authorRob Crittenden <rcritten@redhat.com>2007-11-20 22:45:29 -0500
committerRob Crittenden <rcritten@redhat.com>2007-11-20 22:45:29 -0500
commitf42f1f44c81e15ac9ecbc6684cbc4dfc9395fd42 (patch)
tree5e3907c33efe15f9a7f04bc973a341d0851b6dd4 /ipa-admintools
parent56d67b86e18112c9f059e7bcd3ac51fc21f941af (diff)
Enable group inactivation by using the Class of Service plugin.
This adds 2 new groups: activated and inactivated. If you, or a group you are a member of, is in inactivated then you are too. If you, or a group you are a member of, is in the activated group, then you are too. In a fight between activated and inactivated, activated wins. The DNs used for this matching are case and white space sensitive. The goal is to never have to actually set nsAccountLock in a user directly but move them between these groups. We need to decide where in the CLI this will happen. Right now it is split between ipa-deluser and ipa-usermod. To inactivate groups, for now just add the group to the inactivated or activated group.
Diffstat (limited to 'ipa-admintools')
-rw-r--r--ipa-admintools/ipa-deluser11
-rw-r--r--ipa-admintools/ipa-usermod16
2 files changed, 20 insertions, 7 deletions
diff --git a/ipa-admintools/ipa-deluser b/ipa-admintools/ipa-deluser
index 3112420a..02ba5f13 100644
--- a/ipa-admintools/ipa-deluser
+++ b/ipa-admintools/ipa-deluser
@@ -57,11 +57,14 @@ def main():
ret = client.delete_user(args[1])
msg = "deleted"
else:
- ret = client.mark_user_deleted(args[1])
- if (ret == "Success"):
+ try:
+ ret = client.mark_user_inactive(args[1])
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ print "User is already marked inactive"
+ return 0
+ except:
+ raise
print args[1] + " successfully %s" % msg
- else:
- print args[1] + " " + ret
except xmlrpclib.Fault, fault:
if fault.faultCode == errno.ECONNREFUSED:
print "The IPA XML-RPC service is not responding."
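Review bot: The success line `print args[1] + " successfully %s" % msg` now runs without looking at `ret`, because the old `if (ret == "Success")` / `else` pair was removed; if `mark_user_inactive` can report a failure through its return value rather than by raising, that failure is announced as success. Inactivation is what cuts off the account's access, so a false "successfully" can leave an operator believing a user is locked out when they are not. If every failure is guaranteed to raise, drop the unused `ret =` assignment and say so in a comment; otherwise keep a check such as `if ret != "Success": print args[1] + " " + ret`, followed by a non-zero return. The `except:` / `raise` pair is a no-op and can be deleted, and `msg` is assigned outside the hunk, so confirm its wording matches inactivation rather than deletion. main() begins and ends outside the hunk.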
diff --git a/ipa-admintools/ipa-usermod b/ipa-admintools/ipa-usermod
index 9ebddd2c..9d3e7794 100644
--- a/ipa-admintools/ipa-usermod
+++ b/ipa-admintools/ipa-usermod
@@ -32,7 +32,7 @@ import ldap
import errno
def usage():
- print "ipa-usermod [-c|--gecos STRING] [-d|--directory STRING] [-f|--firstname STRING] [-l|--lastname STRING] [-s|--shell STRING] [--add attribute=value] [--del attribute] [--set attribute=value] user"
+ print "ipa-usermod [-a|--activate] [-c|--gecos STRING] [-d|--directory STRING] [-f|--firstname STRING] [-l|--lastname STRING] [-s|--shell STRING] [--add attribute=value] [--del attribute] [--set attribute=value] user"
sys.exit(1)
def set_add_usage(which):
@@ -40,6 +40,8 @@ def set_add_usage(which):
def parse_options():
parser = OptionParser()
+ parser.add_option("-a", "--activate", dest="activate", action="store_true",
+ help="Activate the user")
parser.add_option("-c", "--gecos", dest="gecos",
help="Set the GECOS field")
parser.add_option("-d", "--directory", dest="directory",
@@ -111,7 +113,7 @@ def main():
return 1
# If any options are set we use just those. Otherwise ask for all of them.
- if options.gn or options.sn or options.directory or options.gecos or options.mail or options.shell or options.addattr or options.delattr or options.setattr:
+ if options.gn or options.sn or options.directory or options.gecos or options.mail or options.shell or options.addattr or options.delattr or options.setattr or options.activate:
givenname = options.gn
lastname = options.sn
gecos = options.gecos
@@ -236,8 +238,16 @@ def main():
value = cvalue + [value]
user.setValue(attr, value)
-
try:
+ if options.activate:
+ try:
+ client.mark_user_active(user.getValues('uid'))
+ print "User activated successfully."
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ print "User is already marked active"
+ return 0
+ except:
+ raise
client.update_user(user)
except xmlrpclib.Fault, fault:
if fault.faultCode == errno.ECONNREFUSED:
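Review bot: The `return 0` in the `LDAP_EMPTY_MODLIST` handler exits before `client.update_user(user)`, so when `--activate` is combined with other options (for example `--shell`) on an account that is already active, the remaining changes are silently dropped and the tool still exits 0. Keeping only `print "User is already marked active"` in that handler, and deleting both the `return 0` and the no-op `except:` / `raise`, lets the update proceed. `user.getValues('uid')` is passed here where ipa-deluser passes the plain string `args[1]`; if `getValues` can return a list for a multi-valued attribute, the call should take a single value explicitly. Activation is also committed before `update_user`, so a failure there leaves the account re-enabled with the other edits unapplied, which deserves a comment or a reordering. main() continues outside the hunk.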