authorNathaniel McCallum <npmccallum@redhat.com>2013-04-11 13:24:46 -0400
committerMartin Kosek <mkosek@redhat.com>2013-05-17 09:30:51 +0200
commitcb689354357d5311e7ecb231a34e867c23b8a803 (patch)
treeea1e582e74be91db9abd94d3fdab007cea9a72fd /ipaserver
parentbc26d87b3445b26b5d33235c1dfeedb7a11cdfc8 (diff)
Add IPA OTP schema and ACLs
This commit adds schema support for two-factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two-factor authentication directly. https://fedorahosted.org/freeipa/ticket/3365 http://freeipa.org/page/V3/OTP
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/dsinstance.py3
-rw-r--r--ipaserver/install/plugins/update_anonymous_aci.py25
2 files changed, 20 insertions, 8 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3b841417..046480f0 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -411,7 +411,8 @@ class DsInstance(service.Service):
"60basev3.ldif",
"60ipadns.ldif",
"61kerberos-ipav3.ldif",
- "65ipasudo.ldif"):
+ "65ipasudo.ldif",
+ "70ipaotp.ldif"):
target_fname = schema_dirname(self.serverid) + schema_fname
shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
os.chmod(target_fname, 0440) # read access for dirsrv user/group
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
index 2b7446ad..1e75113f 100644
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ b/ipaserver/install/plugins/update_anonymous_aci.py
@@ -20,8 +20,6 @@
from copy import deepcopy
from ipaserver.install.plugins import FIRST, LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
-#from ipalib.frontend import Updater
-#from ipaserver.install.plugins import baseupdate
from ipalib import api
from ipalib.aci import ACI
from ipalib.plugins import aci
@@ -37,6 +35,8 @@ class update_anonymous_aci(PostUpdate):
aciname = u'Enable Anonymous access'
aciprefix = u'none'
ldap = self.obj.backend
+ targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))'
+ filter = None
(dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
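Review bot: `filter = None` shadows the Python builtin `filter`, and the same name is then read in the hunks at @@ -45 (`filter = rawfilter['expression']`), @@ -54 (`filter == targetfilter`) and @@ -67 (`filter != targetfilter`); renaming it to `current_filter` in all four places removes the shadowing without changing behaviour. The target filter is also a single 140-character literal that spells out four object classes by hand; building it from a tuple, `token_classes = ('ipaToken', 'ipatokenTOTP', 'ipatokenRadiusProxyUser', 'ipatokenRadiusConfiguration')` and `targetfilter = '(&%s)' % ''.join('(!(objectClass=%s))' % oc for oc in token_classes)`, makes the excluded classes visible at a glance. That list is the only thing keeping token and RADIUS configuration entries out of anonymous read access, so a comment such as `# Object classes that must never be readable anonymously; keep in sync with the OTP schema (70ipaotp.ldif)` would tell a later maintainer that adding a token class to the schema without adding it here presumably leaves such entries anonymously readable. The enclosing method starts before this hunk.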
@@ -45,6 +45,9 @@ class update_anonymous_aci(PostUpdate):
rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
attrs = rawaci.target['targetattr']['expression']
+ rawfilter = rawaci.target.get('targetfilter', None)
+ if rawfilter is not None:
+ filter = rawfilter['expression']
update_attrs = deepcopy(attrs)
@@ -54,12 +57,10 @@ class update_anonymous_aci(PostUpdate):
needed_attrs.append(attr)
update_attrs.extend(needed_attrs)
- if len(attrs) == len(update_attrs):
+ if (len(attrs) == len(update_attrs) and
+ filter == targetfilter):
root_logger.debug("Anonymous ACI already update-to-date")
return (False, False, [])
- else:
- root_logger.debug("New Anonymous ACI attributes needed: %s",
- needed_attrs)
for tmpaci in acistrs:
candidate = ACI(tmpaci)
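Review bot: The extended up-to-date check compares the stored targetfilter with the expected one by exact string equality, so any anonymous ACI whose filter differs textually — including one an administrator deliberately tightened or reordered — is now rewritten to the hard-coded filter on every update run, and nothing in the hunk documents that this is intended. A comment on the new condition, `# Exact match required: a locally modified targetfilter is reverted to the canonical one below`, would make the enforcement explicit. It would also help to extend the early-return debug message to say which of the two conditions held, since after this change "already update-to-date" can mean attributes, filter, or both. The enclosing method starts before this hunk and continues after it.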
@@ -67,7 +68,17 @@ class update_anonymous_aci(PostUpdate):
acistrs.remove(tmpaci)
break
- rawaci.target['targetattr']['expression'] = update_attrs
+ if len(attrs) != len(update_attrs):
+ root_logger.debug("New Anonymous ACI attributes needed: %s",
+ needed_attrs)
+
+ rawaci.target['targetattr']['expression'] = update_attrs
+
+ if filter != targetfilter:
+ root_logger.debug("New Anonymous ACI targetfilter needed.")
+
+ rawaci.set_target_filter(targetfilter)
+
acistrs.append(unicode(rawaci))
entry_attrs['aci'] = acistrs