authorRob Crittenden <rcritten@redhat.com>2007-11-20 22:45:29 -0500
committerRob Crittenden <rcritten@redhat.com>2007-11-20 22:45:29 -0500
commitf42f1f44c81e15ac9ecbc6684cbc4dfc9395fd42 (patch)
tree5e3907c33efe15f9a7f04bc973a341d0851b6dd4 /ipa-server/xmlrpc-server
parent56d67b86e18112c9f059e7bcd3ac51fc21f941af (diff)
Enable group inactivation by using the Class of Service plugin.
This adds 2 new groups: activated and inactivated. If you, or a group you are a member of, is in inactivated then you are too. If you, or a group you are a member of, is in the activated group, then you are too. In a fight between activated and inactivated, activated wins. The DNs used for this matching are case and white-space sensitive. The goal is to never have to set nsAccountLock on a user directly but instead move them between these groups. We need to decide where in the CLI this will happen. Right now it is split between ipa-deluser and ipa-usermod. To inactivate a group for now, just add the group to inactivated or activated.
Diffstat (limited to 'ipa-server/xmlrpc-server')
-rw-r--r--ipa-server/xmlrpc-server/funcs.py104
-rw-r--r--ipa-server/xmlrpc-server/ipaxmlrpc.py5
2 files changed, 92 insertions, 17 deletions
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 85d22993..5c9f0cf6 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -36,6 +36,7 @@ import string
from types import *
import os
import re
+import logging
try:
from threading import Lock
@@ -49,6 +50,11 @@ ACIContainer = "cn=accounts"
DefaultUserContainer = "cn=users,cn=accounts"
DefaultGroupContainer = "cn=groups,cn=accounts"
+# FIXME: need to check the ipadebug option in ipa.conf
+logging.basicConfig(level=logging.DEBUG,
+ format='%(asctime)s %(levelname)s %(message)s',
+ stream=sys.stderr)
+
#
# Apache runs in multi-process mode so each process will have its own
# connection. This could theoretically drive the total number of connections
@@ -674,26 +680,80 @@ class IPAServer:
else:
raise
- def mark_user_deleted (self, uid, opts=None):
- """Mark a user as inactive in LDAP. We aren't actually deleting
- users here, just making it so they can't log in, etc."""
- user = self.get_user_by_uid(uid, ['dn', 'uid', 'nsAccountlock'], opts)
+ def mark_entry_active (self, dn, opts=None):
+ """Mark an entry as active in LDAP."""
- # Are we doing an add or replace operation?
- if user.has_key('nsaccountlock'):
- if user['nsaccountlock'] == "true":
- return "already marked as deleted"
- has_key = True
- else:
- has_key = False
+ # This can be tricky. The entry itself can be marked inactive
+ # by being in the inactivated group. It can also be inactivated by
+ # being the member of an inactive group.
+ #
+ # First we try to remove the entry from the inactivated group. Then
+ # if it is still inactive we have to add it to the activated group
+ # which will override the group membership.
+
+ logging.debug("IPA: activating entry %s" % dn)
+
+ res = ""
+ # First, check the entry status
+ entry = self.get_entry_by_dn(dn, ['dn', 'nsAccountlock'], opts)
+
+ if entry.get('nsaccountlock', 'false') == "false":
+ logging.debug("IPA: already active")
+ raise ipaerror.gen_exception(ipaerror.LDAP_EMPTY_MODLIST)
+
+ group = self.get_entry_by_cn("inactivated", None, opts)
+ res = self.remove_member_from_group(entry.get('dn'), group.get('dn'), opts)
+
+ # Now they aren't a member of inactivated directly, what is the status
+ # now?
+ entry = self.get_entry_by_dn(dn, ['dn', 'nsAccountlock'], opts)
+
+ if entry.get('nsaccountlock', 'false') == "false":
+ # great, we're done
+ logging.debug("IPA: removing from inactivated did it.")
+ return res
+
+ # So still inactive, add them to activated
+ group = self.get_entry_by_cn("activated", None, opts)
+ res = self.add_member_to_group(dn, group.get('dn'), opts)
+ logging.debug("IPA: added to activated.")
- conn = self.getConnection(opts)
- try:
- res = conn.inactivateEntry(user['dn'], has_key)
- finally:
- self.releaseConnection(conn)
return res
+ def mark_entry_inactive (self, dn, opts=None):
+ """Mark an entry as inactive in LDAP."""
+
+ logging.debug("IPA: inactivating entry %s" % dn)
+
+ entry = self.get_entry_by_dn(dn, ['dn', 'nsAccountlock', 'memberOf'], opts)
+
+ if entry.get('nsaccountlock', 'false') == "true":
+ logging.debug("IPA: already marked as inactive")
+ raise ipaerror.gen_exception(ipaerror.LDAP_EMPTY_MODLIST)
+
+ # First see if they are in the activated group as this will override
+ # the our inactivation.
+ group = self.get_entry_by_cn("activated", None, opts)
+ self.remove_member_from_group(dn, group.get('dn'), opts)
+
+ # Now add them to inactivated
+ group = self.get_entry_by_cn("inactivated", None, opts)
+ res = self.add_member_to_group(dn, group.get('dn'), opts)
+
+ return res
+
+ def mark_user_active(self, uid, opts=None):
+ """Mark a user as active"""
+
+ user = self.get_user_by_uid(uid, ['dn', 'uid'], opts)
+ return self.mark_entry_active(user.get('dn'))
+
+ def mark_user_inactive(self, uid, opts=None):
+ """Mark a user as inactive"""
+
+ user = self.get_user_by_uid(uid, ['dn', 'uid'], opts)
+ return self.mark_entry_inactive(user.get('dn'))
+
def delete_user (self, uid, opts=None):
"""Delete a user. Not to be confused with inactivate_user. This
makes the entry go away completely.
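Review bot: `mark_user_active` and `mark_user_inactive` accept `opts` but drop it on the delegating call (`return self.mark_entry_active(user.get('dn'))` and its inactive twin), so the entry lookups and group modifications inside `mark_entry_active`/`mark_entry_inactive` run with `opts=None` rather than the calling user's connection context — the lock/unlock is performed under whatever identity `getConnection(None)` yields instead of the authenticated caller. Pass it through: `return self.mark_entry_active(user.get('dn'), opts)` and `return self.mark_entry_inactive(user.get('dn'), opts)`. Separately, `get_entry_by_cn("activated", None, opts)` resolves the control groups by cn alone; if that helper searches beyond the group container, any entry whose cn happens to collide would become the membership target, so anchoring the lookup to `DefaultGroupContainer` would be safer. `delete_user` continues past the end of the hunk.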
@@ -1215,6 +1275,18 @@ class IPAServer:
return entries
+ def mark_group_active(self, cn, opts=None):
+ """Mark a group as active"""
+
+ group = self.get_entry_by_cn(cn, ['dn', 'cn'], opts)
+ return self.mark_entry_active(group.get('dn'))
+
+ def mark_group_inactive(self, cn, opts=None):
+ """Mark a group as inactive"""
+
+ group = self.get_entry_by_cn(cn, ['dn', 'uid'], opts)
+ return self.mark_entry_inactive(group.get('dn'))
+
# Configuration support
def get_ipa_config(self, opts=None):
"""Retrieve the IPA configuration"""
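Review bot: `mark_group_inactive` requests `['dn', 'uid']` where its sibling `mark_group_active` requests `['dn', 'cn']`; groups carry no uid, so this looks like a copy-paste slip and should read `group = self.get_entry_by_cn(cn, ['dn', 'cn'], opts)`. Both wrappers also drop `opts` when delegating, so the lock/unlock runs without the caller's context — `return self.mark_entry_inactive(group.get('dn'), opts)` and likewise for the active case. Nothing here stops a caller from inactivating the `activated`/`inactivated` control groups themselves or an administrative group; since inactivating a group locks every member, a guard that rejects those cn values before delegating would be cheap and worth adding. `get_ipa_config` continues past the end of the hunk.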
diff --git a/ipa-server/xmlrpc-server/ipaxmlrpc.py b/ipa-server/xmlrpc-server/ipaxmlrpc.py
index 23bdcec1..789233c9 100644
--- a/ipa-server/xmlrpc-server/ipaxmlrpc.py
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py
@@ -332,7 +332,10 @@ def handler(req, profiling=False):
h.register_function(f.find_users)
h.register_function(f.update_user)
h.register_function(f.delete_user)
- h.register_function(f.mark_user_deleted)
+ h.register_function(f.mark_user_active)
+ h.register_function(f.mark_user_inactive)
+ h.register_function(f.mark_group_active)
+ h.register_function(f.mark_group_inactive)
h.register_function(f.modifyPassword)
h.register_function(f.get_groups_by_member)
h.register_function(f.add_group)
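Review bot: The four newly registered handlers carry no authorization visible in this hunk; whether a caller may lock or unlock another account, or an entire group, is left to the directory ACIs on the `member` attribute of the `activated`/`inactivated` groups, and removing an entry from `inactivated` is now equivalent to unlocking it. It is worth confirming those ACIs are at least as tight as the ones that governed writing nsAccountLock directly, and recording that next to the registrations, e.g. `# (in)activation is authorized by the ACIs on the activated/inactivated groups' member attribute`. `mark_user_deleted` is no longer registered, so any client still calling it will get an unknown-method fault; the commit message notes the CLI split is not yet settled. `handler` starts and ends outside this hunk.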