144 @@ +# Authors: +# Pavel Zuna +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Kerberos ticket policy +""" + +from ipalib import api +from ipalib import Int, Str +from ipalib.plugins.baseldap import * + + +# FIXME: load this from a config file? +_default_values = { + 'krbmaxticketlife': 86400, + 'krbmaxrenewableage': 604800, +} + + +class krbtpolicy(LDAPObject): + """ + Kerberos Ticket Policy object + """ + container_dn = 'cn=%s,cn=kerberos' % api.env.realm + object_name = 'kerberos ticket policy settings' + default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage'] + attribute_names = { + 'krbmaxticketlife': 'maximum life', + 'krbmaxrenewableage': 'maximum renewable age', + } + + takes_params = ( + Str('uid?', + cli_name='user', + doc='manage ticket policy for specific user', + primary_key=True, + ), + Int('krbmaxticketlife?', + cli_name='maxlife', + doc='maximum ticket life', + ), + Int('krbmaxrenewableage?', + cli_name='maxrenew', + doc='maximum renewable age', + ), + ) + + def get_dn(self, *keys, **kwargs): + if keys[-1] is not None: + return self.api.Object.user.get_dn(*keys, **kwargs) + return self.container_dn + +api.register(krbtpolicy) + + +class krbtpolicy_mod(LDAPUpdate): + """ + Modify kerberos ticket policy. 
+ """ + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # disable all flag + # ticket policies are attached to objects with unrelated attributes + if options.get('all'): + options['all'] = False + return dn + +api.register(krbtpolicy_mod) + + +class krbtpolicy_show(LDAPRetrieve): + """ + Display kerberos ticket policy. + """ + def pre_callback(self, ldap, dn, attrs_list, *keys, **options): + # disable all flag + # ticket policies are attached to objects with unrelated attributes + if options.get('all'): + options['all'] = False + return dn + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + if keys[-1] is not None: + # if policy for a specific user isn't set, display global values + if 'krbmaxticketlife' not in entry_attrs or \ + 'krbmaxrenewableage' not in entry_attrs: + res = self.api.Command.krbtpolicy_show() + for a in self.obj.default_attributes: + entry_attrs.setdefault(a, res['result'][a]) + return dn + +api.register(krbtpolicy_show) + + +class krbtpolicy_reset(LDAPQuery): + """ + Reset kerberos ticket policy to default. + """ + has_output = output.standard_entry + + def execute(self, *keys, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(*keys, **options) + + def_values = {} + # if reseting policy for a user - just his values + if keys[-1] is not None: + for a in self.obj.default_attributes: + def_values[a] = None + # if reseting global policy - set values to default + else: + def_values = _default_values + + try: + ldap.update_entry(dn, def_values) + except errors.EmptyModlist: + pass + + if keys[-1] is not None: + # policy for user was deleted, retrieve global policy + dn = self.obj.get_dn(None) + (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) + + if keys[-1] is not None: + return dict(result=entry_attrs, value=keys[-1]) + return dict(result=entry_attrs, value=u'') + +api.register(krbtpolicy_reset) + -- cgit