From cb689354357d5311e7ecb231a34e867c23b8a803 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Thu, 11 Apr 2013 13:24:46 -0400
Subject: Add IPA OTP schema and ACLs

This commit adds schema support for two factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two factor authentication directly.

https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
---
 ipaserver/install/dsinstance.py | 3 ++-
 ipaserver/install/plugins/update_anonymous_aci.py | 25 ++++++++++++++++-------
 2 files changed, 20 insertions(+), 8 deletions(-)
(limited to 'ipaserver')

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3b841417..046480f0 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -411,7 +411,8 @@ class DsInstance(service.Service):
 "60basev3.ldif",
 "60ipadns.ldif",
 "61kerberos-ipav3.ldif",
- "65ipasudo.ldif"):
+ "65ipasudo.ldif",
+ "70ipaotp.ldif"):
 target_fname = schema_dirname(self.serverid) + schema_fname
 shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
 os.chmod(target_fname, 0440) # read access for dirsrv user/group
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
index 2b7446ad..1e75113f 100644
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ b/ipaserver/install/plugins/update_anonymous_aci.py
@@ -20,8 +20,6 @@ from copy import deepcopy
 from ipaserver.install.plugins import FIRST, LAST
 from ipaserver.install.plugins.baseupdate import PostUpdate
-#from ipalib.frontend import Updater
-#from ipaserver.install.plugins import baseupdate
 from ipalib import api
 from ipalib.aci import ACI
 from ipalib.plugins import aci
@@ -37,6 +35,8 @@ class update_anonymous_aci(PostUpdate):
 aciname = u'Enable Anonymous access'
 aciprefix = u'none'
 ldap = self.obj.backend
+ targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))'
+ filter = None
 (dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
@@ -45,6 +45,9 @@ class update_anonymous_aci(PostUpdate):
 rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
 attrs = rawaci.target['targetattr']['expression']
+ rawfilter = rawaci.target.get('targetfilter', None)
+ if rawfilter is not None:
+ filter = rawfilter['expression']
 update_attrs = deepcopy(attrs)
@@ -54,12 +57,10 @@ class update_anonymous_aci(PostUpdate):
 needed_attrs.append(attr)
 update_attrs.extend(needed_attrs)
- if len(attrs) == len(update_attrs):
+ if (len(attrs) == len(update_attrs) and
+ filter == targetfilter):
 root_logger.debug("Anonymous ACI already update-to-date")
 return (False, False, [])
- else:
- root_logger.debug("New Anonymous ACI attributes needed: %s",
- needed_attrs)
 for tmpaci in acistrs:
 candidate = ACI(tmpaci)
@@ -67,7 +68,17 @@ class update_anonymous_aci(PostUpdate):
 acistrs.remove(tmpaci)
 break
- rawaci.target['targetattr']['expression'] = update_attrs
+ if len(attrs) != len(update_attrs):
+ root_logger.debug("New Anonymous ACI attributes needed: %s", needed_attrs)
+
+ rawaci.target['targetattr']['expression'] = update_attrs
+
+ if filter != targetfilter:
+ root_logger.debug("New Anonymous ACI targetfilter needed.")
+
+ rawaci.set_target_filter(targetfilter)
+
 acistrs.append(unicode(rawaci))
 entry_attrs['aci'] = acistrs
--
cgit
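Review bot: The new local `filter` introduced in the `@@ -37,6 +35,8 @@` hunk shadows the Python builtin of the same name, and the shadowing carries into the `@@ -45,6`, `@@ -54,12` and `@@ -67,7` hunks where it is assigned and compared; renaming it to `current_filter = None` (with `current_filter = rawfilter['expression']` and the two `current_filter == targetfilter` / `!=` comparisons updated to match) removes the confusion at no cost. The hard-coded `targetfilter` is a deny-list of objectClasses that this commit carves out of the anonymous-read ACI, and nothing in the hunk says so; a comment above it such as `# Deny-list: entries of these token objectClasses are kept out of the anonymous read ACI; a new token objectClass must be added here or it falls under the anonymous grant.` would make the maintenance obligation explicit, since presumably these entries carry OTP/RADIUS credential material. The enclosing method starts before this hunk, so its signature and the source of `self.obj` are not visible here.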
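Review bot: The up-to-date check fed by the `@@ -45,6 +45,9 @@` hunk compares only `rawfilter['expression']`, so if the parsed target also records the filter's comparison operator alongside the expression (the `set_target_filter` call in the last hunk suggests the operator is settable), an existing ACI with the same expression under a different operator would be reported as current and left untouched. If that is how the target dict is shaped, take the expression only when the operator is the equality one, e.g. `if rawfilter is not None and rawfilter.get('operator', '=') == '=':`, so anything else falls through to the rewrite below. This is inferred from the parallel `targetattr` handling two lines above; the ACI target structure itself is not in the hunk, so please confirm against the ACI class.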
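Review bot: The targetfilter debug message added in the `@@ -67,7 +68,17 @@` hunk says a new filter is needed but not what was found, which is the first thing one wants when an upgrade keeps rewriting this ACI on every run; its attribute counterpart just above it does log the delta. Logging both sides, `root_logger.debug("New Anonymous ACI targetfilter needed: %s -> %s", filter, targetfilter)`, makes a mismatch caused by a differently normalized stored filter visible immediately. The rebuilt ACI is appended unconditionally after these two blocks, which agrees with the early return in the previous hunk, so the control flow itself looks right.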