author | Jan Cholasta <jcholast@redhat.com> | 2016-04-28 10:30:05 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-06-03 09:00:34 +0200 |
commit | 6e44557b601f769d23ee74555a72e8b5cc62c0c9 (patch) | |
tree | eedd3e054b0709341b9f58c190ea54f999f7d13a /ipaserver/plugins/pkinit.py | |
parent | ec841e5d7ab29d08de294b3fa863a631cd50e30a (diff) | |
ipalib: move server-side plugins to ipaserver
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.
Remove the now unused ipalib.plugins package.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaserver/plugins/pkinit.py')
-rw-r--r-- | ipaserver/plugins/pkinit.py | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py
new file mode 100644
index 000000000..9aa101063
--- /dev/null
+++ b/ipaserver/plugins/pkinit.py
@@ -0,0 +1,105 @@
+# Authors:
+# Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from ipalib import api, errors
+from ipalib import Str
+from ipalib import Object, Command
+from ipalib import _
+from ipalib.plugable import Registry
+from ipapython.dn import DN
+
+__doc__ = _("""
+Kerberos pkinit options
+
+Enable or disable anonymous pkinit using the principal
+WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
+pkinit support.
+
+EXAMPLES:
+
+ Enable anonymous pkinit:
+ ipa pkinit-anonymous enable
+
+ Disable anonymous pkinit:
+ ipa pkinit-anonymous disable
+
+For more information on anonymous pkinit see:
+
+http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+""")
+
+register = Registry()
+
+@register()
+class pkinit(Object):
+ """
+ PKINIT Options
+ """
+ object_name = _('pkinit')
+
+ label=_('PKINIT')
+
+
+def valid_arg(ugettext, action):
+ """
+ Accepts only Enable/Disable.
+ """
+ a = action.lower()
+ if a != 'enable' and a != 'disable':
+ raise errors.ValidationError(
+ name='action',
+ error=_('Unknown command %s') % action
+ )
+
+@register()
+class pkinit_anonymous(Command):
+ __doc__ = _('Enable or Disable Anonymous PKINIT.')
+
+ princ_name = 'WELLKNOWN/ANONYMOUS@%s' % api.env.realm
+ default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn)
+
+ takes_args = (
+ Str('action', valid_arg),
+ )
+
+ def execute(self, action, **options):
+ ldap = self.api.Backend.ldap2
+ set_lock = False
+ lock = None
+
+ entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock'])
+
+ if 'nsaccountlock' in entry_attrs:
+ lock = entry_attrs['nsaccountlock'][0].lower()
+
+ if action.lower() == 'enable':
+ if lock == 'true':
+ set_lock = True
+ lock = None
+ elif action.lower() == 'disable':
+ if lock != 'true':
+ set_lock = True
+ lock = 'TRUE'
+
+ if set_lock:
+ entry_attrs['nsaccountlock'] = lock
+ ldap.update_entry(entry_attrs)
+
+ return dict(result=True)
+ |
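Review bot: `pkinit_anonymous.execute` has no final `else`, so an action that is neither `enable` nor `disable` falls through with `set_lock = False` and still returns `dict(result=True)`. The `valid_arg` rule on `takes_args` is the only thing rejecting other values; if `execute` is ever reached without that rule having run (not visible from this file), the command would report success without touching the entry. Because this command decides whether the anonymous principal is locked, it should fail closed by adding `else: raise errors.ValidationError(name='action', error=_('Unknown command %s') % action)`. The return value is also `True` whether or not `nsaccountlock` was modified. A short docstring on `execute` would help, stating that enabling removes `nsaccountlock`, disabling sets it to `'TRUE'`, and the result does not indicate whether a change was made.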