From 80c4ed7af26b5b6a581ccc8e0a9e65e53e43cc4c Mon Sep 17 00:00:00 2001
From: John Dennis
Date: Tue, 6 Nov 2007 16:26:10 -0500
Subject: remove offensive use of rpm add the radiusprofile to the list of objectclasses used when creating a user
---
 ipa-server/xmlrpc-server/funcs.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'ipa-server/xmlrpc-server/funcs.py')
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 17a578c2..6fdaaca5 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -443,7 +443,7 @@ class IPAServer:
 # some required objectclasses
 entry.setValues('objectClass', 'top', 'person', 'organizationalPerson',
- 'inetOrgPerson', 'inetUser', 'posixAccount', 'krbPrincipalAux')
+ 'inetOrgPerson', 'inetUser', 'posixAccount', 'krbPrincipalAux', 'radiusprofile')
 # fill in our new entry with everything sent by the user
 for u in user:
-- cgit
From eab5a89d4a3e8159348b5a709cd4401c9784f058 Mon Sep 17 00:00:00 2001
From: John Dennis
Date: Tue, 13 Nov 2007 20:05:02 -0500
Subject: ipa-addradiusclient now working
---
 ipa-server/xmlrpc-server/funcs.py | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
(limited to 'ipa-server/xmlrpc-server/funcs.py')
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 8169b446..7c53e6d0 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -456,22 +456,38 @@ class IPAServer:
 self.releaseConnection(conn)
 return res
+ def __is_radius_client_unique(self, ip_addr, opts):
+ """Return 1 if the radius client is unique in the tree, 0 otherwise."""
+ ip_addr = self.__safe_filter(ip_addr)
+ basedn = 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.basedn # FIXME, should not be hardcoded
+
+ filter = "(&(radiusClientNASIpAddress=%s)(objectclass=radiusClientProfile))" % ip_addr
+
+ try:
+ entry = self.__get_sub_entry(basedn, filter, ['dn','uid'], opts)
+ return 0
+ except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ return 1
+
 def add_radius_client (self, client, opts=None):
+ print "add_radius_client:"
 client_container = 'cn=clients,cn=radius,cn=services,cn=etc' # FIXME, should not be hardcoded
- if self.__is_client_unique(client['radiusClientNASIpAddress'], opts) == 0:
+ if self.__is_radius_client_unique(client['radiusClientNASIpAddress'], opts) == 0:
 raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
 dn="radiusClientNASIpAddress=%s,%s,%s" % (ldap.dn.escape_dn_chars(client['radiusClientNASIpAddress']),
 client_container,self.basedn)
- entry = ipaserver.ipaldap.Entry(dn)
- # FIXME: This should be dynamic and can include just about anything
+ print "add_radius_client: dn=%s" % (dn)
+
+ entry = ipaserver.ipaldap.Entry(dn)
 # some required objectclasses
 entry.setValues('objectClass', 'top', 'radiusClientProfile')
 # fill in our new entry with everything sent by the client
 for u in client:
+ print "add_radius_client: attr=%s %s" % (u, client[u])
 entry.setValues(u, client[u])
 conn = self.getConnection(opts)
-- cgit
From c24da12fe1c68cc2ea5211763e8904b646a17d95 Mon Sep 17 00:00:00 2001
From: John Dennis
Date: Wed, 14 Nov 2007 00:04:19 -0500
Subject: radius client modify and delete work
---
 ipa-server/xmlrpc-server/funcs.py | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)
(limited to 'ipa-server/xmlrpc-server/funcs.py')
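Review bot: The `print` statements added to add_radius_client write to the server process's stdout, and the one inside the `for u in client` loop dumps every attribute value the caller supplied; for a RADIUS client that presumably includes its shared secret, which would then land in the web server's log. Log only what is needed for diagnosis, e.g. `logging.debug("add_radius_client: attr=%s", u)` for the attribute name alone, or remove the prints before merging. In `__is_radius_client_unique` the bound `entry` is never read, so `self.__get_sub_entry(basedn, filter, ['dn','uid'], opts)` can stand on its own. The body of add_radius_client continues past the end of the hunk.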
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 7c53e6d0..38ba8c2b 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -456,11 +456,19 @@ class IPAServer:
 self.releaseConnection(conn)
 return res
+# radius support
+
+ # FIXME, why not just use get_entry_by_dn?
+ def get_radius_client_by_ip_addr(self, ip_addr, sattrs=None, opts=None):
+ ip_addr = self.__safe_filter(ip_addr)
+ basedn = 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.basedn # FIXME, should not be hardcoded
+ filter = "(&(radiusClientNASIpAddress=%s)(objectclass=radiusClientProfile))" % ip_addr
+ return self.__get_sub_entry(basedn, filter, sattrs, opts)
+
 def __is_radius_client_unique(self, ip_addr, opts):
 """Return 1 if the radius client is unique in the tree, 0 otherwise."""
 ip_addr = self.__safe_filter(ip_addr)
 basedn = 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.basedn # FIXME, should not be hardcoded
-
 filter = "(&(radiusClientNASIpAddress=%s)(objectclass=radiusClientProfile))" % ip_addr
 try:
@@ -470,7 +478,6 @@ class IPAServer:
 return 1
 def add_radius_client (self, client, opts=None):
- print "add_radius_client:"
 client_container = 'cn=clients,cn=radius,cn=services,cn=etc' # FIXME, should not be hardcoded
 if self.__is_radius_client_unique(client['radiusClientNASIpAddress'], opts) == 0:
 raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
@@ -478,8 +485,6 @@ class IPAServer:
 dn="radiusClientNASIpAddress=%s,%s,%s" % (ldap.dn.escape_dn_chars(client['radiusClientNASIpAddress']),
 client_container,self.basedn)
- print "add_radius_client: dn=%s" % (dn)
-
 entry = ipaserver.ipaldap.Entry(dn)
 # some required objectclasses
@@ -487,7 +492,6 @@ class IPAServer:
 # fill in our new entry with everything sent by the client
 for u in client:
- print "add_radius_client: attr=%s %s" % (u, client[u])
 entry.setValues(u, client[u])
 conn = self.getConnection(opts)
@@ -497,6 +501,21 @@ class IPAServer:
 self.releaseConnection(conn)
 return res
+ def update_radius_client(self, oldentry, newentry, opts=None):
+ return self.update_entry(oldentry, newentry, opts)
+
+ def delete_radius_client(self, ip_addr, opts=None):
+ client = self.get_radius_client_by_ip_addr(ip_addr, ['dn', 'cn'], opts)
+ if client is None:
+ raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+
+ conn = self.getConnection(opts)
+ try:
+ res = conn.deleteEntry(client['dn'])
+ finally:
+ self.releaseConnection(conn)
+ return res
+
 def get_add_schema (self):
 """Get the list of fields to be used when adding users in the GUI."""
-- cgit
From c4dbe6433da131b618ea2bfd9f0bfc5076c40ff2 Mon Sep 17 00:00:00 2001
From: John Dennis
Date: Wed, 14 Nov 2007 15:32:08 -0500
Subject: add ipa-findradiusclient search
---
 ipa-server/xmlrpc-server/funcs.py | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
(limited to 'ipa-server/xmlrpc-server/funcs.py')
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 38ba8c2b..26fdba48 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
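Review bot: The `if client is None` check in delete_radius_client never fires: get_radius_client_by_ip_addr returns through `__get_sub_entry`, which raises the LDAP_NOT_FOUND exception instead of returning None (that is exactly what `__is_radius_client_unique` catches), so a missing client propagates the lookup's own exception and the explicit raise is dead code. Either drop the check or document that the method raises LDAP_NOT_FOUND via the lookup. update_radius_client forwards to the generic `update_entry` without verifying that oldentry's dn lies under the radius clients container, so it is effectively an alias that presumably relies on the directory's ACIs for authorization; a comment such as `# no container check here: authorization is left to LDAP ACIs` would make that intent explicit.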
@@ -516,6 +516,36 @@ class IPAServer:
 self.releaseConnection(conn)
 return res
+ def find_radius_clients(self, ip_attrs, sattrs=None, searchlimit=0, timelimit=-1, opts=None):
+ def gen_filter(objectclass, attr, values):
+ '''Given ('myclass', 'myattr', [v1, v2]) returns
+ (&(objectclass=myclass)(|(myattr=v1)(myattr=v2)))
+ '''
+ # Don't use __safe_filter, prevents wildcarding
+ #attrs = ''.join(['(%s=%s)' % (attr, self.__safe_filter(val)) for val in values])
+ attrs = ''.join(['(%s=%s)' % (attr, val) for val in values])
+ filter = "(&(objectclass=%s)(|%s))" % (objectclass, attrs)
+ return filter
+
+ basedn = 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.basedn # FIXME, should not be hardcoded
+ filter = gen_filter('radiusClientProfile', 'radiusClientNASIpAddress', ip_attrs)
+ conn = self.getConnection(opts)
+ try:
+ try:
+ results = conn.getListAsync(basedn, self.scope, filter, sattrs, 0, None, None, timelimit, searchlimit)
+ except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ results = [0]
+ finally:
+ self.releaseConnection(conn)
+
+ counter = results[0]
+ results = results[1:]
+ radius_clients = [counter]
+ for radius_client in results:
+ radius_clients.append(self.convert_entry(radius_client))
+
+ return radius_clients
+
 def get_add_schema (self):
 """Get the list of fields to be used when adding users in the GUI."""
@@ -1152,6 +1182,7 @@ class IPAServer:
 return entries
+
 def ldap_search_escape(match):
 """Escapes out nasty characters from the ldap search. See RFC 2254."""
-- cgit
From d98686e96758870cb4a56d41fb0aaae54d4067c5 Mon Sep 17 00:00:00 2001
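Review bot: gen_filter splices each value of `ip_attrs` into the LDAP search filter unescaped — the comment explains that `__safe_filter` is skipped to keep wildcards — so a caller-supplied value containing filter metacharacters such as `(`, `)` or `\` changes the structure of the query instead of being matched literally (the file's own `ldap_search_escape` already names these as the RFC 2254 characters). Escape every value and then re-admit only `*`, or escape those three characters by hand while leaving `*` alone, so wildcard search survives without filter injection. The defaults `searchlimit=0, timelimit=-1` also leave the search unbounded, whereas find_users reads its limits from the IPA config via `config = self.get_ipa_config(opts)`; the same fallback would keep a broad wildcard query from tying up the directory. A later commit on this page copies the same gen_filter into find_radius_profiles, where the same escaping applies.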
From: John Dennis
Date: Wed, 21 Nov 2007 13:11:10 -0500
Subject: Add radius profile implementations: get_radius_profile_by_uid add_radius_profile update_radius_profile delete_radius_profile find_radius_profiles Rewrite command line arg handling, now support pair entry, interactive mode with auto completion, reading pairs from a file, better handling of mandatory values, better help, long arg names now match attribute name in pairs Establish mappings for all attributes and names used in clients and profiles Add notion of containers to radius clients and profiles in LDAP Move common code, variables, constants, and strings into the files radius_client.py, radius_util.py, ipautil.py to eliminate redundant elements which could get out of sync if modified and to provide access to other code which might benefit from using these items in the future. Add utility functions: format_list() parse_key_value_pairs() Add utility class: AttributeValueCompleter Unify attribute usage in radius ldap schema
---
 ipa-server/xmlrpc-server/funcs.py | 155 ++++++++++++++++++++++++++++++++------
 1 file changed, 130 insertions(+), 25 deletions(-)
(limited to 'ipa-server/xmlrpc-server/funcs.py')
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 26fdba48..aa557f79 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -30,6 +30,7 @@ import xmlrpclib
 import copy
 import attrs
 from ipa import ipaerror
+from ipa import radius_util
 import string
 from types import *
@@ -458,41 +459,40 @@ class IPAServer:
 # radius support
- # FIXME, why not just use get_entry_by_dn?
- def get_radius_client_by_ip_addr(self, ip_addr, sattrs=None, opts=None):
- ip_addr = self.__safe_filter(ip_addr)
- basedn = 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.basedn # FIXME, should not be hardcoded
- filter = "(&(radiusClientNASIpAddress=%s)(objectclass=radiusClientProfile))" % ip_addr
+ # clients
+ def get_radius_client_by_ip_addr(self, ip_addr, container=None, sattrs=None, opts=None):
+ filter = radius_util.radius_client_filter(ip_addr)
+ basedn = radius_util.radius_clients_basedn(container, self.basedn)
 return self.__get_sub_entry(basedn, filter, sattrs, opts)
- def __is_radius_client_unique(self, ip_addr, opts):
- """Return 1 if the radius client is unique in the tree, 0 otherwise."""
- ip_addr = self.__safe_filter(ip_addr)
- basedn = 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.basedn # FIXME, should not be hardcoded
- filter = "(&(radiusClientNASIpAddress=%s)(objectclass=radiusClientProfile))" % ip_addr
+ def __radius_client_exists(self, ip_addr, container, opts):
+ filter = radius_util.radius_client_filter(ip_addr)
+ basedn = radius_util.radius_clients_basedn(container, self.basedn)
 try:
 entry = self.__get_sub_entry(basedn, filter, ['dn','uid'], opts)
- return 0
+ return True
 except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
- return 1
+ return False
- def add_radius_client (self, client, opts=None):
- client_container = 'cn=clients,cn=radius,cn=services,cn=etc' # FIXME, should not be hardcoded
- if self.__is_radius_client_unique(client['radiusClientNASIpAddress'], opts) == 0:
- raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
+ def add_radius_client (self, client, container=None, opts=None):
+ if container is None:
+ container = radius_util.clients_container
- dn="radiusClientNASIpAddress=%s,%s,%s" % (ldap.dn.escape_dn_chars(client['radiusClientNASIpAddress']),
- client_container,self.basedn)
+ ip_addr = client['radiusClientIPAddress']
+
+ if self.__radius_client_exists(ip_addr, container, opts):
+ raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
+ dn = radius_util.radius_client_dn(ip_addr, container, self.basedn)
 entry = ipaserver.ipaldap.Entry(dn)
 # some required objectclasses
 entry.setValues('objectClass', 'top', 'radiusClientProfile')
 # fill in our new entry with everything sent by the client
- for u in client:
- entry.setValues(u, client[u])
+ for attr in client:
+ entry.setValues(attr, client[attr])
 conn = self.getConnection(opts)
 try:
@@ -504,8 +504,8 @@ class IPAServer:
 def update_radius_client(self, oldentry, newentry, opts=None):
 return self.update_entry(oldentry, newentry, opts)
- def delete_radius_client(self, ip_addr, opts=None):
- client = self.get_radius_client_by_ip_addr(ip_addr, ['dn', 'cn'], opts)
+ def delete_radius_client(self, ip_addr, container=None, opts=None):
+ client = self.get_radius_client_by_ip_addr(ip_addr, container, ['dn', 'cn'], opts)
 if client is None:
 raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
@@ -516,7 +516,7 @@ class IPAServer:
 self.releaseConnection(conn)
 return res
- def find_radius_clients(self, ip_attrs, sattrs=None, searchlimit=0, timelimit=-1, opts=None):
+ def find_radius_clients(self, ip_attrs, container=None, sattrs=None, searchlimit=0, timelimit=-1, opts=None):
 def gen_filter(objectclass, attr, values):
 '''Given ('myclass', 'myattr', [v1, v2]) returns
 (&(objectclass=myclass)(|(myattr=v1)(myattr=v2)))
@@ -527,8 +527,8 @@ class IPAServer:
 filter = "(&(objectclass=%s)(|%s))" % (objectclass, attrs)
 return filter
- basedn = 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.basedn # FIXME, should not be hardcoded
- filter = gen_filter('radiusClientProfile', 'radiusClientNASIpAddress', ip_attrs)
+ basedn = radius_util.radius_clients_basedn(container, self.basedn)
+ filter = gen_filter('radiusClientProfile', 'radiusClientIPAddress', ip_attrs)
 conn = self.getConnection(opts)
 try:
 try:
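Review bot: get_radius_client_by_ip_addr and `__radius_client_exists` no longer pass `ip_addr` through `self.__safe_filter` before the filter is built; the escaping now has to live in `radius_util.radius_client_filter`, which is outside this diff, so please confirm that helper escapes filter metacharacters per RFC 2254 as the removed lines did, or restore `ip_addr = self.__safe_filter(ip_addr)` ahead of the call. add_radius_client now reads `client['radiusClientIPAddress']` directly, so a request without that key raises a bare KeyError to the XML-RPC caller rather than a meaningful error; a guarded lookup with an explicit exception would be clearer. The bound `entry` in `__radius_client_exists` is still never used. The -458 hunk ends before add_radius_client's body does.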
@@ -546,6 +546,111 @@ class IPAServer:
 return radius_clients
+ # profiles
+ def get_radius_profile_by_uid(self, uid, user_profile=True, sattrs=None, opts=None):
+ if user_profile:
+ container = DefaultUserContainer
+ else:
+ container = radius_util.profiles_container
+
+ uid = self.__safe_filter(uid)
+ filter = radius_util.radius_profile_filter(uid)
+ basedn = radius_util.radius_profiles_basedn(container, self.basedn)
+ return self.__get_sub_entry(basedn, filter, sattrs, opts)
+
+ def __radius_profile_exists(self, uid, user_profile, opts):
+ if user_profile:
+ container = DefaultUserContainer
+ else:
+ container = radius_util.profiles_container
+
+ uid = self.__safe_filter(uid)
+ filter = radius_util.radius_profile_filter(uid)
+ basedn = radius_util.radius_profiles_basedn(container, self.basedn)
+
+ try:
+ entry = self.__get_sub_entry(basedn, filter, ['dn','uid'], opts)
+ return True
+ except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ return False
+
+ def add_radius_profile (self, uid, user_profile=True, opts=None):
+ if self.__radius_profile_exists(profile['uid'], user_profile, opts):
+ raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
+
+ if user_profile:
+ container = DefaultUserContainer
+ else:
+ container = radius_util.profiles_container
+
+ dn = radius_util.radius_profile_dn(uid, container, self.basedn)
+ entry = ipaserver.ipaldap.Entry(dn)
+
+ # some required objectclasses
+ entry.setValues('objectClass', 'top', 'radiusClientProfile')
+
+ # fill in our new entry with everything sent by the profile
+ for attr in profile:
+ entry.setValues(attr, profile[attr])
+
+ conn = self.getConnection(opts)
+ try:
+ res = conn.addEntry(entry)
+ finally:
+ self.releaseConnection(conn)
+ return res
+
+ def update_radius_profile(self, oldentry, newentry, opts=None):
+ return self.update_entry(oldentry, newentry, opts)
+
+ def delete_radius_profile(self, uid, user_profile, opts=None):
+ profile = self.get_radius_profile_by_uid(uid, user_profile, ['dn', 'cn'], opts)
+ if profile is None:
+ raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+
+ conn = self.getConnection(opts)
+ try:
+ res = conn.deleteEntry(profile['dn'])
+ finally:
+ self.releaseConnection(conn)
+ return res
+
+ def find_radius_profiles(self, uids, user_profile=True, sattrs=None, searchlimit=0, timelimit=-1, opts=None):
+ def gen_filter(objectclass, attr, values):
+ '''Given ('myclass', 'myattr', [v1, v2]) returns
+ (&(objectclass=myclass)(|(myattr=v1)(myattr=v2)))
+ '''
+ # Don't use __safe_filter, prevents wildcarding
+ #attrs = ''.join(['(%s=%s)' % (attr, self.__safe_filter(val)) for val in values])
+ attrs = ''.join(['(%s=%s)' % (attr, val) for val in values])
+ filter = "(&(objectclass=%s)(|%s))" % (objectclass, attrs)
+ return filter
+
+ if user_profile:
+ container = DefaultUserContainer
+ else:
+ container = radius_util.profiles_container
+
+ uid = self.__safe_filter(uid)
+ filter = gen_filter('radiusClientProfile' 'uid', uids)
+ basedn="%s,%s" % (container, self.basedn)
+ conn = self.getConnection(opts)
+ try:
+ try:
+ results = conn.getListAsync(basedn, self.scope, filter, sattrs, 0, None, None, timelimit, searchlimit)
+ except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ results = [0]
+ finally:
+ self.releaseConnection(conn)
+
+ counter = results[0]
+ results = results[1:]
+ radius_profiles = [counter]
+ for radius_profile in results:
+ radius_profiles.append(self.convert_entry(radius_profile))
+
+ return radius_profiles
+
 def get_add_schema (self):
 """Get the list of fields to be used when adding users in the GUI."""
-- cgit
From 09238510ff0dced7998e6a1b72f450070e8c6116 Mon Sep 17 00:00:00 2001
From: John Dennis
Date: Mon, 26 Nov 2007 19:30:33 -0500
Subject: add command line utilites for radius profiles
---
 ipa-server/xmlrpc-server/funcs.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'ipa-server/xmlrpc-server/funcs.py')
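Review bot: add_radius_profile takes `uid` but reads `profile['uid']` and iterates `profile`, and find_radius_profiles calls `self.__safe_filter(uid)` where only `uids` is defined, so both methods raise NameError on first use; `gen_filter('radiusClientProfile' 'uid', uids)` is also missing a comma and silently concatenates the two literals into one objectclass name. The signature should be `def add_radius_profile (self, profile, user_profile=True, opts=None):` with `uid = profile['uid']` as its first line, and the stray `uid = self.__safe_filter(uid)` in find_radius_profiles should go. Even once that is fixed, the values in `uids` reach the filter unescaped through the copied gen_filter, so the same metacharacter escaping as for find_radius_clients applies here, and with `user_profile=True` the search runs over the whole user container. delete_radius_profile's `if profile is None` check is dead for the same reason as in delete_radius_client: `__get_sub_entry` raises LDAP_NOT_FOUND rather than returning None.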
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index aa557f79..de9b265e 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -574,8 +574,10 @@ class IPAServer:
 except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
 return False
- def add_radius_profile (self, uid, user_profile=True, opts=None):
- if self.__radius_profile_exists(profile['uid'], user_profile, opts):
+ def add_radius_profile (self, profile, user_profile=True, opts=None):
+ uid = profile['uid']
+
+ if self.__radius_profile_exists(uid, user_profile, opts):
 raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
 if user_profile:
@@ -587,7 +589,7 @@ class IPAServer:
 entry = ipaserver.ipaldap.Entry(dn)
 # some required objectclasses
- entry.setValues('objectClass', 'top', 'radiusClientProfile')
+ entry.setValues('objectClass', 'top', 'radiusprofile')
 # fill in our new entry with everything sent by the profile
 for attr in profile:
@@ -631,8 +633,7 @@ class IPAServer:
 else:
 container = radius_util.profiles_container
- uid = self.__safe_filter(uid)
- filter = gen_filter('radiusClientProfile' 'uid', uids)
+ filter = gen_filter('radiusprofile', 'uid', uids)
 basedn="%s,%s" % (container, self.basedn)
 conn = self.getConnection(opts)
 try:
-- cgit
From 6be932e8af1f9e874071da943c129457d724b46c Mon Sep 17 00:00:00 2001
From: John Dennis
Date: Thu, 29 Nov 2007 11:44:50 -0500
Subject: fix merge error
---
 ipa-server/xmlrpc-server/funcs.py | 44 ---------------------------------------
 1 file changed, 44 deletions(-)
(limited to 'ipa-server/xmlrpc-server/funcs.py')
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 04b05324..3be61989 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
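Review bot: With `uid = self.__safe_filter(uid)` gone from find_radius_profiles (the -631 hunk), nothing escapes the caller's `uids` before gen_filter splices them into the search filter, so a value containing `(`, `)` or `\` alters the query instead of matching a uid literally, and with `user_profile=True` that query runs over the whole user container. Escape each value and re-admit only `*` if wildcarding is wanted, mirroring what find_radius_clients should do. get_radius_profile_by_uid and `__radius_profile_exists` (outside this hunk) still call `__safe_filter` before `radius_util.radius_profile_filter`; if that helper escapes as well the uid is escaped twice and exact lookups of uids with special characters will fail, so worth checking once in radius_util. The body of find_radius_profiles continues outside the hunk.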
@@ -707,50 +707,6 @@ class IPAServer:
 return radius_profiles
- def get_add_schema (self):
- """Get the list of fields to be used when adding users in the GUI."""
-
- # FIXME: this needs to be pulled from LDAP
- fields = []
-
- field1 = {
- "name": "uid" ,
- "label": "Login:",
- "type": "text",
- "validator": "text",
- "required": "true"
- }
- fields.append(field1)
-
- field1 = {
- "name": "givenName" ,
- "label": "First name:",
- "type": "text",
- "validator": "string",
- "required": "true"
- }
- fields.append(field1)
-
- field1 = {
- "name": "sn" ,
- "label": "Last name:",
- "type": "text",
- "validator": "string",
- "required": "true"
- }
- fields.append(field1)
-
- field1 = {
- "name": "mail" ,
- "label": "E-mail address:",
- "type": "text",
- "validator": "email",
- "required": "false"
- }
- fields.append(field1)
-
- return fields
-
 def set_custom_fields (self, schema, opts=None):
 """Set the list of custom user fields.
-- cgit
From 2675f35fdf3121dd23658e4ea89e1600291d2b70 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 11 Dec 2007 09:56:37 -0500
Subject: Tie the logging module to 'PythonOption IPADebug' in /etc/httpd/conf.d/ipa.conf
---
 ipa-server/xmlrpc-server/funcs.py | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
(limited to 'ipa-server/xmlrpc-server/funcs.py')
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 26fee6ab..4943da24 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -53,11 +53,6 @@ DefaultUserContainer = "cn=users,cn=accounts"
 DefaultGroupContainer = "cn=groups,cn=accounts"
 DefaultServiceContainer = "cn=services,cn=accounts"
-# FIXME: need to check the ipadebug option in ipa.conf
-#logging.basicConfig(level=logging.DEBUG,
-# format='%(asctime)s %(levelname)s %(message)s',
-# stream=sys.stderr)
-
 #
 # Apache runs in multi-process mode so each process will have its own
 # connection. This could theoretically drive the total number of connections
@@ -807,6 +802,7 @@ class IPAServer:
 """Returns a list: counter followed by the results. If the results are truncated, counter will be set to -1."""
+ logging.debug("IPA: find users %s" % criteria)
 config = self.get_ipa_config(opts)
 if timelimit < 0:
 timelimit = float(config.get('ipasearchtimelimit'))
-- cgit
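Review bot: `logging.debug("IPA: find users %s" % criteria)` formats the message eagerly even when debug output is off; the lazy form `logging.debug("IPA: find users %s", criteria)` hands the `%` to the handler and only pays for it when the record is emitted. Worth keeping in mind that criteria is caller-supplied search input written verbatim to the server log, which is acceptable at debug level but means the log now records every search term, including any filter metacharacters in it. find_users' signature is above the hunk and its body continues below it.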