authorNathaniel McCallum <npmccallum@redhat.com>2013-09-18 15:48:23 -0400
committerPetr Viktorin <pviktori@redhat.com>2013-11-08 12:48:15 +0100
commit3f85f09a83f1cd25078c7c11a68d457bb198d66f (patch)
treeadd274a530453657c963f2ecfd951fb353c8a60f
parentdf5f4ee81d1aff1122dd92ab1b56eb335294c3a7 (diff)
Add support for managing user auth types
https://fedorahosted.org/freeipa/ticket/3368
-rw-r--r--API.txt12
-rw-r--r--VERSION2
-rw-r--r--install/updates/50-ipaconfig.update1
-rw-r--r--ipalib/plugins/config.py8
-rw-r--r--ipalib/plugins/user.py19
5 files changed, 32 insertions, 10 deletions
diff --git a/API.txt b/API.txt
index 605f9ee30..cddb9d719 100644
--- a/API.txt
+++ b/API.txt
@@ -495,7 +495,7 @@ args: 0,1,1
option: Str('version?', exclude='webui')
output: Output('result', None, None)
command: config_mod
-args: 0,24,3
+args: 0,25,3
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('delattr*', cli_name='delattr', exclude='webui')
@@ -514,6 +514,7 @@ option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='s
option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False)
option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
+option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password',))
option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
option: IA5Str('ipausersearchfields', attribute=True, autofill=False, cli_name='usersearch', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
@@ -3586,7 +3587,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: user_add
-args: 1,35,3
+args: 1,36,3
arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -3600,6 +3601,7 @@ option: Str('givenname', attribute=True, cli_name='first', multivalue=False, req
option: Str('homedirectory', attribute=True, cli_name='homedir', multivalue=False, required=False)
option: Str('initials', attribute=True, autofill=True, cli_name='initials', multivalue=False, required=False)
option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
+option: StrEnum('ipauserauthtype', attribute=True, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password',))
option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='principal', multivalue=False, required=False)
option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False)
option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False)
@@ -3649,7 +3651,7 @@ output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: user_find
-args: 1,45,4
+args: 1,46,4
arg: Str('criteria?', noextrawhitespace=False)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=False, query=True, required=False)
@@ -3666,6 +3668,7 @@ option: Str('in_netgroup*', cli_name='in_netgroups', csv=True)
option: Str('in_role*', cli_name='in_roles', csv=True)
option: Str('in_sudorule*', cli_name='in_sudorules', csv=True)
option: Str('initials', attribute=True, autofill=False, cli_name='initials', multivalue=False, query=True, required=False)
+option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, query=True, required=False, values=(u'password',))
option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='principal', multivalue=False, query=True, required=False)
option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False)
option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False)
@@ -3701,7 +3704,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: user_mod
-args: 1,36,3
+args: 1,37,3
arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -3716,6 +3719,7 @@ option: Str('givenname', attribute=True, autofill=False, cli_name='first', multi
option: Str('homedirectory', attribute=True, autofill=False, cli_name='homedir', multivalue=False, required=False)
option: Str('initials', attribute=True, autofill=False, cli_name='initials', multivalue=False, required=False)
option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
+option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password',))
option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, required=False)
option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, required=False)
option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, required=False)
diff --git a/VERSION b/VERSION
index c3c6d5a4c..32f6efbc4 100644
--- a/VERSION
+++ b/VERSION
@@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=65
+IPA_API_VERSION_MINOR=66
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index ce617fe0d..89a1726f4 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -3,3 +3,4 @@ add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0
add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
add:ipaUserObjectClasses: ipasshuser
remove:ipaConfigString:AllowLMhash
+add:objectClass: ipaUserAuthTypeClass
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index fbaacb7b9..f4e35519f 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -92,6 +92,7 @@ class config(LDAPObject):
'ipamigrationenabled', 'ipacertificatesubjectbase',
'ipapwdexpadvnotify', 'ipaselinuxusermaporder',
'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata',
+ 'ipauserauthtype'
]
label = _('Configuration')
@@ -197,6 +198,13 @@ class config(LDAPObject):
values=(u'MS-PAC', u'PAD', u'nfs:NONE'),
csv=True,
),
+ StrEnum('ipauserauthtype*',
+ cli_name='user_auth_type',
+ label=_('Default user authentication types'),
+ doc=_('Default types of supported user authentication'),
+ values=(u'password',),
+ csv=True,
+ ),
)
def get_dn(self, *keys, **kwargs):
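Review bot: The `doc` text on the added `ipauserauthtype*` parameter, 'Default types of supported user authentication', does not say how this global default relates to the per-user attribute of the same name, or what an unset value means. This is authentication policy, so an administrator reading the help needs to know whether a per-user value replaces the default or is combined with it. I would add a comment above the parameter, e.g. `# Global default auth types; precedence vs. per-user ipauserauthtype: TODO confirm`, and expand the doc string once the precedence is settled. The enclosing takes_params tuple starts outside this hunk.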
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 471981f48..54d11c229 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -24,7 +24,7 @@ import posixpath
import os
from ipalib import api, errors
-from ipalib import Flag, Int, Password, Str, Bool
+from ipalib import Flag, Int, Password, Str, Bool, StrEnum
from ipalib.plugins.baseldap import *
from ipalib.plugins import baseldap
from ipalib.request import context
@@ -198,14 +198,14 @@ class user(LDAPObject):
object_name_plural = _('users')
object_class = ['posixaccount']
object_class_config = 'ipauserobjectclasses'
- possible_objectclasses = ['meporiginentry']
+ possible_objectclasses = ['meporiginentry', 'ipauserauthtypeclass']
disallow_object_classes = ['krbticketpolicyaux']
search_attributes_config = 'ipausersearchfields'
default_attributes = [
'uid', 'givenname', 'sn', 'homedirectory', 'loginshell',
'uidnumber', 'gidnumber', 'mail', 'ou',
'telephonenumber', 'title', 'memberof', 'nsaccountlock',
- 'memberofindirect',
+ 'memberofindirect', 'ipauserauthtype'
]
search_display_attributes = [
'uid', 'givenname', 'sn', 'homedirectory', 'loginshell',
@@ -365,6 +365,13 @@ class user(LDAPObject):
csv=True,
flags=['no_search'],
),
+ StrEnum('ipauserauthtype*',
+ cli_name='user_auth_type',
+ label=_('User authentication types'),
+ doc=_('Types of supported user authentication'),
+ values=(u'password',),
+ csv=True,
+ ),
)
def _normalize_and_validate_email(self, email, config=None):
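Review bot: The added `ipauserauthtype*` parameter is exposed on user_add as well (the API.txt section lists the option there), but the only place this commit attaches the `ipauserauthtypeclass` object class is user_mod's pre_callback. The class is added to `possible_objectclasses` only, and the update file adds it to what appears to be the config entry rather than to `ipaUserObjectClasses`. Unless user_add's pre_callback, which is outside this diff, already handles it, creating a user with `--user-auth-type` would presumably fail with an object class violation. I would mirror the user_mod logic in user_add, e.g. `if 'ipauserauthtype' in entry_attrs and 'ipauserauthtypeclass' not in entry_attrs['objectclass']:` followed by the append. The takes_params tuple starts outside this hunk.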
@@ -633,14 +640,16 @@ class user_mod(LDAPUpdate):
entry_attrs['userpassword'] = ipa_generate_password(user_pwdchars)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
- if 'ipasshpubkey' in entry_attrs:
+ if 'ipasshpubkey' in entry_attrs or 'ipauserauthtype' in entry_attrs:
if 'objectclass' in entry_attrs:
obj_classes = entry_attrs['objectclass']
else:
(_dn, _entry_attrs) = ldap.get_entry(dn, ['objectclass'])
obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
- if 'ipasshuser' not in obj_classes:
+ if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes:
obj_classes.append('ipasshuser')
+ if 'ipauserauthtype' in entry_attrs and 'ipauserauthtype' not in obj_classes:
+ obj_classes.append('ipauserauthtypeclass')
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
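Review bot: The second added guard in user_mod's pre_callback tests `'ipauserauthtype' not in obj_classes`, which is the attribute name, while the line below it appends the object class `'ipauserauthtypeclass'`. The test is therefore true whenever the attribute is being set, so an entry that already carries the class gets a second `ipauserauthtypeclass` value, which the directory server is likely to reject as a duplicate on any later change to a user's auth types. It should read `if 'ipauserauthtype' in entry_attrs and 'ipauserauthtypeclass' not in obj_classes:`. The membership test is also case-sensitive, so it is worth confirming the casing of the values returned by `ldap.get_entry`. The function begins above this hunk.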