-rw-r--r--freeipa.spec.in3
-rw-r--r--ipaclient/frontend.py106
-rw-r--r--ipaclient/remote_plugins/2_114/__init__.py15
-rw-r--r--ipaclient/remote_plugins/2_114/aci.py812
-rw-r--r--ipaclient/remote_plugins/2_114/automember.py827
-rw-r--r--ipaclient/remote_plugins/2_114/automount.py1228
-rw-r--r--ipaclient/remote_plugins/2_114/batch.py71
-rw-r--r--ipaclient/remote_plugins/2_114/cert.py376
-rw-r--r--ipaclient/remote_plugins/2_114/config.py408
-rw-r--r--ipaclient/remote_plugins/2_114/delegation.py383
-rw-r--r--ipaclient/remote_plugins/2_114/dns.py5373
-rw-r--r--ipaclient/remote_plugins/2_114/group.py912
-rw-r--r--ipaclient/remote_plugins/2_114/hbacrule.py1305
-rw-r--r--ipaclient/remote_plugins/2_114/hbacsvc.py413
-rw-r--r--ipaclient/remote_plugins/2_114/hbacsvcgroup.py528
-rw-r--r--ipaclient/remote_plugins/2_114/hbactest.py284
-rw-r--r--ipaclient/remote_plugins/2_114/host.py1556
-rw-r--r--ipaclient/remote_plugins/2_114/hostgroup.py709
-rw-r--r--ipaclient/remote_plugins/2_114/idrange.py620
-rw-r--r--ipaclient/remote_plugins/2_114/idviews.py1411
-rw-r--r--ipaclient/remote_plugins/2_114/internal.py92
-rw-r--r--ipaclient/remote_plugins/2_114/join.py64
-rw-r--r--ipaclient/remote_plugins/2_114/krbtpolicy.py266
-rw-r--r--ipaclient/remote_plugins/2_114/migration.py302
-rw-r--r--ipaclient/remote_plugins/2_114/misc.py113
-rw-r--r--ipaclient/remote_plugins/2_114/netgroup.py865
-rw-r--r--ipaclient/remote_plugins/2_114/otpconfig.py206
-rw-r--r--ipaclient/remote_plugins/2_114/otptoken.py893
-rw-r--r--ipaclient/remote_plugins/2_114/otptoken_yubikey.py33
-rw-r--r--ipaclient/remote_plugins/2_114/passwd.py93
-rw-r--r--ipaclient/remote_plugins/2_114/permission.py1045
-rw-r--r--ipaclient/remote_plugins/2_114/ping.py62
-rw-r--r--ipaclient/remote_plugins/2_114/pkinit.py63
-rw-r--r--ipaclient/remote_plugins/2_114/privilege.py656
-rw-r--r--ipaclient/remote_plugins/2_114/pwpolicy.py937
-rw-r--r--ipaclient/remote_plugins/2_114/radiusproxy.py521
-rw-r--r--ipaclient/remote_plugins/2_114/realmdomains.py195
-rw-r--r--ipaclient/remote_plugins/2_114/role.py758
-rw-r--r--ipaclient/remote_plugins/2_114/selfservice.py338
-rw-r--r--ipaclient/remote_plugins/2_114/selinuxusermap.py905
-rw-r--r--ipaclient/remote_plugins/2_114/service.py1100
-rw-r--r--ipaclient/remote_plugins/2_114/session.py626
-rw-r--r--ipaclient/remote_plugins/2_114/sudocmd.py394
-rw-r--r--ipaclient/remote_plugins/2_114/sudocmdgroup.py540
-rw-r--r--ipaclient/remote_plugins/2_114/sudorule.py1774
-rw-r--r--ipaclient/remote_plugins/2_114/trust.py1250
-rw-r--r--ipaclient/remote_plugins/2_114/user.py1623
-rw-r--r--ipaclient/remote_plugins/2_156/__init__.py15
-rw-r--r--ipaclient/remote_plugins/2_156/aci.py812
-rw-r--r--ipaclient/remote_plugins/2_156/automember.py827
-rw-r--r--ipaclient/remote_plugins/2_156/automount.py1228
-rw-r--r--ipaclient/remote_plugins/2_156/batch.py71
-rw-r--r--ipaclient/remote_plugins/2_156/caacl.py1155
-rw-r--r--ipaclient/remote_plugins/2_156/cert.py382
-rw-r--r--ipaclient/remote_plugins/2_156/certprofile.py431
-rw-r--r--ipaclient/remote_plugins/2_156/config.py408
-rw-r--r--ipaclient/remote_plugins/2_156/delegation.py383
-rw-r--r--ipaclient/remote_plugins/2_156/dns.py5148
-rw-r--r--ipaclient/remote_plugins/2_156/domainlevel.py64
-rw-r--r--ipaclient/remote_plugins/2_156/group.py912
-rw-r--r--ipaclient/remote_plugins/2_156/hbacrule.py1305
-rw-r--r--ipaclient/remote_plugins/2_156/hbacsvc.py413
-rw-r--r--ipaclient/remote_plugins/2_156/hbacsvcgroup.py528
-rw-r--r--ipaclient/remote_plugins/2_156/hbactest.py284
-rw-r--r--ipaclient/remote_plugins/2_156/host.py1680
-rw-r--r--ipaclient/remote_plugins/2_156/hostgroup.py709
-rw-r--r--ipaclient/remote_plugins/2_156/idrange.py639
-rw-r--r--ipaclient/remote_plugins/2_156/idviews.py1491
-rw-r--r--ipaclient/remote_plugins/2_156/internal.py92
-rw-r--r--ipaclient/remote_plugins/2_156/join.py64
-rw-r--r--ipaclient/remote_plugins/2_156/krbtpolicy.py266
-rw-r--r--ipaclient/remote_plugins/2_156/migration.py319
-rw-r--r--ipaclient/remote_plugins/2_156/misc.py113
-rw-r--r--ipaclient/remote_plugins/2_156/netgroup.py865
-rw-r--r--ipaclient/remote_plugins/2_156/otpconfig.py206
-rw-r--r--ipaclient/remote_plugins/2_156/otptoken.py893
-rw-r--r--ipaclient/remote_plugins/2_156/otptoken_yubikey.py33
-rw-r--r--ipaclient/remote_plugins/2_156/passwd.py93
-rw-r--r--ipaclient/remote_plugins/2_156/permission.py1099
-rw-r--r--ipaclient/remote_plugins/2_156/ping.py62
-rw-r--r--ipaclient/remote_plugins/2_156/pkinit.py63
-rw-r--r--ipaclient/remote_plugins/2_156/privilege.py656
-rw-r--r--ipaclient/remote_plugins/2_156/pwpolicy.py937
-rw-r--r--ipaclient/remote_plugins/2_156/radiusproxy.py521
-rw-r--r--ipaclient/remote_plugins/2_156/realmdomains.py195
-rw-r--r--ipaclient/remote_plugins/2_156/role.py758
-rw-r--r--ipaclient/remote_plugins/2_156/selfservice.py338
-rw-r--r--ipaclient/remote_plugins/2_156/selinuxusermap.py905
-rw-r--r--ipaclient/remote_plugins/2_156/server.py246
-rw-r--r--ipaclient/remote_plugins/2_156/service.py1225
-rw-r--r--ipaclient/remote_plugins/2_156/servicedelegation.py907
-rw-r--r--ipaclient/remote_plugins/2_156/session.py34
-rw-r--r--ipaclient/remote_plugins/2_156/stageuser.py1492
-rw-r--r--ipaclient/remote_plugins/2_156/sudocmd.py394
-rw-r--r--ipaclient/remote_plugins/2_156/sudocmdgroup.py540
-rw-r--r--ipaclient/remote_plugins/2_156/sudorule.py1774
-rw-r--r--ipaclient/remote_plugins/2_156/topology.py1026
-rw-r--r--ipaclient/remote_plugins/2_156/trust.py1264
-rw-r--r--ipaclient/remote_plugins/2_156/user.py1869
-rw-r--r--ipaclient/remote_plugins/2_156/vault.py1680
-rw-r--r--ipaclient/remote_plugins/2_164/__init__.py15
-rw-r--r--ipaclient/remote_plugins/2_164/aci.py812
-rw-r--r--ipaclient/remote_plugins/2_164/automember.py827
-rw-r--r--ipaclient/remote_plugins/2_164/automount.py1228
-rw-r--r--ipaclient/remote_plugins/2_164/batch.py71
-rw-r--r--ipaclient/remote_plugins/2_164/caacl.py1155
-rw-r--r--ipaclient/remote_plugins/2_164/cert.py382
-rw-r--r--ipaclient/remote_plugins/2_164/certprofile.py431
-rw-r--r--ipaclient/remote_plugins/2_164/config.py408
-rw-r--r--ipaclient/remote_plugins/2_164/delegation.py383
-rw-r--r--ipaclient/remote_plugins/2_164/dns.py5167
-rw-r--r--ipaclient/remote_plugins/2_164/domainlevel.py60
-rw-r--r--ipaclient/remote_plugins/2_164/group.py912
-rw-r--r--ipaclient/remote_plugins/2_164/hbacrule.py1305
-rw-r--r--ipaclient/remote_plugins/2_164/hbacsvc.py413
-rw-r--r--ipaclient/remote_plugins/2_164/hbacsvcgroup.py528
-rw-r--r--ipaclient/remote_plugins/2_164/hbactest.py284
-rw-r--r--ipaclient/remote_plugins/2_164/host.py1680
-rw-r--r--ipaclient/remote_plugins/2_164/hostgroup.py709
-rw-r--r--ipaclient/remote_plugins/2_164/idrange.py639
-rw-r--r--ipaclient/remote_plugins/2_164/idviews.py1491
-rw-r--r--ipaclient/remote_plugins/2_164/internal.py92
-rw-r--r--ipaclient/remote_plugins/2_164/join.py62
-rw-r--r--ipaclient/remote_plugins/2_164/krbtpolicy.py266
-rw-r--r--ipaclient/remote_plugins/2_164/migration.py319
-rw-r--r--ipaclient/remote_plugins/2_164/misc.py113
-rw-r--r--ipaclient/remote_plugins/2_164/netgroup.py865
-rw-r--r--ipaclient/remote_plugins/2_164/otpconfig.py206
-rw-r--r--ipaclient/remote_plugins/2_164/otptoken.py893
-rw-r--r--ipaclient/remote_plugins/2_164/otptoken_yubikey.py33
-rw-r--r--ipaclient/remote_plugins/2_164/passwd.py93
-rw-r--r--ipaclient/remote_plugins/2_164/permission.py1099
-rw-r--r--ipaclient/remote_plugins/2_164/ping.py62
-rw-r--r--ipaclient/remote_plugins/2_164/pkinit.py63
-rw-r--r--ipaclient/remote_plugins/2_164/privilege.py656
-rw-r--r--ipaclient/remote_plugins/2_164/pwpolicy.py937
-rw-r--r--ipaclient/remote_plugins/2_164/radiusproxy.py521
-rw-r--r--ipaclient/remote_plugins/2_164/realmdomains.py195
-rw-r--r--ipaclient/remote_plugins/2_164/role.py758
-rw-r--r--ipaclient/remote_plugins/2_164/selfservice.py338
-rw-r--r--ipaclient/remote_plugins/2_164/selinuxusermap.py905
-rw-r--r--ipaclient/remote_plugins/2_164/server.py317
-rw-r--r--ipaclient/remote_plugins/2_164/service.py1225
-rw-r--r--ipaclient/remote_plugins/2_164/servicedelegation.py907
-rw-r--r--ipaclient/remote_plugins/2_164/session.py34
-rw-r--r--ipaclient/remote_plugins/2_164/stageuser.py1616
-rw-r--r--ipaclient/remote_plugins/2_164/sudocmd.py394
-rw-r--r--ipaclient/remote_plugins/2_164/sudocmdgroup.py540
-rw-r--r--ipaclient/remote_plugins/2_164/sudorule.py1774
-rw-r--r--ipaclient/remote_plugins/2_164/topology.py1055
-rw-r--r--ipaclient/remote_plugins/2_164/trust.py1264
-rw-r--r--ipaclient/remote_plugins/2_164/user.py1993
-rw-r--r--ipaclient/remote_plugins/2_164/vault.py1680
-rw-r--r--ipaclient/remote_plugins/2_49/__init__.py15
-rw-r--r--ipaclient/remote_plugins/2_49/aci.py811
-rw-r--r--ipaclient/remote_plugins/2_49/automember.py758
-rw-r--r--ipaclient/remote_plugins/2_49/automount.py1225
-rw-r--r--ipaclient/remote_plugins/2_49/batch.py69
-rw-r--r--ipaclient/remote_plugins/2_49/cert.py209
-rw-r--r--ipaclient/remote_plugins/2_49/config.py394
-rw-r--r--ipaclient/remote_plugins/2_49/delegation.py384
-rw-r--r--ipaclient/remote_plugins/2_49/dns.py5063
-rw-r--r--ipaclient/remote_plugins/2_49/entitle.py383
-rw-r--r--ipaclient/remote_plugins/2_49/group.py854
-rw-r--r--ipaclient/remote_plugins/2_49/hbacrule.py1198
-rw-r--r--ipaclient/remote_plugins/2_49/hbacsvc.py390
-rw-r--r--ipaclient/remote_plugins/2_49/hbacsvcgroup.py493
-rw-r--r--ipaclient/remote_plugins/2_49/hbactest.py213
-rw-r--r--ipaclient/remote_plugins/2_49/host.py1030
-rw-r--r--ipaclient/remote_plugins/2_49/hostgroup.py670
-rw-r--r--ipaclient/remote_plugins/2_49/idrange.py609
-rw-r--r--ipaclient/remote_plugins/2_49/internal.py90
-rw-r--r--ipaclient/remote_plugins/2_49/join.py64
-rw-r--r--ipaclient/remote_plugins/2_49/krbtpolicy.py269
-rw-r--r--ipaclient/remote_plugins/2_49/migration.py295
-rw-r--r--ipaclient/remote_plugins/2_49/misc.py113
-rw-r--r--ipaclient/remote_plugins/2_49/netgroup.py826
-rw-r--r--ipaclient/remote_plugins/2_49/passwd.py86
-rw-r--r--ipaclient/remote_plugins/2_49/permission.py751
-rw-r--r--ipaclient/remote_plugins/2_49/ping.py60
-rw-r--r--ipaclient/remote_plugins/2_49/pkinit.py61
-rw-r--r--ipaclient/remote_plugins/2_49/privilege.py603
-rw-r--r--ipaclient/remote_plugins/2_49/pwpolicy.py947
-rw-r--r--ipaclient/remote_plugins/2_49/role.py682
-rw-r--r--ipaclient/remote_plugins/2_49/selfservice.py337
-rw-r--r--ipaclient/remote_plugins/2_49/selinuxusermap.py852
-rw-r--r--ipaclient/remote_plugins/2_49/service.py621
-rw-r--r--ipaclient/remote_plugins/2_49/session.py624
-rw-r--r--ipaclient/remote_plugins/2_49/sudocmd.py371
-rw-r--r--ipaclient/remote_plugins/2_49/sudocmdgroup.py501
-rw-r--r--ipaclient/remote_plugins/2_49/sudorule.py1561
-rw-r--r--ipaclient/remote_plugins/2_49/trust.py685
-rw-r--r--ipaclient/remote_plugins/2_49/user.py1372
-rw-r--r--ipaclient/remote_plugins/__init__.py12
-rw-r--r--ipaclient/remote_plugins/compat.py76
-rw-r--r--ipaclient/remote_plugins/schema.py120
-rw-r--r--ipaclient/setup.py.in4
-rw-r--r--ipalib/frontend.py6
198 files changed, 139695 insertions, 105 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b04f819a9..6893d704e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1300,6 +1300,7 @@ fi
%{python_sitelib}/ipaclient/*.py*
%{python_sitelib}/ipaclient/plugins/*.py*
%{python_sitelib}/ipaclient/remote_plugins/*.py*
+%{python_sitelib}/ipaclient/remote_plugins/2_*/*.py*
%{python_sitelib}/ipaclient-*.egg-info
@@ -1316,6 +1317,8 @@ fi
%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
%{python3_sitelib}/ipaclient/remote_plugins/*.py
%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
%{python3_sitelib}/ipaclient-*.egg-info
%endif # with_python3
diff --git a/ipaclient/frontend.py b/ipaclient/frontend.py
index 94d694631..e8eacc068 100644
--- a/ipaclient/frontend.py
+++ b/ipaclient/frontend.py
@@ -3,6 +3,104 @@
#
from ipalib.frontend import Command, Method
+from ipalib.parameters import Str
+from ipalib.text import _
+
+
+class ClientCommand(Command):
+ def get_options(self):
+ skip = set()
+ for option in super(ClientCommand, self).get_options():
+ if option.name in skip:
+ continue
+ if option.name in ('all', 'raw'):
+ skip.add(option.name)
+ yield option
+
+
+class ClientMethod(ClientCommand, Method):
+ _failed_member_output_params = (
+ # baseldap
+ Str(
+ 'member',
+ label=_("Failed members"),
+ ),
+ Str(
+ 'sourcehost',
+ label=_("Failed source hosts/hostgroups"),
+ ),
+ Str(
+ 'memberhost',
+ label=_("Failed hosts/hostgroups"),
+ ),
+ Str(
+ 'memberuser',
+ label=_("Failed users/groups"),
+ ),
+ Str(
+ 'memberservice',
+ label=_("Failed service/service groups"),
+ ),
+ Str(
+ 'failed',
+ label=_("Failed to remove"),
+ flags=['suppress_empty'],
+ ),
+ Str(
+ 'ipasudorunas',
+ label=_("Failed RunAs"),
+ ),
+ Str(
+ 'ipasudorunasgroup',
+ label=_("Failed RunAsGroup"),
+ ),
+ # caacl
+ Str(
+ 'ipamembercertprofile',
+ label=_("Failed profiles"),
+ ),
+ Str(
+ 'ipamemberca',
+ label=_("Failed CAs"),
+ ),
+ # host
+ Str(
+ 'managedby',
+ label=_("Failed managedby"),
+ ),
+ # service
+ Str(
+ 'ipaallowedtoperform_read_keys',
+ label=_("Failed allowed to retrieve keytab"),
+ ),
+ Str(
+ 'ipaallowedtoperform_write_keys',
+ label=_("Failed allowed to create keytab"),
+ ),
+ # servicedelegation
+ Str(
+ 'failed_memberprincipal',
+ label=_("Failed members"),
+ ),
+ Str(
+ 'ipaallowedtarget',
+ label=_("Failed targets"),
+ ),
+ # vault
+ Str(
+ 'owner?',
+ label=_("Failed owners"),
+ ),
+ )
+
+ def get_output_params(self):
+ seen = set()
+ for output_param in super(ClientMethod, self).get_output_params():
+ seen.add(output_param.name)
+ yield output_param
+ for output_param in self._failed_member_output_params:
+ if output_param.name not in seen:
+ yield output_param
class CommandOverride(Command):
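Review bot: `ClientCommand.get_options` drops every repeat of `all` and `raw` without saying why, and the de-duplication covers only those two names, so any other option the parent yields twice still passes through. A short docstring would settle it, e.g. `"""Yield the parent's options, keeping only the first 'all' and 'raw'."""`, plus a comment naming where the duplicates come from (presumably the versioned plugin modules that list both flags explicitly in `takes_options`, as `2_114/aci.py` does in this commit). `_failed_member_output_params` mirrors server-side attribute names by hand, grouped under `# baseldap`, `# caacl`, `# vault` and so on; a leading comment such as `# keep in step with the server plugins' failed-member keys` would make that coupling visible to whoever adds the next plugin. `get_output_params` also relies on `seen` being fully populated before the second loop starts, which holds only because the first loop is exhausted first; a one-line comment there would stop a later refactor from interleaving them.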
@@ -24,6 +122,14 @@ class CommandOverride(Command):
def topic(self):
return self.next.topic
+ @property
+ def forwarded_name(self):
+ return self.next.forwarded_name
+
+ @property
+ def api_version(self):
+ return self.next.api_version
+
def _on_finalize(self):
self.next.finalize()
diff --git a/ipaclient/remote_plugins/2_114/__init__.py b/ipaclient/remote_plugins/2_114/__init__.py
new file mode 100644
index 000000000..f1e2d03e8
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/__init__.py
@@ -0,0 +1,15 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+from ..compat import CompatCommand, CompatMethod, CompatObject
+
+Object = CompatObject
+
+
+class Command(CompatCommand):
+ api_version = u'2.114'
+
+
+class Method(Command, CompatMethod):
+ pass
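Review bot: `api_version = u'2.114'` repeats the version already encoded in the package directory name `2_114`, and nothing on the new side ties the two together. If these package files are maintained by hand rather than generated, a comment such as `# must match the package directory name (2_114)` on that line would guard against the two drifting apart, since the client would then advertise a different API version from the plugin set it loaded. `Method(Command, CompatMethod)` appears to depend on `Command` coming first in the bases so that `api_version` is inherited from it; a one-line class docstring saying so would help.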
diff --git a/ipaclient/remote_plugins/2_114/aci.py b/ipaclient/remote_plugins/2_114/aci.py
new file mode 100644
index 000000000..316abeb46
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/aci.py
@@ -0,0 +1,812 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Directory Server Access Control Instructions (ACIs)
+
+ACIs are used to allow or deny access to information. This module is
+currently designed to allow, not deny, access.
+
+The aci commands are designed to grant permissions that allow updating
+existing entries or adding or deleting new ones. The goal of the ACIs
+that ship with IPA is to provide a set of low-level permissions that
+grant access to special groups called taskgroups. These low-level
+permissions can be combined into roles that grant broader access. These
+roles are another type of group, roles.
+
+For example, if you have taskgroups that allow adding and modifying users you
+could create a role, useradmin. You would assign users to the useradmin
+role to allow them to do the operations defined by the taskgroups.
+
+You can create ACIs that delegate permission so users in group A can write
+attributes on group B.
+
+The type option is a map that applies to all entries in the users, groups or
+host location. It is primarily designed to be used when granting add
+permissions (to write new entries).
+
+An ACI consists of three parts:
+1. target
+2. permissions
+3. bind rules
+
+The target is a set of rules that define which LDAP objects are being
+targeted. This can include a list of attributes, an area of that LDAP
+tree or an LDAP filter.
+
+The targets include:
+- attrs: list of attributes affected
+- type: an object type (user, group, host, service, etc)
+- memberof: members of a group
+- targetgroup: grant access to modify a specific group. This is primarily
+ designed to enable users to add or remove members of a specific group.
+- filter: A legal LDAP filter used to narrow the scope of the target.
+- subtree: Used to apply a rule across an entire set of objects. For example,
+ to allow adding users you need to grant "add" permission to the subtree
+ ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option
+ is a fail-safe for objects that may not be covered by the type option.
+
+The permissions define what the ACI is allowed to do, and are one or
+more of:
+1. write - write one or more attributes
+2. read - read one or more attributes
+3. add - add a new entry to the tree
+4. delete - delete an existing entry
+5. all - all permissions are granted
+
+Note the distinction between attributes and entries. The permissions are
+independent, so being able to add a user does not mean that the user will
+be editable.
+
+The bind rule defines who this ACI grants permissions to. The LDAP server
+allows this to be any valid LDAP entry but we encourage the use of
+taskgroups so that the rights can be easily shared through roles.
+
+For a more thorough description of access controls see
+http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html
+
+EXAMPLES:
+
+NOTE: ACIs are now added via the permission plugin. These examples are to
+demonstrate how the various options work but this is done via the permission
+command-line now (see last example).
+
+ Add an ACI so that the group "secretaries" can update the address on any user:
+ ipa group-add --desc="Office secretaries" secretaries
+ ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses"
+
+ Show the new ACI:
+ ipa aci-show --prefix=none "Secretaries write addresses"
+
+ Add an ACI that allows members of the "addusers" permission to add new users:
+ ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users"
+
+ Add an ACI that allows members of the editors manage members of the admins group:
+ ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins"
+
+ Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group:
+ ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street --attrs=postalcode --prefix=none "admins edit the address of editors"
+
+ Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss:
+ ipa aci-add --permissions=write --group=admins --attrs=street --attrs=postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss"
+
+ Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
+ ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
+
+
+The show command shows the raw 389-ds ACI.
+
+IMPORTANT: When modifying the target attributes of an existing ACI you
+must include all existing attributes as well. When doing an aci-mod the
+targetattr REPLACES the current attributes, it does not add to them.
+""")
+
+register = Registry()
+
+
+@register()
+class aci(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'ACI name'),
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ ),
+ )
+
+
+@register()
+class aci_add(Method):
+ __doc__ = _("Create new ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'test',
+ required=False,
+ doc=_(u"Test the ACI syntax but don't write anything"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_del(Method):
+ __doc__ = _("Delete ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_find(Method):
+ __doc__ = _("""
+Search for ACIs.
+
+ Returns a list of ACIs
+
+ EXAMPLES:
+
+ To find all ACIs that apply directly to members of the group ipausers:
+ ipa aci-find --memberof=ipausers
+
+ To find all ACIs that grant add access:
+ ipa aci-find --permissions=add
+
+ Note that the find command only looks for the given text in the set of
+ ACIs, it does not evaluate the ACIs to see if something would apply.
+ For example, searching on memberof=ipausers will find all ACIs that
+ have ipausers as a memberof. There may be other ACIs that apply to
+ members of that group indirectly.
+ """)
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Bool(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ required=False,
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class aci_mod(Method):
+ __doc__ = _("Modify ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_rename(Method):
+ __doc__ = _("Rename an ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Str(
+ 'newname',
+ doc=_(u'New ACI name'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_show(Method):
+ __doc__ = _("Display a single ACI given an ACI name.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.DNParam(
+ 'location',
+ required=False,
+ label=_(u'Location of the ACI'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/automember.py b/ipaclient/remote_plugins/2_114/automember.py
new file mode 100644
index 000000000..09b5a8d01
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/automember.py
@@ -0,0 +1,827 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Auto Membership Rule.
+
+Bring clarity to the membership of hosts and users by configuring inclusive
+or exclusive regex patterns, you can automatically assign a new entries into
+a group or hostgroup based upon attribute information.
+
+A rule is directly associated with a group by name, so you cannot create
+a rule without an accompanying group or hostgroup.
+
+A condition is a regular expression used by 389-ds to match a new incoming
+entry with an automember rule. If it matches an inclusive rule then the
+entry is added to the appropriate group or hostgroup.
+
+A default group or hostgroup could be specified for entries that do not
+match any rule. In case of user entries this group will be a fallback group
+because all users are by default members of group specified in IPA config.
+
+The automember-rebuild command can be used to retroactively run automember rules
+against existing entries, thus rebuilding their membership.
+
+EXAMPLES:
+
+ Add the initial group or hostgroup:
+ ipa hostgroup-add --desc="Web Servers" webservers
+ ipa group-add --desc="Developers" devel
+
+ Add the initial rule:
+ ipa automember-add --type=hostgroup webservers
+ ipa automember-add --type=group devel
+
+ Add a condition to the rule:
+ ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
+ ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel
+
+ Add an exclusive condition to the rule to prevent auto assignment:
+ ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
+
+ Add a host:
+ ipa host-add web1.example.com
+
+ Add a user:
+ ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott
+
+ Verify automembership:
+ ipa hostgroup-show webservers
+ Host-group: webservers
+ Description: Web Servers
+ Member hosts: web1.example.com
+
+ ipa group-show devel
+ Group name: devel
+ Description: Developers
+ GID: 1004200000
+ Member users: tuser
+
+ Remove a condition from the rule:
+ ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
+
+ Modify the automember rule:
+ ipa automember-mod
+
+ Set the default (fallback) target group:
+ ipa automember-default-group-set --default-group=webservers --type=hostgroup
+ ipa automember-default-group-set --default-group=ipausers --type=group
+
+ Remove the default (fallback) target group:
+ ipa automember-default-group-remove --type=hostgroup
+ ipa automember-default-group-remove --type=group
+
+ Show the default (fallback) target group:
+ ipa automember-default-group-show --type=hostgroup
+ ipa automember-default-group-show --type=group
+
+ Find all of the automember rules:
+ ipa automember-find
+
+ Display a automember rule:
+ ipa automember-show --type=hostgroup webservers
+ ipa automember-show --type=group devel
+
+ Delete an automember rule:
+ ipa automember-del --type=hostgroup webservers
+ ipa automember-del --type=group devel
+
+ Rebuild membership for all users:
+ ipa automember-rebuild --type=group
+
+ Rebuild membership for all hosts:
+ ipa automember-rebuild --type=hostgroup
+
+ Rebuild membership for specified users:
+ ipa automember-rebuild --users=tuser1 --users=tuser2
+
+ Rebuild membership for specified hosts:
+ ipa automember-rebuild --hosts=web1.example.com --hosts=web2.example.com
+""")
+
+register = Registry()
+
+
+@register()
+class automember(Object):
+ takes_params = (
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberdefaultgroup',
+ required=False,
+ label=_(u'Default (fallback) Group'),
+ doc=_(u'Default group for entries to land'),
+ ),
+ )
+
+
+@register()
+class automember_add(Method):
+ __doc__ = _("Add an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_add_condition(Method):
+ __doc__ = _("Add conditions to an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberinclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='inclusive_regex',
+ label=_(u'Inclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'automemberexclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='exclusive_regex',
+ label=_(u'Exclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'key',
+ label=_(u'Attribute Key'),
+ doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Conditions that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of conditions added'),
+ ),
+ )
+
+
+@register()
+class automember_default_group_remove(Method):
+ __doc__ = _("Remove default (fallback) group for all unmatched entries.")
+
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_default_group_set(Method):
+ __doc__ = _("Set default (fallback) group for all unmatched entries.")
+
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberdefaultgroup',
+ cli_name='default_group',
+ label=_(u'Default (fallback) Group'),
+ doc=_(u'Default (fallback) group for entries to land'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_default_group_show(Method):
+ __doc__ = _("Display information about the default (fallback) automember groups.")
+
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_del(Method):
+ __doc__ = _("Delete an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automember_find(Method):
+ __doc__ = _("Search for automember rules.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automember_mod(Method):
+ __doc__ = _("Modify an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_rebuild(Command):
+ __doc__ = _("Rebuild auto membership.")
+
+ takes_options = (
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Rebuild membership for all members of a grouping'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Str(
+ 'users',
+ required=False,
+ multivalue=True,
+ label=_(u'Users'),
+ doc=_(u'Rebuild membership for specified users'),
+ ),
+ parameters.Str(
+ 'hosts',
+ required=False,
+ multivalue=True,
+ label=_(u'Hosts'),
+ doc=_(u'Rebuild membership for specified hosts'),
+ ),
+ parameters.Flag(
+ 'no_wait',
+ required=False,
+ label=_(u'No wait'),
+ doc=_(u"Don't wait for rebuilding membership"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_remove_condition(Method):
+ __doc__ = _("Remove conditions from an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberinclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='inclusive_regex',
+ label=_(u'Inclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'automemberexclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='exclusive_regex',
+ label=_(u'Exclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'key',
+ label=_(u'Attribute Key'),
+ doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Conditions that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of conditions removed'),
+ ),
+ )
+
+
+@register()
+class automember_show(Method):
+ __doc__ = _("Display information about an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
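Review bot: The example conditions in the module docstring of automember.py anchor their regexes only at the start, so `--inclusive-regex=^web[1-9]+\.example\.com` would also match an fqdn such as `web1.example.com.other.test` (constructed), and `^uid=mscott` would also match a manager DN beginning `uid=mscott2`, assuming the server evaluates conditions as a regex search, which the leading `^` suggests. Because a match puts a new entry into a group or hostgroup automatically, the examples should show a closing delimiter, e.g. `^web[1-9]+\.example\.com$` and `^uid=mscott,`; the exclusive-regex and remove-condition examples need the same change. The docstring also writes `\.` inside a non-raw `"""` literal, which newer Python versions warn about as an invalid escape sequence; writing `\\.` leaves the runtime text unchanged. If this module is generated from the server API, both fixes presumably belong in the server-side help text, which is not visible here.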
diff --git a/ipaclient/remote_plugins/2_114/automount.py b/ipaclient/remote_plugins/2_114/automount.py
new file mode 100644
index 000000000..c2fcd6cca
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/automount.py
@@ -0,0 +1,1228 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Automount
+
+Stores automount(8) configuration for autofs(8) in IPA.
+
+The base of an automount configuration is the configuration file auto.master.
+This is also the base location in IPA. Multiple auto.master configurations
+can be stored in separate locations. A location is implementation-specific
+with the default being a location named 'default'. For example, you can have
+locations by geographic region, by floor, by type, etc.
+
+Automount has three basic object types: locations, maps and keys.
+
+A location defines a set of maps anchored in auto.master. This allows you
+to store multiple automount configurations. A location in itself isn't
+very interesting, it is just a point to start a new automount map.
+
+A map is roughly equivalent to a discrete automount file and provides
+storage for keys.
+
+A key is a mount point associated with a map.
+
+When a new location is created, two maps are automatically created for
+it: auto.master and auto.direct. auto.master is the root map for all
+automount maps for the location. auto.direct is the default map for
+direct mounts and is mounted on /-.
+
+An automount map may contain a submount key. This key defines a mount
+location within the map that references another map. This can be done
+either using automountmap-add-indirect --parentmap or manually
+with automountkey-add and setting info to "-type=autofs :<mapname>".
+
+EXAMPLES:
+
+Locations:
+
+ Create a named location, "Baltimore":
+ ipa automountlocation-add baltimore
+
+ Display the new location:
+ ipa automountlocation-show baltimore
+
+ Find available locations:
+ ipa automountlocation-find
+
+ Remove a named automount location:
+ ipa automountlocation-del baltimore
+
+ Show what the automount maps would look like if they were in the filesystem:
+ ipa automountlocation-tofiles baltimore
+
+ Import an existing configuration into a location:
+ ipa automountlocation-import baltimore /etc/auto.master
+
+ The import will fail if any duplicate entries are found. For
+ continuous operation where errors are ignored, use the --continue
+ option.
+
+Maps:
+
+ Create a new map, "auto.share":
+ ipa automountmap-add baltimore auto.share
+
+ Display the new map:
+ ipa automountmap-show baltimore auto.share
+
+ Find maps in the location baltimore:
+ ipa automountmap-find baltimore
+
+ Create an indirect map with auto.share as a submount:
+ ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man
+
+ This is equivalent to:
+
+ ipa automountmap-add-indirect baltimore --mount=/man auto.man
+ ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share"
+
+ Remove the auto.share map:
+ ipa automountmap-del baltimore auto.share
+
+Keys:
+
+ Create a new key for the auto.share map in location baltimore. This ties
+ the map we previously created to auto.master:
+ ipa automountkey-add baltimore auto.master --key=/share --info=auto.share
+
+ Create a new key for our auto.share map, an NFS mount for man pages:
+ ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man"
+
+ Find all keys for the auto.share map:
+ ipa automountkey-find baltimore auto.share
+
+ Find all direct automount keys:
+ ipa automountkey-find baltimore --key=/-
+
+ Remove the man key from the auto.share map:
+ ipa automountkey-del baltimore auto.share --key=man
+""")
+
+register = Registry()
+
+
+@register()
+class automountkey(Object):
+ takes_params = (
+ parameters.Str(
+ 'automountkey',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ primary_key=True,
+ label=_(u'description'),
+ exclude=('webui', 'cli'),
+ ),
+ )
+
+
+@register()
+class automountlocation(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+
+
+@register()
+class automountmap(Object):
+ takes_params = (
+ parameters.Str(
+ 'automountmapname',
+ primary_key=True,
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ )
+
+
+@register()
+class automountkey_add(Method):
+ __doc__ = _("Create a new automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountkey_del(Method):
+ __doc__ = _("Delete an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automountkey_find(Method):
+ __doc__ = _("Search for an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ required=False,
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountkey_mod(Method):
+ __doc__ = _("Modify an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'newautomountinformation',
+ required=False,
+ cli_name='newinfo',
+ label=_(u'New mount information'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the automount key object'),
+ exclude=('webui',),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountkey_show(Method):
+ __doc__ = _("Display an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_add(Method):
+ __doc__ = _("Create a new automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_del(Method):
+ __doc__ = _("Delete an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automountlocation_find(Method):
+ __doc__ = _("Search for an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("location")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountlocation_show(Method):
+ __doc__ = _("Display an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_tofiles(Method):
+ __doc__ = _("Generate automount files for a specific location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class automountmap_add(Method):
+ __doc__ = _("Create a new automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_add_indirect(Method):
+ __doc__ = _("Create a new indirect mount point.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'key',
+ cli_name='mount',
+ label=_(u'Mount point'),
+ ),
+ parameters.Str(
+ 'parentmap',
+ required=False,
+ label=_(u'Parent map'),
+ doc=_(u'Name of parent automount map (default: auto.master).'),
+ default=u'auto.master',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_del(Method):
+ __doc__ = _("Delete an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ multivalue=True,
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automountmap_find(Method):
+ __doc__ = _("Search for an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountmapname',
+ required=False,
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("map")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountmap_mod(Method):
+ __doc__ = _("Modify an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_show(Method):
+ __doc__ = _("Display an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/batch.py b/ipaclient/remote_plugins/2_114/batch.py
new file mode 100644
index 000000000..4a613b677
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/batch.py
@@ -0,0 +1,71 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugin to make multiple ipa calls via one remote procedure call
+
+To run this code in the lite-server
+
+curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json
+
+where the contents of the file batch_request.json follow the below example
+
+{"method":"batch","params":[[
+ {"method":"group_find","params":[[],{}]},
+ {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]},
+ {"method":"user_show","params":[["admin"],{"all":true}]}
+ ],{}],"id":1}
+
+The format of the response is nested the same way. At the top you will see
+ "error": null,
+ "id": 1,
+ "result": {
+ "count": 3,
+ "results": [
+
+
+And then a nested response for each IPA command method sent in the request
+""")
+
+register = Registry()
+
+
+@register()
+class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'methods',
+ required=False,
+ multivalue=True,
+ doc=_(u'Nested Methods to execute'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'count',
+ int,
+ ),
+ output.Output(
+ 'results',
+ (list, tuple),
+ ),
+ )
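Review bot: The curl example in the module docstring posts to `http://localhost:8888/ipa/json` while passing `--negotiate` and `--cacert /etc/ipa/ca.crt`; with an `http://` URL the CA file is never used, and the Negotiate header, the request and the response all travel without TLS. The docstring should say this is for a local development lite-server only, for example by adding `The lite-server speaks plain HTTP; use this only against localhost.` after the curl line, or it should drop `--cacert` so the example does not suggest a verified connection. The same example passes `"whoami":"true","all":"true"` as strings but `"all":true` as a boolean in the next call; one form should be used, presumably the boolean. The `batch` class also has no `__doc__`, unlike the commands declared in the neighbouring files of this commit.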
diff --git a/ipaclient/remote_plugins/2_114/cert.py b/ipaclient/remote_plugins/2_114/cert.py
new file mode 100644
index 000000000..763f63e37
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/cert.py
@@ -0,0 +1,376 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+IPA certificate operations
+
+Implements a set of commands for managing server SSL certificates.
+
+Certificate requests exist in the form of a Certificate Signing Request (CSR)
+in PEM format.
+
+The dogtag CA uses just the CN value of the CSR and forces the rest of the
+subject to values configured in the server.
+
+A certificate is stored with a service principal and a service principal
+needs a host.
+
+In order to request a certificate:
+
+* The host must exist
+* The service must exist (or you use the --add option to automatically add it)
+
+SEARCHING:
+
+Certificates may be searched on by certificate subject, serial number,
+revocation reason, validity dates and the issued date.
+
+When searching on dates the _from date does a >= search and the _to date
+does a <= search. When combined these are done as an AND.
+
+Dates are treated as GMT to match the dates in the certificates.
+
+The date format is YYYY-mm-dd.
+
+EXAMPLES:
+
+ Request a new certificate and add the principal:
+ ipa cert-request --add --principal=HTTP/lion.example.com example.csr
+
+ Retrieve an existing certificate:
+ ipa cert-show 1032
+
+ Revoke a certificate (see RFC 5280 for reason details):
+ ipa cert-revoke --revocation-reason=6 1032
+
+ Remove a certificate from revocation hold status:
+ ipa cert-remove-hold 1032
+
+ Check the status of a signing request:
+ ipa cert-status 10
+
+ Search for certificates by hostname:
+ ipa cert-find --subject=ipaserver.example.com
+
+ Search for revoked certificates by reason:
+ ipa cert-find --revocation-reason=5
+
+ Search for certificates based on issuance date
+ ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07
+
+IPA currently immediately issues (or declines) all certificate requests so
+the status of a request is not normally useful. This is for future use
+or the case where a CA does not immediately issue a certificate.
+
+The following revocation reasons are supported:
+
+ * 0 - unspecified
+ * 1 - keyCompromise
+ * 2 - cACompromise
+ * 3 - affiliationChanged
+ * 4 - superseded
+ * 5 - cessationOfOperation
+ * 6 - certificateHold
+ * 8 - removeFromCRL
+ * 9 - privilegeWithdrawn
+ * 10 - aACompromise
+
+Note that reason code 7 is not used. See RFC 5280 for more details:
+
+http://www.ietf.org/rfc/rfc5280.txt
+""")
+
+register = Registry()
+
+
+@register()
+class ca_is_enabled(Command):
+ __doc__ = _("Checks if any of the servers has the CA service enabled.")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cert_find(Command):
+ __doc__ = _("Search for existing certificates.")
+
+ takes_options = (
+ parameters.Str(
+ 'subject',
+ required=False,
+ label=_(u'Subject'),
+ ),
+ parameters.Int(
+ 'revocation_reason',
+ required=False,
+ label=_(u'Reason'),
+ doc=_(u'Reason for revoking the certificate (0-10)'),
+ ),
+ parameters.Int(
+ 'min_serial_number',
+ required=False,
+ doc=_(u'minimum serial number'),
+ ),
+ parameters.Int(
+ 'max_serial_number',
+ required=False,
+ doc=_(u'maximum serial number'),
+ ),
+ parameters.Flag(
+ 'exactly',
+ required=False,
+ doc=_(u'match the common name exactly'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'validnotafter_from',
+ required=False,
+ doc=_(u'Valid not after from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'validnotafter_to',
+ required=False,
+ doc=_(u'Valid not after to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'validnotbefore_from',
+ required=False,
+ doc=_(u'Valid not before from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'validnotbefore_to',
+ required=False,
+ doc=_(u'Valid not before to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'issuedon_from',
+ required=False,
+ doc=_(u'Issued on from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'issuedon_to',
+ required=False,
+ doc=_(u'Issued on to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'revokedon_from',
+ required=False,
+ doc=_(u'Revoked on from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'revokedon_to',
+ required=False,
+ doc=_(u'Revoked on to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of certs returned'),
+ default=100,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class cert_remove_hold(Command):
+ __doc__ = _("Take a revoked certificate off hold.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_request(Command):
+ __doc__ = _("Submit a certificate signing request.")
+
+ takes_args = (
+ parameters.Str(
+ 'csr',
+ cli_name='csr_file',
+ label=_(u'CSR'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal for this certificate (e.g. HTTP/test.example.com)'),
+ ),
+ parameters.Str(
+ 'request_type',
+ default=u'pkcs10',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'add',
+ doc=_(u"automatically add the principal if it doesn't exist"),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ )
+
+
+@register()
+class cert_revoke(Command):
+ __doc__ = _("Revoke a certificate.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'revocation_reason',
+ label=_(u'Reason'),
+ doc=_(u'Reason for revoking the certificate (0-10)'),
+ default=0,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_show(Command):
+ __doc__ = _("Retrieve an existing certificate.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'out',
+ required=False,
+ label=_(u'Output filename'),
+ doc=_(u'File to store the certificate in.'),
+ exclude=('webui',),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_status(Command):
+ __doc__ = _("Check the status of a certificate signing request.")
+
+ takes_args = (
+ parameters.Str(
+ 'request_id',
+ label=_(u'Request id'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
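Review bot: `revocation_reason` is declared as a bare `parameters.Int` in both `cert_find` and `cert_revoke`, so the allowed range exists only in the doc text `(0-10)` and in the module docstring, which also says code 7 is not used. If the client validates arguments against these declarations, an out-of-range reason would only be caught by the server, if at all; adding `minvalue=0,` and `maxvalue=10,` to both parameters would reject it before the call is sent. Whether the server enforces the range is not visible in this hunk, so that should be confirmed against the server-side plugin. In `cert_revoke` the option also autofills `default=0` (unspecified), which is worth stating in its `doc` so operators know that a revocation without `--revocation-reason` is recorded with no reason.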
diff --git a/ipaclient/remote_plugins/2_114/config.py b/ipaclient/remote_plugins/2_114/config.py
new file mode 100644
index 000000000..b55951602
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/config.py
@@ -0,0 +1,408 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Server configuration
+
+Manage the default values that IPA uses and some of its tuning parameters.
+
+NOTES:
+
+The password notification value (--pwdexpnotify) is stored here so it will
+be replicated. It is not currently used to notify users in advance of an
+expiring password.
+
+Some attributes are read-only, provided only for information purposes. These
+include:
+
+Certificate Subject base: the configured certificate subject base,
+ e.g. O=EXAMPLE.COM. This is configurable only at install time.
+Password plug-in features: currently defines additional hashes that the
+ password will generate (there may be other conditions).
+
+When setting the order list for mapping SELinux users you may need to
+quote the value so it isn't interpreted by the shell.
+
+EXAMPLES:
+
+ Show basic server configuration:
+ ipa config-show
+
+ Show all configuration options:
+ ipa config-show --all
+
+ Change maximum username length to 99 characters:
+ ipa config-mod --maxusername=99
+
+ Increase default time and size limits for maximum IPA server search:
+ ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000
+
+ Set default user e-mail domain:
+ ipa config-mod --emaildomain=example.com
+
+ Enable migration mode to make "ipa migrate-ds" command operational:
+ ipa config-mod --enable-migration=TRUE
+
+ Define SELinux user map order:
+ ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
+""")
+
+register = Registry()
+
+
+@register()
+class config(Object):
+ takes_params = (
+ parameters.Int(
+ 'ipamaxusernamelength',
+ label=_(u'Maximum username length'),
+ ),
+ parameters.Str(
+ 'ipahomesrootdir',
+ label=_(u'Home directory base'),
+ doc=_(u'Default location of home directories'),
+ ),
+ parameters.Str(
+ 'ipadefaultloginshell',
+ label=_(u'Default shell'),
+ doc=_(u'Default shell for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultprimarygroup',
+ label=_(u'Default users group'),
+ doc=_(u'Default group for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultemaildomain',
+ required=False,
+ label=_(u'Default e-mail domain'),
+ ),
+ parameters.Int(
+ 'ipasearchtimelimit',
+ label=_(u'Search time limit'),
+ doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'),
+ ),
+ parameters.Int(
+ 'ipasearchrecordslimit',
+ label=_(u'Search size limit'),
+ doc=_(u'Maximum number of records to search (-1 is unlimited)'),
+ ),
+ parameters.Str(
+ 'ipausersearchfields',
+ label=_(u'User search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for users'),
+ ),
+ parameters.Str(
+ 'ipagroupsearchfields',
+ label=_(u'Group search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for groups'),
+ ),
+ parameters.Bool(
+ 'ipamigrationenabled',
+ label=_(u'Enable migration mode'),
+ ),
+ parameters.DNParam(
+ 'ipacertificatesubjectbase',
+ label=_(u'Certificate Subject base'),
+ doc=_(u'Base for certificate subjects (OU=Test,O=Example)'),
+ ),
+ parameters.Str(
+ 'ipagroupobjectclasses',
+ multivalue=True,
+ label=_(u'Default group objectclasses'),
+ doc=_(u'Default group objectclasses (comma-separated list)'),
+ ),
+ parameters.Str(
+ 'ipauserobjectclasses',
+ multivalue=True,
+ label=_(u'Default user objectclasses'),
+ doc=_(u'Default user objectclasses (comma-separated list)'),
+ ),
+ parameters.Int(
+ 'ipapwdexpadvnotify',
+ label=_(u'Password Expiration Notification (days)'),
+ doc=_(u"Number of days's notice of impending password expiration"),
+ ),
+ parameters.Str(
+ 'ipaconfigstring',
+ required=False,
+ multivalue=True,
+ label=_(u'Password plugin features'),
+ doc=_(u'Extra hashes to generate in password plug-in'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermaporder',
+ label=_(u'SELinux user map order'),
+ doc=_(u'Order in increasing priority of SELinux users, delimited by $'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermapdefault',
+ required=False,
+ label=_(u'Default SELinux user'),
+ doc=_(u'Default SELinux user when no match is found in SELinux map rule'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ label=_(u'Default PAC types'),
+ doc=_(u'Default types of PAC supported for services'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ label=_(u'Default user authentication types'),
+ doc=_(u'Default types of supported user authentication'),
+ ),
+ )
+
+
+@register()
+class config_mod(Method):
+ __doc__ = _("Modify configuration options.")
+
+ takes_options = (
+ parameters.Int(
+ 'ipamaxusernamelength',
+ required=False,
+ cli_name='maxusername',
+ label=_(u'Maximum username length'),
+ ),
+ parameters.Str(
+ 'ipahomesrootdir',
+ required=False,
+ cli_name='homedirectory',
+ label=_(u'Home directory base'),
+ doc=_(u'Default location of home directories'),
+ ),
+ parameters.Str(
+ 'ipadefaultloginshell',
+ required=False,
+ cli_name='defaultshell',
+ label=_(u'Default shell'),
+ doc=_(u'Default shell for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultprimarygroup',
+ required=False,
+ cli_name='defaultgroup',
+ label=_(u'Default users group'),
+ doc=_(u'Default group for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultemaildomain',
+ required=False,
+ cli_name='emaildomain',
+ label=_(u'Default e-mail domain'),
+ ),
+ parameters.Int(
+ 'ipasearchtimelimit',
+ required=False,
+ cli_name='searchtimelimit',
+ label=_(u'Search time limit'),
+ doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'),
+ ),
+ parameters.Int(
+ 'ipasearchrecordslimit',
+ required=False,
+ cli_name='searchrecordslimit',
+ label=_(u'Search size limit'),
+ doc=_(u'Maximum number of records to search (-1 is unlimited)'),
+ ),
+ parameters.Str(
+ 'ipausersearchfields',
+ required=False,
+ cli_name='usersearch',
+ label=_(u'User search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for users'),
+ ),
+ parameters.Str(
+ 'ipagroupsearchfields',
+ required=False,
+ cli_name='groupsearch',
+ label=_(u'Group search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for groups'),
+ ),
+ parameters.Bool(
+ 'ipamigrationenabled',
+ required=False,
+ cli_name='enable_migration',
+ label=_(u'Enable migration mode'),
+ ),
+ parameters.Str(
+ 'ipagroupobjectclasses',
+ required=False,
+ multivalue=True,
+ cli_name='groupobjectclasses',
+ label=_(u'Default group objectclasses'),
+ doc=_(u'Default group objectclasses (comma-separated list)'),
+ ),
+ parameters.Str(
+ 'ipauserobjectclasses',
+ required=False,
+ multivalue=True,
+ cli_name='userobjectclasses',
+ label=_(u'Default user objectclasses'),
+ doc=_(u'Default user objectclasses (comma-separated list)'),
+ ),
+ parameters.Int(
+ 'ipapwdexpadvnotify',
+ required=False,
+ cli_name='pwdexpnotify',
+ label=_(u'Password Expiration Notification (days)'),
+ doc=_(u"Number of days's notice of impending password expiration"),
+ ),
+ parameters.Str(
+ 'ipaconfigstring',
+ required=False,
+ multivalue=True,
+ cli_metavar="['AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout']",
+ label=_(u'Password plugin features'),
+ doc=_(u'Extra hashes to generate in password plug-in'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermaporder',
+ required=False,
+ label=_(u'SELinux user map order'),
+ doc=_(u'Order in increasing priority of SELinux users, delimited by $'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermapdefault',
+ required=False,
+ label=_(u'Default SELinux user'),
+ doc=_(u'Default SELinux user when no match is found in SELinux map rule'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'nfs:NONE']",
+ label=_(u'Default PAC types'),
+ doc=_(u'Default types of PAC supported for services'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'Default user authentication types'),
+ doc=_(u'Default types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class config_show(Method):
+ __doc__ = _("Show the current configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/delegation.py b/ipaclient/remote_plugins/2_114/delegation.py
new file mode 100644
index 000000000..87496117f
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/delegation.py
@@ -0,0 +1,383 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Group to Group Delegation
+
+A permission enables fine-grained delegation of permissions. Access Control
+Rules, or instructions (ACIs), grant permission to permissions to perform
+given tasks such as adding a user, modifying a group, etc.
+
+Group to Group Delegations grants the members of one group to update a set
+of attributes of members of another group.
+
+EXAMPLES:
+
+ Add a delegation rule to allow managers to edit employee's addresses:
+ ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"
+
+ When managing the list of attributes you need to include all attributes
+ in the list, including existing ones. Add postalCode to the list:
+ ipa delegation-mod --attrs=street --attrs=postalCode --group=managers --membergroup=employees "managers edit employees' street"
+
+ Display our updated rule:
+ ipa delegation-show "managers edit employees' street"
+
+ Delete a rule:
+ ipa delegation-del "managers edit employees' street"
+""")
+
+register = Registry()
+
+
+@register()
+class delegation(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'Delegation name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ ),
+ parameters.Str(
+ 'memberof',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ )
+
+
+@register()
+class delegation_add(Method):
+ __doc__ = _("Add a new delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_del(Method):
+ __doc__ = _("Delete a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_find(Method):
+ __doc__ = _("Search for delegations.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class delegation_mod(Method):
+ __doc__ = _("Modify a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_show(Method):
+ __doc__ = _("Display information about a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
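Review bot: The `doc` strings for `group` ('User group ACI grants access to') and `memberof` ('User group to apply delegation to') in `delegation`, `delegation_add`, `delegation_find` and `delegation_mod` do not say which group receives the rights and which group's entries are the target, and swapping `--group` with `--membergroup` reverses who may write to whose attributes. The module example (`--group=managers --membergroup=employees "managers edit employees' street"`) shows that `group` is the grantee and `memberof` the target, so I would word them as `doc=_(u'User group whose members are granted the access')` and `doc=_(u"User group whose members' entries the delegation applies to")`. In `delegation_find` the `permissions` option also reuses `Permissions to grant (read, write). Default is write.`, although there it appears to act as a search filter and no default is visible in the stub. If this file is generated from the server API at this version, which the path suggests but the hunk does not state, the wording belongs in the server-side plugin so that client and server stay in step.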
diff --git a/ipaclient/remote_plugins/2_114/dns.py b/ipaclient/remote_plugins/2_114/dns.py
new file mode 100644
index 000000000..5d91dbcb3
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/dns.py
@@ -0,0 +1,5373 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Domain Name System (DNS)
+
+Manage DNS zone and resource records.
+
+SUPPORTED ZONE TYPES
+
+ * Master zone (dnszone-*), contains authoritative data.
+ * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders
+ (a set of DNS servers).
+
+USING STRUCTURED PER-TYPE OPTIONS
+
+There are many structured DNS RR types where DNS data stored in LDAP server
+is not just a scalar value, for example an IP address or a domain name, but
+a data structure which may be often complex. A good example is a LOC record
+[RFC1876] which consists of many mandatory and optional parts (degrees,
+minutes, seconds of latitude and longitude, altitude or precision).
+
+It may be difficult to manipulate such DNS records without making a mistake
+and entering an invalid value. DNS module provides an abstraction over these
+raw records and allows to manipulate each RR type with specific options. For
+each supported RR type, DNS module provides a standard option to manipulate
+a raw records with format --<rrtype>-rec, e.g. --mx-rec, and special options
+for every part of the RR structure with format --<rrtype>-<partname>, e.g.
+--mx-preference and --mx-exchanger.
+
+When adding a record, either RR specific options or standard option for a raw
+value can be used, they just should not be combined in one add operation. When
+modifying an existing entry, new RR specific options can be used to change
+one part of a DNS record, where the standard option for raw value is used
+to specify the modified value. The following example demonstrates
+a modification of MX record preference from 0 to 1 in a record without
+modifying the exchanger:
+ipa dnsrecord-mod --mx-rec="0 mx.example.com." --mx-preference=1
+
+
+EXAMPLES:
+
+ Add new zone:
+ ipa dnszone-add example.com --admin-email=admin@example.com
+
+ Add system permission that can be used for per-zone privilege delegation:
+ ipa dnszone-add-permission example.com
+
+ Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
+ ipa dnszone-mod example.com --dynamic-update=TRUE
+
+ This is the equivalent of:
+ ipa dnszone-mod example.com --dynamic-update=TRUE \
+ --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
+
+ Modify the zone to allow zone transfers for local network only:
+ ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24
+
+ Add new reverse zone specified by network IP address:
+ ipa dnszone-add --name-from-ip=192.0.2.0/24
+
+ Add second nameserver for example.com:
+ ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com
+
+ Add a mail server for example.com:
+ ipa dnsrecord-add example.com @ --mx-rec="10 mail1"
+
+ Add another record using MX record specific options:
+ ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2
+
+ Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod,
+ or dnsrecord-del are executed with no options):
+ ipa dnsrecord-add example.com @
+ Please choose a type of DNS resource record to be added
+ The most common types for this type of zone are: NS, MX, LOC
+
+ DNS resource record type: MX
+ MX Preference: 30
+ MX Exchanger: mail3
+ Record name: example.com
+ MX record: 10 mail1, 20 mail2, 30 mail3
+ NS record: nameserver.example.com., nameserver2.example.com.
+
+ Delete previously added nameserver from example.com:
+ ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.
+
+ Add LOC record for example.com:
+ ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m"
+
+ Add new A record for www.example.com. Create a reverse record in appropriate
+ reverse zone as well. In this case a PTR record "2" pointing to www.example.com
+ will be created in zone 2.0.192.in-addr.arpa.
+ ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse
+
+ Add new PTR record for www.example.com
+ ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.
+
+ Add new SRV records for LDAP servers. Three quarters of the requests
+ should go to fast.example.com, one quarter to slow.example.com. If neither
+ is available, switch to backup.example.com.
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com"
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com"
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"
+
+ The interactive mode can be used for easy modification:
+ ipa dnsrecord-mod example.com _ldap._tcp
+ No option to modify specific record provided.
+ Current DNS record contents:
+
+ SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com
+
+ Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No):
+ Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y
+ SRV Priority [0]: (keep the default value)
+ SRV Weight [1]: 2 (modified value)
+ SRV Port [389]: (keep the default value)
+ SRV Target [slow.example.com]: (keep the default value)
+ 1 SRV record skipped. Only one value per DNS record type can be modified at one time.
+ Record name: _ldap._tcp
+ SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com
+
+ After this modification, three fifths of the requests should go to
+ fast.example.com and two fifths to slow.example.com.
+
+ An example of the interactive mode for dnsrecord-del command:
+ ipa dnsrecord-del example.com www
+ No option to delete specific record provided.
+ Delete all? Yes/No (default No): (do not delete all records)
+ Current DNS record contents:
+
+ A record: 192.0.2.2, 192.0.2.3
+
+ Delete A record '192.0.2.2'? Yes/No (default No):
+ Delete A record '192.0.2.3'? Yes/No (default No): y
+ Record name: www
+ A record: 192.0.2.2 (A record 192.0.2.3 has been deleted)
+
+ Show zone example.com:
+ ipa dnszone-show example.com
+
+ Find zone with "example" in its domain name:
+ ipa dnszone-find example
+
+ Find records for resources with "www" in their name in zone example.com:
+ ipa dnsrecord-find example.com www
+
+ Find A records with value 192.0.2.2 in zone example.com
+ ipa dnsrecord-find example.com --a-rec=192.0.2.2
+
+ Show records for resource www in zone example.com
+ ipa dnsrecord-show example.com www
+
+ Delegate zone sub.example to another nameserver:
+ ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
+ ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
+
+ Delete zone example.com with all resource records:
+ ipa dnszone-del example.com
+
+ If a global forwarder is configured, all queries for which this server is not
+ authoritative (e.g. sub.example.com) will be routed to the global forwarder.
+ Global forwarding configuration can be overridden per-zone.
+
+ Semantics of forwarding in IPA matches BIND semantics and depends on the type
+ of zone:
+ * Master zone: local BIND replies authoritatively to queries for data in
+ the given zone (including authoritative NXDOMAIN answers) and forwarding
+ affects only queries for names below zone cuts (NS records) of locally
+ served zones.
+
+ * Forward zone: forward zone contains no authoritative data. BIND forwards
+ queries, which cannot be answered from its local cache, to configured
+ forwarders.
+
+ Semantics of the --forwarder-policy option:
+ * none - disable forwarding for the given zone.
+ * first - forward all queries to configured forwarders. If they fail,
+ do resolution using DNS root servers.
+ * only - forward all queries to configured forwarders and if they fail,
+ return failure.
+
+ Disable global forwarding for given sub-tree:
+ ipa dnszone-mod example.com --forward-policy=none
+
+ This configuration forwards all queries for names outside the example.com
+ sub-tree to global forwarders. Normal recursive resolution process is used
+ for names inside the example.com sub-tree (i.e. NS records are followed etc.).
+
+ Forward all requests for the zone external.example.com to another forwarder
+ using a "first" policy (it will send the queries to the selected forwarder
+ and if not answered it will use global root servers):
+ ipa dnsforwardzone-add external.example.com --forward-policy=first \
+ --forwarder=203.0.113.1
+
+ Change forward-policy for external.example.com:
+ ipa dnsforwardzone-mod external.example.com --forward-policy=only
+
+ Show forward zone external.example.com:
+ ipa dnsforwardzone-show external.example.com
+
+ List all forward zones:
+ ipa dnsforwardzone-find
+
+ Delete forward zone external.example.com:
+ ipa dnsforwardzone-del external.example.com
+
+ Resolve a host name to see if it exists (will add default IPA domain
+ if one is not included):
+ ipa dns-resolve www.example.com
+ ipa dns-resolve www
+
+
+GLOBAL DNS CONFIGURATION
+
+DNS configuration passed to command line install script is stored in a local
+configuration file on each IPA server where DNS service is configured. These
+local settings can be overridden with a common configuration stored in LDAP
+server:
+
+ Show global DNS configuration:
+ ipa dnsconfig-show
+
+ Modify global DNS configuration and set a list of global forwarders:
+ ipa dnsconfig-mod --forwarder=203.0.113.113
+""")
+
+register = Registry()
+
+
+@register()
+class dnsconfig(Object):
+ takes_params = (
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Global forwarders'),
+ doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'),
+ ),
+ parameters.Int(
+ 'idnszonerefresh',
+ required=False,
+ label=_(u'Zone refresh interval'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone(Object):
+ takes_params = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ )
+
+
+@register()
+class dnsrecord(Object):
+ takes_params = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Record name'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ ),
+ parameters.Str(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+ ),
+ parameters.Str(
+ 'dnstype',
+ required=False,
+ label=_(u'Record type'),
+ ),
+ parameters.Str(
+ 'dnsdata',
+ required=False,
+ label=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'a_extra_create_reverse',
+ required=False,
+ label=_(u'A Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'aaaa_extra_create_reverse',
+ required=False,
+ label=_(u'AAAA Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.DNSNameParam(
+ 'afsdb_part_hostname',
+ required=False,
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'cname_part_hostname',
+ required=False,
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Int(
+ 'dlv_part_key_tag',
+ required=False,
+ label=_(u'DLV Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'dlv_part_algorithm',
+ required=False,
+ label=_(u'DLV Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'dlv_part_digest_type',
+ required=False,
+ label=_(u'DLV Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'dlv_part_digest',
+ required=False,
+ label=_(u'DLV Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'dname_part_target',
+ required=False,
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DNSKEY record'),
+ doc=_(u'Raw DNSKEY records'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'kx_part_exchanger',
+ required=False,
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'mx_part_exchanger',
+ required=False,
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.DNSNameParam(
+ 'ns_part_hostname',
+ required=False,
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ label=_(u'NSEC3 record'),
+ doc=_(u'Raw NSEC3 records'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.DNSNameParam(
+ 'ptr_part_hostname',
+ required=False,
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.DNSNameParam(
+ 'srv_part_target',
+ required=False,
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TA record'),
+ doc=_(u'Raw TA records'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Int(
+ 'tlsa_part_cert_usage',
+ required=False,
+ label=_(u'TLSA Certificate Usage'),
+ doc=_(u'Certificate Usage'),
+ ),
+ parameters.Int(
+ 'tlsa_part_selector',
+ required=False,
+ label=_(u'TLSA Selector'),
+ doc=_(u'Selector'),
+ ),
+ parameters.Int(
+ 'tlsa_part_matching_type',
+ required=False,
+ label=_(u'TLSA Matching Type'),
+ doc=_(u'Matching Type'),
+ ),
+ parameters.Str(
+ 'tlsa_part_cert_association_data',
+ required=False,
+ label=_(u'TLSA Certificate Association Data'),
+ doc=_(u'Certificate Association Data'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TKEY record'),
+ doc=_(u'Raw TKEY records'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TSIG record'),
+ doc=_(u'Raw TSIG records'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ )
+
+
+@register()
+class dnszone(Object):
+ takes_params = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ label=_(u'Administrator e-mail address'),
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ label=_(u'BIND update policy'),
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ )
+
+
+@register()
+class dns_is_enabled(Command):
+ __doc__ = _("Checks if any of the servers has the DNS service enabled.")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dns_resolve(Command):
+ __doc__ = _("Resolve a host name in DNS.")
+
+ takes_args = (
+ parameters.Str(
+ 'hostname',
+ label=_(u'Hostname'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsconfig_mod(Method):
+ __doc__ = _("Modify global DNS configuration.")
+
+ takes_options = (
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Global forwarders'),
+ doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'),
+ ),
+ parameters.Int(
+ 'idnszonerefresh',
+ required=False,
+ deprecated=True,
+ cli_name='zone_refresh',
+ label=_(u'Zone refresh interval'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsconfig_show(Method):
+ __doc__ = _("Show the current global DNS configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_add(Method):
+ __doc__ = _("Create new DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_add_permission(Method):
+ __doc__ = _("Add a permission for per-forward zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_del(Method):
+ __doc__ = _("Delete DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_disable(Method):
+ __doc__ = _("Disable DNS Forward Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_enable(Method):
+ __doc__ = _("Enable DNS Forward Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_find(Method):
+ __doc__ = _("Search for DNS forward zones.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ cli_name='zone_active',
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_mod(Method):
+ __doc__ = _("Modify DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_remove_permission(Method):
+ __doc__ = _("Remove a permission for per-forward zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_show(Method):
+ __doc__ = _("Display information about a DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_add(Method):
+ __doc__ = _("Add new DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ option_group=u'A Record',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ cli_name='a_ip_address',
+ option_group=u'A Record',
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'a_extra_create_reverse',
+ required=False,
+ cli_name='a_create_reverse',
+ option_group=u'A Record',
+ label=_(u'A Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ cli_name='aaaa_ip_address',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'aaaa_extra_create_reverse',
+ required=False,
+ cli_name='aaaa_create_reverse',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ option_group=u'A6 Record',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ cli_name='a6_data',
+ option_group=u'A6 Record',
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ cli_name='afsdb_subtype',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.DNSNameParam(
+ 'afsdb_part_hostname',
+ required=False,
+ cli_name='afsdb_hostname',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ option_group=u'APL Record',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ option_group=u'CERT Record',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ cli_name='cert_type',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ cli_name='cert_key_tag',
+ option_group=u'CERT Record',
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ cli_name='cert_algorithm',
+ option_group=u'CERT Record',
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ cli_name='cert_certificate_or_crl',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'cname_part_hostname',
+ required=False,
+ cli_name='cname_hostname',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ option_group=u'DHCID Record',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ option_group=u'DLV Record',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Int(
+ 'dlv_part_key_tag',
+ required=False,
+ cli_name='dlv_key_tag',
+ option_group=u'DLV Record',
+ label=_(u'DLV Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'dlv_part_algorithm',
+ required=False,
+ cli_name='dlv_algorithm',
+ option_group=u'DLV Record',
+ label=_(u'DLV Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'dlv_part_digest_type',
+ required=False,
+ cli_name='dlv_digest_type',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'dlv_part_digest',
+ required=False,
+ cli_name='dlv_digest',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'dname_part_target',
+ required=False,
+ cli_name='dname_target',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ option_group=u'DNSKEY Record',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ option_group=u'DS Record',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ cli_name='ds_key_tag',
+ option_group=u'DS Record',
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ cli_name='ds_algorithm',
+ option_group=u'DS Record',
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ cli_name='ds_digest_type',
+ option_group=u'DS Record',
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ cli_name='ds_digest',
+ option_group=u'DS Record',
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ option_group=u'HIP Record',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ option_group=u'IPSECKEY Record',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ option_group=u'KEY Record',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ option_group=u'KX Record',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ cli_name='kx_preference',
+ option_group=u'KX Record',
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'kx_part_exchanger',
+ required=False,
+ cli_name='kx_exchanger',
+ option_group=u'KX Record',
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ option_group=u'LOC Record',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ cli_name='loc_lat_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ cli_name='loc_lat_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ cli_name='loc_lat_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ cli_name='loc_lat_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['N', 'S']",
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ cli_name='loc_lon_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ cli_name='loc_lon_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ cli_name='loc_lon_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ cli_name='loc_lon_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['E', 'W']",
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ cli_name='loc_altitude',
+ option_group=u'LOC Record',
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ cli_name='loc_size',
+ option_group=u'LOC Record',
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ cli_name='loc_h_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ cli_name='loc_v_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ option_group=u'MX Record',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ cli_name='mx_preference',
+ option_group=u'MX Record',
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'mx_part_exchanger',
+ required=False,
+ cli_name='mx_exchanger',
+ option_group=u'MX Record',
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ cli_name='naptr_order',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ cli_name='naptr_preference',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ cli_name='naptr_flags',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ cli_name='naptr_service',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ cli_name='naptr_regexp',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ cli_name='naptr_replacement',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ option_group=u'NS Record',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.DNSNameParam(
+ 'ns_part_hostname',
+ required=False,
+ cli_name='ns_hostname',
+ option_group=u'NS Record',
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ option_group=u'NSEC3 Record',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ option_group=u'PTR Record',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.DNSNameParam(
+ 'ptr_part_hostname',
+ required=False,
+ cli_name='ptr_hostname',
+ option_group=u'PTR Record',
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ option_group=u'RP Record',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ option_group=u'SIG Record',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ option_group=u'SPF Record',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ option_group=u'SRV Record',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ cli_name='srv_priority',
+ option_group=u'SRV Record',
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ cli_name='srv_weight',
+ option_group=u'SRV Record',
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ cli_name='srv_port',
+ option_group=u'SRV Record',
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.DNSNameParam(
+ 'srv_part_target',
+ required=False,
+ cli_name='srv_target',
+ option_group=u'SRV Record',
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ cli_name='sshfp_algorithm',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ cli_name='sshfp_fp_type',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ cli_name='sshfp_fingerprint',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ option_group=u'TA Record',
+ label=_(u'TA record'),
+ doc=_(u'Raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Int(
+ 'tlsa_part_cert_usage',
+ required=False,
+ cli_name='tlsa_cert_usage',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Usage'),
+ doc=_(u'Certificate Usage'),
+ ),
+ parameters.Int(
+ 'tlsa_part_selector',
+ required=False,
+ cli_name='tlsa_selector',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Selector'),
+ doc=_(u'Selector'),
+ ),
+ parameters.Int(
+ 'tlsa_part_matching_type',
+ required=False,
+ cli_name='tlsa_matching_type',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Matching Type'),
+ doc=_(u'Matching Type'),
+ ),
+ parameters.Str(
+ 'tlsa_part_cert_association_data',
+ required=False,
+ cli_name='tlsa_cert_association_data',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Association Data'),
+ doc=_(u'Certificate Association Data'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ option_group=u'TKEY Record',
+ label=_(u'TKEY record'),
+ doc=_(u'Raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ option_group=u'TSIG Record',
+ label=_(u'TSIG record'),
+ doc=_(u'Raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ option_group=u'TXT Record',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ cli_name='txt_data',
+ option_group=u'TXT Record',
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force NS record creation even if its hostname is not in DNS'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_del(Method):
+ __doc__ = _("Delete DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ label=_(u'TA record'),
+ doc=_(u'Raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ label=_(u'TKEY record'),
+ doc=_(u'Raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ label=_(u'TSIG record'),
+ doc=_(u'Raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Flag(
+ 'del_all',
+ label=_(u'Delete all associated records'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsrecord_delentry(Method):
+ __doc__ = _("Delete DNS record entry.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsrecord_find(Method):
+ __doc__ = _("Search for DNS resources.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ label=_(u'TA record'),
+ doc=_(u'Raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ label=_(u'TKEY record'),
+ doc=_(u'Raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ label=_(u'TSIG record'),
+ doc=_(u'Raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnsrecord_mod(Method):
+ __doc__ = _("Modify a DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ option_group=u'A Record',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ cli_name='a_ip_address',
+ option_group=u'A Record',
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ cli_name='aaaa_ip_address',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ option_group=u'A6 Record',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ cli_name='a6_data',
+ option_group=u'A6 Record',
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ cli_name='afsdb_subtype',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.DNSNameParam(
+ 'afsdb_part_hostname',
+ required=False,
+ cli_name='afsdb_hostname',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ option_group=u'APL Record',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ option_group=u'CERT Record',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ cli_name='cert_type',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ cli_name='cert_key_tag',
+ option_group=u'CERT Record',
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ cli_name='cert_algorithm',
+ option_group=u'CERT Record',
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ cli_name='cert_certificate_or_crl',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'cname_part_hostname',
+ required=False,
+ cli_name='cname_hostname',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ option_group=u'DHCID Record',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ option_group=u'DLV Record',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Int(
+ 'dlv_part_key_tag',
+ required=False,
+ cli_name='dlv_key_tag',
+ option_group=u'DLV Record',
+ label=_(u'DLV Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'dlv_part_algorithm',
+ required=False,
+ cli_name='dlv_algorithm',
+ option_group=u'DLV Record',
+ label=_(u'DLV Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'dlv_part_digest_type',
+ required=False,
+ cli_name='dlv_digest_type',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'dlv_part_digest',
+ required=False,
+ cli_name='dlv_digest',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'dname_part_target',
+ required=False,
+ cli_name='dname_target',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ option_group=u'DNSKEY Record',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ option_group=u'DS Record',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ cli_name='ds_key_tag',
+ option_group=u'DS Record',
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ cli_name='ds_algorithm',
+ option_group=u'DS Record',
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ cli_name='ds_digest_type',
+ option_group=u'DS Record',
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ cli_name='ds_digest',
+ option_group=u'DS Record',
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ option_group=u'HIP Record',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ option_group=u'IPSECKEY Record',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ option_group=u'KEY Record',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ option_group=u'KX Record',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ cli_name='kx_preference',
+ option_group=u'KX Record',
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'kx_part_exchanger',
+ required=False,
+ cli_name='kx_exchanger',
+ option_group=u'KX Record',
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ option_group=u'LOC Record',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ cli_name='loc_lat_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ cli_name='loc_lat_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ cli_name='loc_lat_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ cli_name='loc_lat_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['N', 'S']",
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ cli_name='loc_lon_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ cli_name='loc_lon_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ cli_name='loc_lon_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ cli_name='loc_lon_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['E', 'W']",
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ cli_name='loc_altitude',
+ option_group=u'LOC Record',
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ cli_name='loc_size',
+ option_group=u'LOC Record',
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ cli_name='loc_h_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ cli_name='loc_v_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ option_group=u'MX Record',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ cli_name='mx_preference',
+ option_group=u'MX Record',
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'mx_part_exchanger',
+ required=False,
+ cli_name='mx_exchanger',
+ option_group=u'MX Record',
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ cli_name='naptr_order',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ cli_name='naptr_preference',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ cli_name='naptr_flags',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ cli_name='naptr_service',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ cli_name='naptr_regexp',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ cli_name='naptr_replacement',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ option_group=u'NS Record',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.DNSNameParam(
+ 'ns_part_hostname',
+ required=False,
+ cli_name='ns_hostname',
+ option_group=u'NS Record',
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ option_group=u'NSEC3 Record',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ option_group=u'PTR Record',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.DNSNameParam(
+ 'ptr_part_hostname',
+ required=False,
+ cli_name='ptr_hostname',
+ option_group=u'PTR Record',
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ option_group=u'RP Record',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ option_group=u'SIG Record',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ option_group=u'SPF Record',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ option_group=u'SRV Record',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ cli_name='srv_priority',
+ option_group=u'SRV Record',
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ cli_name='srv_weight',
+ option_group=u'SRV Record',
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ cli_name='srv_port',
+ option_group=u'SRV Record',
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.DNSNameParam(
+ 'srv_part_target',
+ required=False,
+ cli_name='srv_target',
+ option_group=u'SRV Record',
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ cli_name='sshfp_algorithm',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ cli_name='sshfp_fp_type',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ cli_name='sshfp_fingerprint',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ option_group=u'TA Record',
+ label=_(u'TA record'),
+ doc=_(u'Raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Int(
+ 'tlsa_part_cert_usage',
+ required=False,
+ cli_name='tlsa_cert_usage',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Usage'),
+ doc=_(u'Certificate Usage'),
+ ),
+ parameters.Int(
+ 'tlsa_part_selector',
+ required=False,
+ cli_name='tlsa_selector',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Selector'),
+ doc=_(u'Selector'),
+ ),
+ parameters.Int(
+ 'tlsa_part_matching_type',
+ required=False,
+ cli_name='tlsa_matching_type',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Matching Type'),
+ doc=_(u'Matching Type'),
+ ),
+ parameters.Str(
+ 'tlsa_part_cert_association_data',
+ required=False,
+ cli_name='tlsa_cert_association_data',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Association Data'),
+ doc=_(u'Certificate Association Data'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ option_group=u'TKEY Record',
+ label=_(u'TKEY record'),
+ doc=_(u'Raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ option_group=u'TSIG Record',
+ label=_(u'TSIG record'),
+ doc=_(u'Raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ option_group=u'TXT Record',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ cli_name='txt_data',
+ option_group=u'TXT Record',
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.DNSNameParam(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the DNS resource record object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_show(Method):
+ __doc__ = _("Display DNS resource.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_add(Method):
+ __doc__ = _("Create new DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default=DNSName(u'hostmaster'),
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ autofill=True,
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ cli_name='dnssec',
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ default=False,
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'Force DNS zone creation even if nameserver is not resolvable.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ip_address',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_add_permission(Method):
+ __doc__ = _("Add a permission for per-zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnszone_del(Method):
+ __doc__ = _("Delete DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnszone_disable(Method):
+ __doc__ = _("Disable DNS Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_enable(Method):
+ __doc__ = _("Enable DNS Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_find(Method):
+ __doc__ = _("Search for DNS zones (SOA records).")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ cli_name='zone_active',
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ required=False,
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default=DNSName(u'hostmaster'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ required=False,
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ required=False,
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ required=False,
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ required=False,
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ no_convert=True,
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ cli_name='dnssec',
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ default=False,
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'forward_only',
+ label=_(u'Forward zones only'),
+ doc=_(u'Search for forward zones only'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnszone_mod(Method):
+ __doc__ = _("Modify DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ required=False,
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default=DNSName(u'hostmaster'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ required=False,
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ required=False,
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ required=False,
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ required=False,
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ no_convert=True,
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ cli_name='dnssec',
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ default=False,
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'Force nameserver change even if nameserver not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_remove_permission(Method):
+ __doc__ = _("Remove a permission for per-zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnszone_show(Method):
+ __doc__ = _("Display information about a DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/group.py b/ipaclient/remote_plugins/2_114/group.py
new file mode 100644
index 000000000..86d8f7d4a
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/group.py
@@ -0,0 +1,912 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of users
+
+Manage groups of users. By default, new groups are POSIX groups. You
+can add the --nonposix option to the group-add command to mark a new group
+as non-POSIX. You can use the --posix argument with the group-mod command
+to convert a non-POSIX group into a POSIX group. POSIX groups cannot be
+converted to non-POSIX groups.
+
+Every group must have a description.
+
+POSIX groups must have a Group ID (GID) number. Changing a GID is
+supported but can have an impact on your file permissions. It is not necessary
+to supply a GID when creating a group. IPA will generate one automatically
+if it is not provided.
+
+EXAMPLES:
+
+ Add a new group:
+ ipa group-add --desc='local administrators' localadmins
+
+ Add a new non-POSIX group:
+ ipa group-add --nonposix --desc='remote administrators' remoteadmins
+
+ Convert a non-POSIX group to posix:
+ ipa group-mod --posix remoteadmins
+
+ Add a new POSIX group with a specific Group ID number:
+ ipa group-add --gid=500 --desc='unix admins' unixadmins
+
+ Add a new POSIX group and let IPA assign a Group ID number:
+ ipa group-add --desc='printer admins' printeradmins
+
+ Remove a group:
+ ipa group-del unixadmins
+
+ To add the "remoteadmins" group to the "localadmins" group:
+ ipa group-add-member --groups=remoteadmins localadmins
+
+ Add multiple users to the "localadmins" group:
+ ipa group-add-member --users=test1 --users=test2 localadmins
+
+ Remove a user from the "localadmins" group:
+ ipa group-remove-member --users=test2 localadmins
+
+ Display information about a named group.
+ ipa group-show localadmins
+
+External group membership is designed to allow users from trusted domains
+to be mapped to local POSIX groups in order to actually use IPA resources.
+External members should be added to groups that specifically created as
+external and non-POSIX. Such group later should be included into one of POSIX
+groups.
+
+An external group member is currently a Security Identifier (SID) as defined by
+the trusted domain. When adding external group members, it is possible to
+specify them in either SID, or DOM\name, or name@domain format. IPA will attempt
+to resolve passed name to SID with the use of Global Catalog of the trusted domain.
+
+Example:
+
+1. Create group for the trusted domain admins' mapping and their local POSIX group:
+
+ ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
+ ipa group-add --desc='<ad.domain> admins' ad_admins
+
+2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
+ group:
+
+ ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
+
+3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+
+ ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their SIDs:
+
+ ipa group-show ad_admins_external
+""")
+
+register = Registry()
+
+
+@register()
+class group(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Group name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'member_user',
+ required=False,
+ label=_(u'Member users'),
+ ),
+ parameters.Str(
+ 'member_group',
+ required=False,
+ label=_(u'Member groups'),
+ ),
+ parameters.Str(
+ 'memberof_group',
+ required=False,
+ label=_(u'Member of groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberindirect_user',
+ required=False,
+ label=_(u'Indirect Member users'),
+ ),
+ parameters.Str(
+ 'memberindirect_group',
+ required=False,
+ label=_(u'Indirect Member groups'),
+ ),
+ parameters.Str(
+ 'memberofindirect_group',
+ required=False,
+ label=_(u'Indirect Member of group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ )
+
+
+@register()
+class group_add(Method):
+ __doc__ = _("Create a new group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'nonposix',
+ doc=_(u'Create as a non-POSIX group'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'Allow adding external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_add_member(Method):
+ __doc__ = _("Add members to a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaexternalmember',
+ required=False,
+ multivalue=True,
+ cli_name='external',
+ label=_(u'External member'),
+ doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class group_del(Method):
+ __doc__ = _("Delete group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class group_detach(Method):
+ __doc__ = _("Detach a managed group from a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_find(Method):
+ __doc__ = _("Search for groups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'private',
+ doc=_(u'search for private groups'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'posix',
+ doc=_(u'search for POSIX groups'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'search for groups with support of external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'nonposix',
+ doc=_(u'search for non-POSIX groups'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("group-name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'user'),
+ doc=_(u'Search for groups with these member users.'),
+ ),
+ parameters.Str(
+ 'no_user',
+ required=False,
+ multivalue=True,
+ cli_name='no_users',
+ label=_(u'user'),
+ doc=_(u'Search for groups without these member users.'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups with these member groups.'),
+ ),
+ parameters.Str(
+ 'no_group',
+ required=False,
+ multivalue=True,
+ cli_name='no_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups without these member groups.'),
+ ),
+ parameters.Str(
+ 'in_group',
+ required=False,
+ multivalue=True,
+ cli_name='in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups with these member of groups.'),
+ ),
+ parameters.Str(
+ 'not_in_group',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups without these member of groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for groups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for groups without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for groups with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for groups without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for groups with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for groups without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for groups with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for groups without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class group_mod(Method):
+ __doc__ = _("Modify a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'posix',
+ doc=_(u'change to a POSIX group'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'change to support external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the group object'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_remove_member(Method):
+ __doc__ = _("Remove members from a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaexternalmember',
+ required=False,
+ multivalue=True,
+ cli_name='external',
+ label=_(u'External member'),
+ doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class group_show(Method):
+ __doc__ = _("Display information about a named group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
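Review bot: The module docstring is a regular (non-raw) string, so the backslash in `DOM\name` in the paragraph on external group members is read as the escape `\n`, and the help text shows `DOM`, a line break, then `ame`. `'AD\Domain Admins'` in example step 2 relies on the invalid escape `\D`, which recent Python 3 releases warn about. The `ipaexternalmember` docs in `group_add_member` and `group_remove_member` in this same hunk already write `DOM\\name`, so the docstring should match: `specify them in either SID, or DOM\\name, or name@domain format. IPA will attempt` and `ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'`. Administrators follow this text when mapping trusted-domain accounts into local groups, so the account-name syntax has to display exactly. If the file is produced by a generator, the escaping presumably needs fixing where the docstring is emitted.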
diff --git a/ipaclient/remote_plugins/2_114/hbacrule.py b/ipaclient/remote_plugins/2_114/hbacrule.py
new file mode 100644
index 000000000..443e5ba9b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/hbacrule.py
@@ -0,0 +1,1305 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Host-based access control
+
+Control who can access what services on what hosts. You
+can use HBAC to control which users or groups can
+access a service, or group of services, on a target host.
+
+You can also specify a category of users and target hosts.
+This is currently limited to "all", but might be expanded in the
+future.
+
+Target hosts in HBAC rules must be hosts managed by IPA.
+
+The available services and groups of services are controlled by the
+hbacsvc and hbacsvcgroup plug-ins respectively.
+
+EXAMPLES:
+
+ Create a rule, "test1", that grants all users access to the host "server" from
+ anywhere:
+ ipa hbacrule-add --usercat=all test1
+ ipa hbacrule-add-host --hosts=server.example.com test1
+
+ Display the properties of a named HBAC rule:
+ ipa hbacrule-show test1
+
+ Create a rule for a specific service. This lets the user john access
+ the sshd service on any machine from any machine:
+ ipa hbacrule-add --hostcat=all john_sshd
+ ipa hbacrule-add-user --users=john john_sshd
+ ipa hbacrule-add-service --hbacsvcs=sshd john_sshd
+
+ Create a rule for a new service group. This lets the user john access
+ the FTP service on any machine from any machine:
+ ipa hbacsvcgroup-add ftpers
+ ipa hbacsvc-add sftp
+ ipa hbacsvcgroup-add-member --hbacsvcs=ftp --hbacsvcs=sftp ftpers
+ ipa hbacrule-add --hostcat=all john_ftp
+ ipa hbacrule-add-user --users=john john_ftp
+ ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp
+
+ Disable a named HBAC rule:
+ ipa hbacrule-disable test1
+
+ Remove a named HBAC rule:
+ ipa hbacrule-del allow_server
+""")
+
+register = Registry()
+
+
+@register()
+class hbacrule(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'accessruletype',
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ ),
+ parameters.Str(
+ 'memberservice_hbacsvc',
+ required=False,
+ label=_(u'Services'),
+ ),
+ parameters.Str(
+ 'memberservice_hbacsvcgroup',
+ required=False,
+ label=_(u'Service Groups'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add(Method):
+ __doc__ = _("Create a new HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'accessruletype',
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_host(Method):
+ __doc__ = _("Add target hosts and hostgroups to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_service(Method):
+ __doc__ = _("Add services to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hbacsvcgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcgroups',
+ label=_(u'member HBAC service group'),
+ doc=_(u'HBAC service groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_sourcehost(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_user(Method):
+ __doc__ = _("Add users and groups to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_del(Method):
+ __doc__ = _("Delete an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacrule_disable(Method):
+ __doc__ = _("Disable an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_enable(Method):
+ __doc__ = _("Enable an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_find(Method):
+ __doc__ = _("Search for HBAC rules.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'accessruletype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacrule_mod(Method):
+ __doc__ = _("Modify an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'accessruletype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_service(Method):
+ __doc__ = _("Remove service and service groups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hbacsvcgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcgroups',
+ label=_(u'member HBAC service group'),
+ doc=_(u'HBAC service groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_sourcehost(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_user(Method):
+ __doc__ = _("Remove users and groups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_show(Method):
+ __doc__ = _("Display the properties of an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
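Review bot: `accessruletype` in `hbacrule_add` is a plain `parameters.Str` whose `cli_metavar="['allow', 'deny']"` still lists `deny` while its `doc` reads `Rule type (allow)`, and nothing in the declaration limits the accepted values; the same declaration recurs in `hbacrule_find` and `hbacrule_mod`. The option is hidden with `exclude=('webui', 'cli')` but stays part of the API, so whether a `deny` value is refused presumably depends entirely on the server. I would make the metavar agree with the doc, `cli_metavar="['allow']",`, and put `# not validated client-side; the server decides which rule types are accepted` above the parameter so a reader does not take the metavar for an enforced list.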
diff --git a/ipaclient/remote_plugins/2_114/hbacsvc.py b/ipaclient/remote_plugins/2_114/hbacsvc.py
new file mode 100644
index 000000000..ab53d6b3a
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/hbacsvc.py
@@ -0,0 +1,413 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Services
+
+The PAM services that HBAC can control access to. The name used here
+must match the service name that PAM is evaluating.
+
+EXAMPLES:
+
+ Add a new HBAC service:
+ ipa hbacsvc-add tftp
+
+ Modify an existing HBAC service:
+ ipa hbacsvc-mod --desc="TFTP service" tftp
+
+ Search for HBAC services. This example will return two results, the FTP
+ service and the newly-added tftp service:
+ ipa hbacsvc-find ftp
+
+ Delete an HBAC service:
+ ipa hbacsvc-del tftp
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvc(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'memberof_hbacsvcgroup',
+ required=False,
+ label=_(u'Member of HBAC service groups'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_add(Method):
+ __doc__ = _("Add a new HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_del(Method):
+ __doc__ = _("Delete an existing HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacsvc_find(Method):
+ __doc__ = _("Search for HBAC services.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("service")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_mod(Method):
+ __doc__ = _("Modify an HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_show(Method):
+ __doc__ = _("Display information about an HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
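Review bot: The `cn` argument is declared with `no_convert=True` in `hbacsvc_add`, `hbacsvc_del`, `hbacsvc_find`, `hbacsvc_mod` and `hbacsvc_show` with no comment saying why, although the module docstring states that the name must match the service name PAM is evaluating. A mismatch in how the name is normalised could leave an HBAC rule pointing at a service name that PAM never presents, so the intent should be written down at the first occurrence, e.g. `# no_convert: the name is passed through unconverted by the client; any normalisation happens on the server`. That reading is inferred from the flag name, so the wording needs checking against ipalib before it is committed.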
diff --git a/ipaclient/remote_plugins/2_114/hbacsvcgroup.py b/ipaclient/remote_plugins/2_114/hbacsvcgroup.py
new file mode 100644
index 000000000..ef987e9fa
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/hbacsvcgroup.py
@@ -0,0 +1,528 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Service Groups
+
+HBAC service groups can contain any number of individual services,
+or "members". Every group must have a description.
+
+EXAMPLES:
+
+ Add a new HBAC service group:
+ ipa hbacsvcgroup-add --desc="login services" login
+
+ Add members to an HBAC service group:
+ ipa hbacsvcgroup-add-member --hbacsvcs=sshd --hbacsvcs=login login
+
+ Display information about a named group:
+ ipa hbacsvcgroup-show login
+
+ Delete an HBAC service group:
+ ipa hbacsvcgroup-del login
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvcgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service group name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'member_hbacsvc',
+ required=False,
+ label=_(u'Member HBAC service'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_add(Method):
+ __doc__ = _("Add a new HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_add_member(Method):
+ __doc__ = _("Add members to an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_del(Method):
+ __doc__ = _("Delete an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_find(Method):
+ __doc__ = _("Search for an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_mod(Method):
+ __doc__ = _("Modify an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_remove_member(Method):
+ __doc__ = _("Remove members from an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_show(Method):
+ __doc__ = _("Display information about an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
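Review bot: The module docstring says "Every group must have a description", but `description` is declared `required=False` both on the `hbacsvcgroup` object and in `hbacsvcgroup_add.takes_options`, so the help text and the parameter metadata disagree. If the description really is optional, the docstring line should read `or "members". A description is optional.`; if the server does reject groups without one, the option should be marked required so the client fails early. Which side is correct cannot be told from this file, and if the file is generated from the server schema the fix belongs in the server plugin. Separately, `hbacsvcgroup_add_member` and `hbacsvcgroup_remove_member` declare no `summary` output and appear to report partial failure only through `failed` and `completed`, so a comment on their `has_output` such as `# callers must inspect 'failed'; a non-empty dict means the membership change was only partly applied` would help anyone scripting HBAC membership changes.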
diff --git a/ipaclient/remote_plugins/2_114/hbactest.py b/ipaclient/remote_plugins/2_114/hbactest.py
new file mode 100644
index 000000000..b0c49b71b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/hbactest.py
@@ -0,0 +1,284 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Simulate use of Host-based access controls
+
+HBAC rules control who can access what services on what hosts.
+You can use HBAC to control which users or groups can access a service,
+or group of services, on a target host.
+
+Since applying HBAC rules implies use of a production environment,
+this plugin aims to provide simulation of HBAC rules evaluation without
+having access to the production environment.
+
+ Test user coming to a service on a named host against
+ existing enabled rules.
+
+ ipa hbactest --user= --host= --service=
+ [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
+ [--sizelimit= ]
+
+ --user, --host, and --service are mandatory, others are optional.
+
+ If --rules is specified simulate enabling of the specified rules and test
+ the login of the user using only these rules.
+
+ If --enabled is specified, all enabled HBAC rules will be added to simulation
+
+ If --disabled is specified, all disabled HBAC rules will be added to simulation
+
+ If --nodetail is specified, do not return information about rules matched/not matched.
+
+ If both --rules and --enabled are specified, apply simulation to --rules _and_
+ all IPA enabled rules.
+
+ If no --rules specified, simulation is run against all IPA enabled rules.
+ By default there is a IPA-wide limit to number of entries fetched, you can change it
+ with --sizelimit option.
+
+EXAMPLES:
+
+ 1. Use all enabled HBAC rules in IPA database to simulate:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Matched rules: allow_all
+
+ 2. Disable detailed summary of how rules were applied:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail
+ --------------------
+ Access granted: True
+ --------------------
+
+ 3. Test explicitly specified HBAC rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: my-second-rule
+ Not matched rules: myrule
+
+ 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule --enabled
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Matched rules: allow_all
+
+ 5. Test all disabled HBAC rules in IPA database:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: new-rule
+
+ 6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule --disabled
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+
+ 7. Test all (enabled and disabled) HBAC rules in IPA database:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --enabled --disabled
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Not matched rules: new-rule
+ Matched rules: allow_all
+
+
+HBACTEST AND TRUSTED DOMAINS
+
+When an external trusted domain is configured in IPA, HBAC rules are also applied
+on users accessing IPA resources from the trusted domain. Trusted domain users and
+groups (and their SIDs) can be then assigned to external groups which can be
+members of POSIX groups in IPA which can be used in HBAC rules and thus allowing
+access to resources protected by the HBAC system.
+
+hbactest plugin is capable of testing access for both local IPA users and users
+from the trusted domains, either by a fully qualified user name or by user SID.
+Such user names need to have a trusted domain specified as a short name
+(DOMAIN\Administrator) or with a user principal name (UPN), Administrator@ad.test.
+
+Please note that hbactest executed with a trusted domain user as --user parameter
+can be only run by members of "trust admins" group.
+
+EXAMPLES:
+
+ 1. Test if a user from a trusted domain specified by its shortname matches any
+ rule:
+
+ $ ipa hbactest --user 'DOMAIN\Administrator' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 2. Test if a user from a trusted domain specified by its domain name matches
+ any rule:
+
+ $ ipa hbactest --user 'Administrator@domain.com' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 3. Test if a user from a trusted domain specified by its SID matches any rule:
+
+ $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-500 \
+ --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 4. Test if other user from a trusted domain specified by its SID matches any rule:
+
+ $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-1203 \
+ --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Not matched rules: can_login
+
+ 5. Test if other user from a trusted domain specified by its shortname matches
+ any rule:
+
+ $ ipa hbactest --user 'DOMAIN\Otheruser' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Not matched rules: can_login
+""")
+
+register = Registry()
+
+
+@register()
+class hbactest(Command):
+ __doc__ = _("Simulate use of Host-based access controls")
+
+ takes_options = (
+ parameters.Str(
+ 'user',
+ label=_(u'User name'),
+ ),
+ parameters.Str(
+ 'sourcehost',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'targethost',
+ cli_name='host',
+ label=_(u'Target host'),
+ ),
+ parameters.Str(
+ 'service',
+ label=_(u'Service'),
+ ),
+ parameters.Str(
+ 'rules',
+ required=False,
+ multivalue=True,
+ label=_(u'Rules to test. If not specified, --enabled is assumed'),
+ ),
+ parameters.Flag(
+ 'nodetail',
+ required=False,
+ label=_(u'Hide details which rules are matched, not matched, or invalid'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'enabled',
+ required=False,
+ label=_(u'Include all enabled IPA rules into test [default]'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'disabled',
+ required=False,
+ label=_(u'Include all disabled IPA rules into test'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of rules to process when no --rules is specified'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'warning',
+ (list, tuple, type(None)),
+ doc=_(u'Warning'),
+ ),
+ output.Output(
+ 'matched',
+ (list, tuple, type(None)),
+ doc=_(u'Matched rules'),
+ ),
+ output.Output(
+ 'notmatched',
+ (list, tuple, type(None)),
+ doc=_(u'Not matched rules'),
+ ),
+ output.Output(
+ 'error',
+ (list, tuple, type(None)),
+ doc=_(u'Non-existent or invalid rules'),
+ ),
+ output.Output(
+ 'value',
+ bool,
+ doc=_(u'Result of simulation'),
+ ),
+ )
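Review bot: The `enabled` flag is declared with `default=False` although its label ends in `[default]` and the `rules` label says `--enabled` is assumed when no rules are given, so the fallback described in the module docstring is presumably applied by the server and is invisible in this client-side definition. Because the output is read as an access decision, I would add a comment above the flag such as `# default=False on the wire; per the module docstring the server evaluates all enabled rules when --rules is not given`. The module docstring is also a non-raw string, so each trailing `\` in the multi-line examples acts as a line continuation and `DOMAIN\Administrator` / `DOMAIN\Otheruser` contain invalid escapes; writing them as `\\` would keep the rendered help intact. Finally, example 6 lists `my-third-rule`, which is not passed via `--rules` and appears as an enabled rule in example 1, while the disabled `new-rule` from example 5 is absent, so that sample output looks copied and should be rechecked.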
diff --git a/ipaclient/remote_plugins/2_114/host.py b/ipaclient/remote_plugins/2_114/host.py
new file mode 100644
index 000000000..527e75be3
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/host.py
@@ -0,0 +1,1556 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Hosts/Machines
+
+A host represents a machine. It can be used in a number of contexts:
+- service entries are associated with a host
+- a host stores the host/ service principal
+- a host can be used in Host-based Access Control (HBAC) rules
+- every enrolled client generates a host entry
+
+ENROLLMENT:
+
+There are three enrollment scenarios when enrolling a new client:
+
+1. You are enrolling as a full administrator. The host entry may exist
+ or not. A full administrator is a member of the hostadmin role
+ or the admins group.
+2. You are enrolling as a limited administrator. The host must already
+ exist. A limited administrator is a member a role with the
+ Host Enrollment privilege.
+3. The host has been created with a one-time password.
+
+RE-ENROLLMENT:
+
+Host that has been enrolled at some point, and lost its configuration (e.g. VM
+destroyed) can be re-enrolled.
+
+For more information, consult the manual pages for ipa-client-install.
+
+A host can optionally store information such as where it is located,
+the OS that it runs, etc.
+
+EXAMPLES:
+
+ Add a new host:
+ ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com
+
+ Delete a host:
+ ipa host-del test.example.com
+
+ Add a new host with a one-time password:
+ ipa host-add --os='Fedora 12' --password=Secret123 test.example.com
+
+ Add a new host with a random one-time password:
+ ipa host-add --os='Fedora 12' --random test.example.com
+
+ Modify information about a host:
+ ipa host-mod --os='Fedora 12' test.example.com
+
+ Remove SSH public keys of a host and update DNS to reflect this change:
+ ipa host-mod --sshpubkey= --updatedns test.example.com
+
+ Disable the host Kerberos key, SSL certificate and all of its services:
+ ipa host-disable test.example.com
+
+ Add a host that can manage this host's keytab and certificate:
+ ipa host-add-managedby --hosts=test2 test
+
+ Allow user to create a keytab:
+ ipa host-allow-create-keytab test2 --users=tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class host(Object):
+ takes_params = (
+ parameters.Str(
+ 'fqdn',
+ primary_key=True,
+ label=_(u'Host name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ ),
+ parameters.Str(
+ 'randompassword',
+ required=False,
+ label=_(u'Random password'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ label=_(u'Principal name'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Flag(
+ 'has_password',
+ label=_(u'Password'),
+ ),
+ parameters.Str(
+ 'memberof_hostgroup',
+ required=False,
+ label=_(u'Member of host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member of host-group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Keytab'),
+ ),
+ parameters.Str(
+ 'managedby_host',
+ label=_(u'Managed by'),
+ ),
+ parameters.Str(
+ 'managing_host',
+ label=_(u'Managing'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_user',
+ label=_(u'Users allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_group',
+ label=_(u'Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_host',
+ label=_(u'Hosts allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_hostgroup',
+ label=_(u'Host Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_user',
+ label=_(u'Users allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_group',
+ label=_(u'Groups allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_host',
+ label=_(u'Hosts allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_hostgroup',
+ label=_(u'Host Groups allowed to create keytab'),
+ ),
+ )
+
+
+@register()
+class host_add(Method):
+ __doc__ = _("Add a new host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force host name even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_reverse',
+ doc=_(u'skip reverse DNS detection'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ip_address',
+ required=False,
+ label=_(u'IP Address'),
+ doc=_(u'Add the host to DNS with this IP address'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_add_managedby(Method):
+ __doc__ = _("Add hosts that can manage this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class host_allow_create_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class host_allow_retrieve_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class host_del(Method):
+ __doc__ = _("Delete a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ multivalue=True,
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'updatedns',
+ required=False,
+ doc=_(u'Remove entries from DNS'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class host_disable(Method):
+ __doc__ = _("Disable the Kerberos key, SSL certificate and all services of a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_disallow_create_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_disallow_retrieve_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_find(Method):
+ __doc__ = _("Search for hosts.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'fqdn',
+ required=False,
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("hostname")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for hosts with these member of host groups.'),
+ ),
+ parameters.Str(
+ 'not_in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for hosts without these member of host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for hosts with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for hosts without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for hosts with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for hosts without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for hosts with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for hosts without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for hosts with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for hosts without these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'enroll_by_user',
+ required=False,
+ multivalue=True,
+ cli_name='enroll_by_users',
+ label=_(u'user'),
+ doc=_(u'Search for hosts with these enrolled by users.'),
+ ),
+ parameters.Str(
+ 'not_enroll_by_user',
+ required=False,
+ multivalue=True,
+ cli_name='not_enroll_by_users',
+ label=_(u'user'),
+ doc=_(u'Search for hosts without these enrolled by users.'),
+ ),
+ parameters.Str(
+ 'man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts with these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts without these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'man_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts with these managing hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts without these managing hosts.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class host_mod(Method):
+ __doc__ = _("Modify information about a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principalname',
+ label=_(u'Principal name'),
+ doc=_(u'Kerberos principal name for this host'),
+ ),
+ parameters.Flag(
+ 'updatedns',
+ required=False,
+ doc=_(u'Update DNS entries'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_remove_managedby(Method):
+ __doc__ = _("Remove hosts that can manage this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_show(Method):
+ __doc__ = _("Display information about a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/hostgroup.py b/ipaclient/remote_plugins/2_114/hostgroup.py
new file mode 100644
index 000000000..3b39849f9
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/hostgroup.py
@@ -0,0 +1,709 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of hosts.
+
+Manage groups of hosts. This is useful for applying access control to a
+number of hosts by using Host-based Access Control.
+
+EXAMPLES:
+
+ Add a new host group:
+ ipa hostgroup-add --desc="Baltimore hosts" baltimore
+
+ Add another new host group:
+ ipa hostgroup-add --desc="Maryland hosts" maryland
+
+ Add members to the hostgroup (using Bash brace expansion):
+ ipa hostgroup-add-member --hosts={box1,box2,box3} baltimore
+
+ Add a hostgroup as a member of another hostgroup:
+ ipa hostgroup-add-member --hostgroups=baltimore maryland
+
+ Remove a host from the hostgroup:
+ ipa hostgroup-remove-member --hosts=box2 baltimore
+
+ Display a host group:
+ ipa hostgroup-show baltimore
+
+ Delete a hostgroup:
+ ipa hostgroup-del baltimore
+""")
+
+register = Registry()
+
+
+@register()
+class hostgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'member_host',
+ required=False,
+ label=_(u'Member hosts'),
+ ),
+ parameters.Str(
+ 'member_hostgroup',
+ required=False,
+ label=_(u'Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_hostgroup',
+ required=False,
+ label=_(u'Member of host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberindirect_host',
+ required=False,
+ label=_(u'Indirect Member hosts'),
+ ),
+ parameters.Str(
+ 'memberindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member of host-group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ )
+
+
+@register()
+class hostgroup_add(Method):
+ __doc__ = _("Add a new hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_add_member(Method):
+ __doc__ = _("Add members to a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hostgroup_del(Method):
+ __doc__ = _("Delete a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hostgroup_find(Method):
+ __doc__ = _("Search for hostgroups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'host'),
+ doc=_(u'Search for host groups with these member hosts.'),
+ ),
+ parameters.Str(
+ 'no_host',
+ required=False,
+ multivalue=True,
+ cli_name='no_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for host groups without these member hosts.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups with these member host groups.'),
+ ),
+ parameters.Str(
+ 'no_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups without these member host groups.'),
+ ),
+ parameters.Str(
+ 'in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups with these member of host groups.'),
+ ),
+ parameters.Str(
+ 'not_in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups without these member of host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for host groups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for host groups without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for host groups with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for host groups without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for host groups with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for host groups without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hostgroup_mod(Method):
+ __doc__ = _("Modify a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_remove_member(Method):
+ __doc__ = _("Remove members from a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hostgroup_show(Method):
+ __doc__ = _("Display information about a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/idrange.py b/ipaclient/remote_plugins/2_114/idrange.py
new file mode 100644
index 000000000..2de06871b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/idrange.py
@@ -0,0 +1,620 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+ID ranges
+
+Manage ID ranges used to map Posix IDs to SIDs and back.
+
+There are two type of ID ranges which are both handled by this utility:
+
+ - the ID ranges of the local domain
+ - the ID ranges of trusted remote domains
+
+Both types have the following attributes in common:
+
+ - base-id: the first ID of the Posix ID range
+ - range-size: the size of the range
+
+With those two attributes a range object can reserve the Posix IDs starting
+with base-id up to but not including base-id+range-size exclusively.
+
+Additionally an ID range of the local domain may set
+ - rid-base: the first RID(*) of the corresponding RID range
+ - secondary-rid-base: first RID of the secondary RID range
+
+and an ID range of a trusted domain must set
+ - rid-base: the first RID of the corresponding RID range
+ - sid: domain SID of the trusted domain
+
+
+
+EXAMPLE: Add a new ID range for a trusted domain
+
+Since there might be more than one trusted domain the domain SID must be given
+while creating the ID range.
+
+ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 \
+ --dom-sid=S-1-5-21-123-456-789 trusted_dom_range
+
+This ID range is then used by the IPA server and the SSSD IPA provider to
+assign Posix UIDs to users from the trusted domain.
+
+If e.g a range for a trusted domain is configured with the following values:
+ base-id = 1200000
+ range-size = 200000
+ rid-base = 0
+the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 13999999. So
+RID 1000 <-> Posix ID 1201000
+
+
+
+EXAMPLE: Add a new ID range for the local domain
+
+To create an ID range for the local domain it is not necessary to specify a
+domain SID. But since it is possible that a user and a group can have the same
+value as Posix ID a second RID interval is needed to handle conflicts.
+
+ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000 \
+ --secondary-rid-base=1000000 local_range
+
+The data from the ID ranges of the local domain are used by the IPA server
+internally to assign SIDs to IPA users and groups. The SID will then be stored
+in the user or group objects.
+
+If e.g. the ID range for the local domain is configured with the values from
+the example above then a new user with the UID 1200007 will get the RID 1007.
+If this RID is already used by a group the RID will be 1000007. This can only
+happen if a user or a group object was created with a fixed ID because the
+automatic assignment will not assign the same ID twice. Since there are only
+users and groups sharing the same ID namespace it is sufficient to have only
+one fallback range to handle conflicts.
+
+To find the Posix ID for a given RID from the local domain it has to be
+checked first if the RID falls in the primary or secondary RID range and
+the rid-base or the secondary-rid-base has to be subtracted, respectively,
+and the base-id has to be added to get the Posix ID.
+
+Typically the creation of ID ranges happens behind the scenes and this CLI
+must not be used at all. The ID range for the local domain will be created
+during installation or upgrade from an older version. The ID range for a
+trusted domain will be created together with the trust by 'ipa trust-add ...'.
+
+USE CASES:
+
+ Add an ID range from a transitively trusted domain
+
+ If the trusted domain (A) trusts another domain (B) as well and this trust
+ is transitive 'ipa trust-add domain-A' will only create a range for
+ domain A. The ID range for domain B must be added manually.
+
+ Add an additional ID range for the local domain
+
+ If the ID range of the local domain is exhausted, i.e. no new IDs can be
+ assigned to Posix users or groups by the DNA plugin, a new range has to be
+ created to allow new users and groups to be added. (Currently there is no
+ connection between this range CLI and the DNA plugin, but a future version
+ might be able to modify the configuration of the DNS plugin as well)
+
+In general it is not necessary to modify or delete ID ranges. If there is no
+other way to achieve a certain configuration than to modify or delete an ID
+range it should be done with great care. Because UIDs are stored in the file
+system and are used for access control it might be possible that users are
+allowed to access files of other users if an ID range got deleted and reused
+for a different domain.
+
+(*) The RID is typically the last integer of a user or group SID which follows
+the domain SID. E.g. if the domain SID is S-1-5-21-123-456-789 and a user from
+this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the
+user. RIDs are unique in a domain, 32bit values and are used for users and
+groups.
+
+WARNING:
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for
+the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+modified to match the new range.
+""")
+
+register = Registry()
+
+
+@register()
+class idrange(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Range name'),
+ ),
+ parameters.Int(
+ 'ipabaseid',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ label=_(u'Name of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ )
+
+
+@register()
+class idrange_add(Method):
+ __doc__ = _("""
+Add new ID range.
+
+ To add a new ID range you always have to specify
+
+ --base-id
+ --range-size
+
+ Additionally
+
+ --rid-base
+ --secondary-rid-base
+
+ may be given for a new ID range for the local domain while
+
+ --rid-base
+ --dom-sid
+
+ must be given to add a new range for a trusted AD domain.
+
+ WARNING:
+
+ DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+ local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+ on the local ranges set via this family of commands.
+
+ Manual configuration change has to be done in the DNA plugin configuration for
+ the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+ IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+ modified to match the new range.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'ipabaseid',
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ cli_name='dom_name',
+ label=_(u'Name of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']",
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_del(Method):
+ __doc__ = _("Delete an ID range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idrange_find(Method):
+ __doc__ = _("Search for ranges.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ parameters.Int(
+ 'ipabaseid',
+ required=False,
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ required=False,
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']",
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idrange_mod(Method):
+ __doc__ = _("Modify ID range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'ipabaseid',
+ required=False,
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ required=False,
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_show(Method):
+ __doc__ = _("Display information about a range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
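Review bot: The trusted-domain example in the module docstring gives the wrong upper bound: with base-id 1200000 and range-size 200000 the last Posix ID is 1399999, not `13999999`, so the line should read `the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 1399999. So`. The same docstring warns that a deleted and reused range can let users access other users' files, so an administrator sizing adjacent ranges from this help text needs the bound to be correct. In the USE CASES paragraph `configuration of the DNS plugin` should read `DNA plugin`, and in the RID footnote `1010 id the RID` should read `is the RID`. The one-line `__doc__` strings of `idrange_del` and `idrange_mod` carry none of that caveat; consider appending a sentence such as `Reusing a deleted range for another domain can expose files owned by the old IDs.` If this file is generated from the server-side plugin, the corrections presumably belong in that source text.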
diff --git a/ipaclient/remote_plugins/2_114/idviews.py b/ipaclient/remote_plugins/2_114/idviews.py
new file mode 100644
index 000000000..6bd422c97
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/idviews.py
@@ -0,0 +1,1411 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+ID Views
+Manage ID Views
+IPA allows to override certain properties of users and groups per each host.
+This functionality is primarily used to allow migration from older systems or
+other Identity Management solutions.
+""")
+
+register = Registry()
+
+
+@register()
+class idoverridegroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ primary_key=True,
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Group name'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ )
+
+
+@register()
+class idoverrideuser(Object):
+ takes_params = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ primary_key=True,
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ label=_(u'User login'),
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ )
+
+
+@register()
+class idview(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_add(Method):
+ __doc__ = _("Add a new Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_del(Method):
+ __doc__ = _("Delete an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ multivalue=True,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idoverridegroup_find(Method):
+ __doc__ = _("Search for an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ required=False,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("anchor")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_mod(Method):
+ __doc__ = _("Modify an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the Group ID override object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_show(Method):
+ __doc__ = _("Display information about an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_add(Method):
+ __doc__ = _("Add a new User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_del(Method):
+ __doc__ = _("Delete an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ multivalue=True,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idoverrideuser_find(Method):
+ __doc__ = _("Search for an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ required=False,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("anchor")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_mod(Method):
+ __doc__ = _("Modify an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the User ID override object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_show(Method):
+ __doc__ = _("Display information about an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_add(Method):
+ __doc__ = _("Add a new ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_apply(Method):
+ __doc__ = _("Applies ID View to specified hosts or current members of specified hostgroups. If any other ID View is applied to the host, it is overriden.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'hosts'),
+ doc=_(u'Hosts to apply the ID View to'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'hostgroups'),
+ doc=_(u'Hostgroups to whose hosts apply the ID View to. Please note that view is not applied automatically to any hosts added to the hostgroup after running the idview-apply command.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'succeeded',
+ dict,
+ doc=_(u'Hosts that this ID View was applied to.'),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Hosts or hostgroups that this ID View could not be applied to.'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of hosts the ID View was applied to:'),
+ ),
+ )
+
+
+@register()
+class idview_del(Method):
+ __doc__ = _("Delete an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idview_find(Method):
+ __doc__ = _("Search for an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idview_mod(Method):
+ __doc__ = _("Modify an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the ID View object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_show(Method):
+ __doc__ = _("Display information about an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'show_hosts',
+ required=False,
+ doc=_(u'Enumerate all the hosts the view applies to.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_unapply(Method):
+ __doc__ = _("Clears ID View from specified hosts or current members of specified hostgroups.")
+
+ takes_options = (
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'hosts'),
+ doc=_(u'Hosts to clear (any) ID View from.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'hostgroups'),
+ doc=_(u'Hostgroups whose hosts should have ID Views cleared. Note that view is not cleared automatically from any host added to the hostgroup after running idview-unapply command.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'succeeded',
+ dict,
+ doc=_(u'Hosts that ID View was cleared from.'),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Hosts or hostgroups that ID View could not be cleared from.'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of hosts that had a ID View was unset:'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/internal.py b/ipaclient/remote_plugins/2_114/internal.py
new file mode 100644
index 000000000..7fec8d26f
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/internal.py
@@ -0,0 +1,92 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugins not accessible directly through the CLI, commands used internally
+""")
+
+register = Registry()
+
+
+@register()
+class i18n_messages(Command):
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'texts',
+ dict,
+ doc=_(u'Dict of I18N messages'),
+ ),
+ )
+
+
+@register()
+class json_metadata(Command):
+ __doc__ = _("Export plugin meta-data for the webUI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'objname',
+ required=False,
+ doc=_(u'Name of object to export'),
+ ),
+ parameters.Str(
+ 'methodname',
+ required=False,
+ doc=_(u'Name of method to export'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'object',
+ required=False,
+ doc=_(u'Name of object to export'),
+ ),
+ parameters.Str(
+ 'method',
+ required=False,
+ doc=_(u'Name of method to export'),
+ ),
+ parameters.Str(
+ 'command',
+ required=False,
+ doc=_(u'Name of command to export'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'objects',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Objects'),
+ ),
+ output.Output(
+ 'methods',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Methods'),
+ ),
+ output.Output(
+ 'commands',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Commands'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/join.py b/ipaclient/remote_plugins/2_114/join.py
new file mode 100644
index 000000000..dc0904dc4
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/join.py
@@ -0,0 +1,64 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Joining an IPA domain
+""")
+
+register = Registry()
+
+
+@register()
+class join(Command):
+ __doc__ = _("Join an IPA domain")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostname',
+ doc=_(u'The hostname to register as'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: unicode(installutils.get_fqdn())
+ autofill=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'realm',
+ doc=_(u'The IPA realm'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: get_realm()
+ autofill=True,
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ doc=_(u'Hardware platform of the host (e.g. Lenovo T61)'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ doc=_(u'Operating System and version of the host (e.g. Fedora 9)'),
+ ),
+ )
+ has_output = (
+ )
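Review bot: Both `default_from=DefaultFrom(lambda : None)` stubs in `join` (on `cn` and on `realm`) keep `autofill=True` but can never produce a value. The hostname and realm a machine enrolls under therefore come only from what the caller passes or, presumably, from the server. The commented-out `# FIXME:` lines name the intended sources (`installutils.get_fqdn()` and `get_realm()`), but nothing says what a reader should expect until they are restored. Since this is the enrollment path, I would spell out the contract beside each stub, e.g. `# no client-side default: caller must pass this or the server fills it in`. If this file is produced by a generator, the comment belongs in the generator's template.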
diff --git a/ipaclient/remote_plugins/2_114/krbtpolicy.py b/ipaclient/remote_plugins/2_114/krbtpolicy.py
new file mode 100644
index 000000000..42a4b2bc7
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/krbtpolicy.py
@@ -0,0 +1,266 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Kerberos ticket policy
+
+There is a single Kerberos ticket policy. This policy defines the
+maximum ticket lifetime and the maximum renewal age, the period during
+which the ticket is renewable.
+
+You can also create a per-user ticket policy by specifying the user login.
+
+For changes to the global policy to take effect, restarting the KDC service
+is required, which can be achieved using:
+
+service krb5kdc restart
+
+Changes to per-user policies take effect immediately for newly requested
+tickets (e.g. when the user next runs kinit).
+
+EXAMPLES:
+
+ Display the current Kerberos ticket policy:
+ ipa krbtpolicy-show
+
+ Reset the policy to the default:
+ ipa krbtpolicy-reset
+
+ Modify the policy to 8 hours max life, 1-day max renewal:
+ ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400
+
+ Display effective Kerberos ticket policy for user 'admin':
+ ipa krbtpolicy-show admin
+
+ Reset per-user policy for user 'admin':
+ ipa krbtpolicy-reset admin
+
+ Modify per-user policy for user 'admin':
+ ipa krbtpolicy-mod admin --maxlife=3600
+""")
+
+register = Registry()
+
+
+@register()
+class krbtpolicy(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ primary_key=True,
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ parameters.Int(
+ 'krbmaxticketlife',
+ required=False,
+ label=_(u'Max life'),
+ doc=_(u'Maximum ticket life (seconds)'),
+ ),
+ parameters.Int(
+ 'krbmaxrenewableage',
+ required=False,
+ label=_(u'Max renew'),
+ doc=_(u'Maximum renewable age (seconds)'),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_mod(Method):
+ __doc__ = _("Modify Kerberos ticket policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxticketlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max life'),
+ doc=_(u'Maximum ticket life (seconds)'),
+ ),
+ parameters.Int(
+ 'krbmaxrenewableage',
+ required=False,
+ cli_name='maxrenew',
+ label=_(u'Max renew'),
+ doc=_(u'Maximum renewable age (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_reset(Method):
+ __doc__ = _("Reset Kerberos ticket policy to the default values.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_show(Method):
+ __doc__ = _("Display the current Kerberos ticket policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
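Review bot: `krbmaxticketlife` and `krbmaxrenewableage` are declared as bare `parameters.Int` with no bounds, both in `krbtpolicy` and in `krbtpolicy_mod`. A zero or negative ticket lifetime would therefore pass client-side validation and be rejected only if the server checks it. If the server-side definition has a lower bound, mirroring it here with `minvalue=1,` keeps client validation consistent with what the KDC policy will accept. If this stub is generated from the API schema, the bound should be carried over by the generator rather than edited in by hand.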
diff --git a/ipaclient/remote_plugins/2_114/migration.py b/ipaclient/remote_plugins/2_114/migration.py
new file mode 100644
index 000000000..06c03465f
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/migration.py
@@ -0,0 +1,302 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Migration to IPA
+
+Migrate users and groups from an LDAP server to IPA.
+
+This performs an LDAP query against the remote server searching for
+users and groups in a container. In order to migrate passwords you need
+to bind as a user that can read the userPassword attribute on the remote
+server. This is generally restricted to high-level admins such as
+cn=Directory Manager in 389-ds (this is the default bind user).
+
+The default user container is ou=People.
+
+The default group container is ou=Groups.
+
+Users and groups that already exist on the IPA server are skipped.
+
+Two LDAP schemas define how group members are stored: RFC2307 and
+RFC2307bis. RFC2307bis uses member and uniquemember to specify group
+members, RFC2307 uses memberUid. The default schema is RFC2307bis.
+
+The schema compat feature allows IPA to reformat data for systems that
+do not support RFC2307bis. It is recommended that this feature is disabled
+during migration to reduce system overhead. It can be re-enabled after
+migration. To migrate with it enabled use the "--with-compat" option.
+
+Migrated users do not have Kerberos credentials, they have only their
+LDAP password. To complete the migration process, users need to go
+to http://ipa.example.com/ipa/migration and authenticate using their
+LDAP password in order to generate their Kerberos credentials.
+
+Migration is disabled by default. Use the command ipa config-mod to
+enable it:
+
+ ipa config-mod --enable-migration=TRUE
+
+If a base DN is not provided with --basedn then IPA will use either
+the value of defaultNamingContext if it is set or the first value
+in namingContexts set in the root of the remote LDAP server.
+
+Users are added as members to the default user group. This can be a
+time-intensive task so during migration this is done in a batch
+mode for every 100 users. As a result there will be a window in which
+users will be added to IPA but will not be members of the default
+user group.
+
+EXAMPLES:
+
+ The simplest migration, accepting all defaults:
+ ipa migrate-ds ldap://ds.example.com:389
+
+ Specify the user and group container. This can be used to migrate user
+ and group data from an IPA v1 server:
+ ipa migrate-ds --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ ldap://ds.example.com:389
+
+ Since IPA v2 server already contain predefined groups that may collide with
+ groups in migrated (IPA v1) server (for example admins, ipausers), users
+ having colliding group as their primary group may happen to belong to
+ an unknown group on new IPA v2 server.
+ Use --group-overwrite-gid option to overwrite GID of already existing groups
+ to prevent this issue:
+ ipa migrate-ds --group-overwrite-gid \
+ --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ ldap://ds.example.com:389
+
+ Migrated users or groups may have object class and accompanied attributes
+ unknown to the IPA v2 server. These object classes and attributes may be
+ left out of the migration process:
+ ipa migrate-ds --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ --user-ignore-objectclass=radiusprofile \
+ --user-ignore-attribute=radiusgroupname \
+ ldap://ds.example.com:389
+
+LOGGING
+
+Migration will log warnings and errors to the Apache error log. This
+file should be evaluated post-migration to correct or investigate any
+issues that were discovered.
+
+For every 100 users migrated an info-level message will be displayed to
+give the current progress and duration to make it possible to track
+the progress of migration.
+
+If the log level is debug, either by setting debug = True in
+/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed
+for each user added plus a summary when the default user group is
+updated.
+""")
+
+register = Registry()
+
+
+@register()
+class migrate_ds(Command):
+ __doc__ = _("Migrate users and groups from DS to IPA.")
+
+ takes_args = (
+ parameters.Str(
+ 'ldapuri',
+ cli_name='ldap_uri',
+ label=_(u'LDAP URI'),
+ doc=_(u'LDAP URI of DS server to migrate from'),
+ ),
+ parameters.Password(
+ 'bindpw',
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'bind password'),
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'binddn',
+ required=False,
+ cli_name='bind_dn',
+ label=_(u'Bind DN'),
+ default=DN(u'cn=directory manager'),
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'usercontainer',
+ cli_name='user_container',
+ label=_(u'User container'),
+ doc=_(u'DN of container for users in DS relative to base DN'),
+ default=DN(u'ou=people'),
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'groupcontainer',
+ cli_name='group_container',
+ label=_(u'Group container'),
+ doc=_(u'DN of container for groups in DS relative to base DN'),
+ default=DN(u'ou=groups'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userobjectclass',
+ multivalue=True,
+ cli_name='user_objectclass',
+ label=_(u'User object class'),
+ doc=_(u'Objectclasses used to search for user entries in DS'),
+ default=(u'person',),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupobjectclass',
+ multivalue=True,
+ cli_name='group_objectclass',
+ label=_(u'Group object class'),
+ doc=_(u'Objectclasses used to search for group entries in DS'),
+ default=(u'groupOfUniqueNames', u'groupOfNames'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userignoreobjectclass',
+ required=False,
+ multivalue=True,
+ cli_name='user_ignore_objectclass',
+ label=_(u'Ignore user object class'),
+ doc=_(u'Objectclasses to be ignored for user entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userignoreattribute',
+ required=False,
+ multivalue=True,
+ cli_name='user_ignore_attribute',
+ label=_(u'Ignore user attribute'),
+ doc=_(u'Attributes to be ignored for user entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupignoreobjectclass',
+ required=False,
+ multivalue=True,
+ cli_name='group_ignore_objectclass',
+ label=_(u'Ignore group object class'),
+ doc=_(u'Objectclasses to be ignored for group entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupignoreattribute',
+ required=False,
+ multivalue=True,
+ cli_name='group_ignore_attribute',
+ label=_(u'Ignore group attribute'),
+ doc=_(u'Attributes to be ignored for group entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'groupoverwritegid',
+ cli_name='group_overwrite_gid',
+ label=_(u'Overwrite GID'),
+ doc=_(u'When migrating a group already existing in IPA domain overwrite the group GID and report as success'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'schema',
+ required=False,
+ cli_metavar="['RFC2307bis', 'RFC2307']",
+ label=_(u'LDAP schema'),
+ doc=_(u'The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'),
+ default=u'RFC2307bis',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'continue',
+ required=False,
+ label=_(u'Continue'),
+ doc=_(u'Continuous operation mode. Errors are reported but the process continues'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'basedn',
+ required=False,
+ cli_name='base_dn',
+ label=_(u'Base DN'),
+ doc=_(u'Base DN on remote LDAP server'),
+ ),
+ parameters.Flag(
+ 'compat',
+ required=False,
+ cli_name='with_compat',
+ label=_(u'Ignore compat plugin'),
+ doc=_(u'Allows migration despite the usage of compat plugin'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'cacertfile',
+ required=False,
+ cli_name='ca_cert_file',
+ label=_(u'CA certificate'),
+ doc=_(u'Load CA certificate of LDAP server from FILE'),
+ ),
+ parameters.Str(
+ 'exclude_groups',
+ required=False,
+ multivalue=True,
+ doc=_(u'groups to exclude from migration'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'exclude_users',
+ required=False,
+ multivalue=True,
+ doc=_(u'users to exclude from migration'),
+ default=(),
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Lists of objects migrated; categorized by type.'),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Lists of objects that could not be migrated; categorized by type.'),
+ ),
+ output.Output(
+ 'enabled',
+ bool,
+ doc=_(u'False if migration mode was disabled.'),
+ ),
+ output.Output(
+ 'compat',
+ bool,
+ doc=_(u'False if migration fails because the compatibility plug-in is enabled.'),
+ ),
+ )
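Review bot: Every example in the module docstring points `migrate-ds` at `ldap://ds.example.com:389`, while the same text says the bind is normally `cn=Directory Manager` and that the query reads `userPassword`. Anyone copying the examples sends the bind password and the migrated password values over a connection that nothing in this file shows to be encrypted. I would add an example that uses the existing `cacertfile` option, e.g. `ipa migrate-ds --ca-cert-file=FILE ldaps://ds.example.com:636` (sample host and port), and say in the `cacertfile` doc that it is what allows the server certificate to be verified. The post-migration link `http://ipa.example.com/ipa/migration` asks users to type their LDAP password and should read `https://`. If this module is generated from the server API, which the identical headers across these files suggest, the wording needs changing in the server-side plugin instead.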
diff --git a/ipaclient/remote_plugins/2_114/misc.py b/ipaclient/remote_plugins/2_114/misc.py
new file mode 100644
index 000000000..4889e666b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/misc.py
@@ -0,0 +1,113 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Misc plug-ins
+""")
+
+register = Registry()
+
+
+@register()
+class env(Command):
+ __doc__ = _("Show environment variables.")
+
+ takes_args = (
+ parameters.Str(
+ 'variables',
+ required=False,
+ multivalue=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'server',
+ required=False,
+ doc=_(u'Forward to server instead of running locally'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=True,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ output.Output(
+ 'total',
+ int,
+ doc=_(u'Total number of variables env (>= count)'),
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of variables returned (<= total)'),
+ ),
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
+
+
+@register()
+class plugins(Command):
+ __doc__ = _("Show all loaded plugins.")
+
+ takes_options = (
+ parameters.Flag(
+ 'server',
+ required=False,
+ doc=_(u'Forward to server instead of running locally'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=True,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping plugin names to bases'),
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of plugins loaded'),
+ ),
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
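Review bot: The `variables` argument of `env` is declared with only `required=False` and `multivalue=True`, so it carries no label or doc. In both `env` and `plugins` the `all` flag defaults to `True`, whereas the other commands visible in this diff default it to `False`. A short doc such as `doc=_(u'Names of the variables to show')` would help (wording to be confirmed against the server-side plugin), as would a comment on why `all` is on by default, since with `server` set the command presumably returns the server's configuration values rather than the local ones. The `total` doc, `Total number of variables env (>= count)`, also reads as if a word is missing.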
diff --git a/ipaclient/remote_plugins/2_114/netgroup.py b/ipaclient/remote_plugins/2_114/netgroup.py
new file mode 100644
index 000000000..c6aada019
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/netgroup.py
@@ -0,0 +1,865 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Netgroups
+
+A netgroup is a group used for permission checking. It can contain both
+user and host values.
+
+EXAMPLES:
+
+ Add a new netgroup:
+ ipa netgroup-add --desc="NFS admins" admins
+
+ Add members to the netgroup:
+ ipa netgroup-add-member --users=tuser1 --users=tuser2 admins
+
+ Remove a member from the netgroup:
+ ipa netgroup-remove-member --users=tuser2 admins
+
+ Display information about a netgroup:
+ ipa netgroup-show admins
+
+ Delete a netgroup:
+ ipa netgroup-del admins
+""")
+
+register = Registry()
+
+
+@register()
+class netgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Netgroup name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'ipauniqueid',
+ required=False,
+ label=_(u'IPA unique ID'),
+ doc=_(u'IPA unique ID'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ parameters.Str(
+ 'member_netgroup',
+ required=False,
+ label=_(u'Member netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member netgroups'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Member User'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'Member Group'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Member Host'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Member Hostgroup'),
+ ),
+ )
+
+
+@register()
+class netgroup_add(Method):
+ __doc__ = _("Add a new netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class netgroup_add_member(Method):
+ __doc__ = _("Add members to a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'member netgroup'),
+ doc=_(u'netgroups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class netgroup_del(Method):
+ __doc__ = _("Delete a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class netgroup_find(Method):
+ __doc__ = _("Search for a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'ipauniqueid',
+ required=False,
+ cli_name='uuid',
+ label=_(u'IPA unique ID'),
+ doc=_(u'IPA unique ID'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'private',
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'managed',
+ doc=_(u'search for managed groups'),
+ default=False,
+ default_from=DefaultFrom(lambda private: private),
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups with these member netgroups.'),
+ ),
+ parameters.Str(
+ 'no_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups without these member netgroups.'),
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'user'),
+ doc=_(u'Search for netgroups with these member users.'),
+ ),
+ parameters.Str(
+ 'no_user',
+ required=False,
+ multivalue=True,
+ cli_name='no_users',
+ label=_(u'user'),
+ doc=_(u'Search for netgroups without these member users.'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'group'),
+ doc=_(u'Search for netgroups with these member groups.'),
+ ),
+ parameters.Str(
+ 'no_group',
+ required=False,
+ multivalue=True,
+ cli_name='no_groups',
+ label=_(u'group'),
+ doc=_(u'Search for netgroups without these member groups.'),
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'host'),
+ doc=_(u'Search for netgroups with these member hosts.'),
+ ),
+ parameters.Str(
+ 'no_host',
+ required=False,
+ multivalue=True,
+ cli_name='no_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for netgroups without these member hosts.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for netgroups with these member host groups.'),
+ ),
+ parameters.Str(
+ 'no_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for netgroups without these member host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups without these member of netgroups.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class netgroup_mod(Method):
+ __doc__ = _("Modify a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class netgroup_remove_member(Method):
+ __doc__ = _("Remove members from a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'member netgroup'),
+ doc=_(u'netgroups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class netgroup_show(Method):
+ __doc__ = _("Display information about a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
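Review bot: `usercategory` and `hostcategory` in `netgroup_add`, `netgroup_mod` and `netgroup_find` are free-form `parameters.Str` whose only hint at the allowed value is `cli_metavar="['all']"`, so nothing in this client-side definition rejects any other string. The value `all` widens a netgroup to every user or host, so it is worth stating where the check happens, for example `# allowed values are enforced by the server; cli_metavar is display-only`, assuming the server-side plugin does enforce them. The `schema` option of `migrate_ds` in migration.py follows the same pattern with `cli_metavar="['RFC2307bis', 'RFC2307']"`. Separately, in `netgroup_find` the `private` flag has no doc, and `managed` takes its default from it while its doc says 'search for managed groups', which looks carried over from the group plugin.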
diff --git a/ipaclient/remote_plugins/2_114/otpconfig.py b/ipaclient/remote_plugins/2_114/otpconfig.py
new file mode 100644
index 000000000..1aceb903e
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/otpconfig.py
@@ -0,0 +1,206 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+OTP configuration
+
+Manage the default values that IPA uses for OTP tokens.
+
+EXAMPLES:
+
+ Show basic OTP configuration:
+ ipa otpconfig-show
+
+ Show all OTP configuration options:
+ ipa otpconfig-show --all
+
+ Change maximum TOTP authentication window to 10 minutes:
+ ipa otpconfig-mod --totp-auth-window=600
+
+ Change maximum TOTP synchronization window to 12 hours:
+ ipa otpconfig-mod --totp-sync-window=43200
+
+ Change maximum HOTP authentication window to 5:
+ ipa hotpconfig-mod --hotp-auth-window=5
+
+ Change maximum HOTP synchronization window to 50:
+ ipa hotpconfig-mod --hotp-sync-window=50
+""")
+
+register = Registry()
+
+
+@register()
+class otpconfig(Object):
+ takes_params = (
+ parameters.Int(
+ 'ipatokentotpauthwindow',
+ label=_(u'TOTP authentication Window'),
+ doc=_(u'TOTP authentication time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokentotpsyncwindow',
+ label=_(u'TOTP Synchronization Window'),
+ doc=_(u'TOTP synchronization time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpauthwindow',
+ label=_(u'HOTP Authentication Window'),
+ doc=_(u'HOTP authentication skip-ahead'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpsyncwindow',
+ label=_(u'HOTP Synchronization Window'),
+ doc=_(u'HOTP synchronization skip-ahead'),
+ ),
+ )
+
+
+@register()
+class otpconfig_mod(Method):
+ __doc__ = _("Modify OTP configuration options.")
+
+ takes_options = (
+ parameters.Int(
+ 'ipatokentotpauthwindow',
+ required=False,
+ cli_name='totp_auth_window',
+ label=_(u'TOTP authentication Window'),
+ doc=_(u'TOTP authentication time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokentotpsyncwindow',
+ required=False,
+ cli_name='totp_sync_window',
+ label=_(u'TOTP Synchronization Window'),
+ doc=_(u'TOTP synchronization time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpauthwindow',
+ required=False,
+ cli_name='hotp_auth_window',
+ label=_(u'HOTP Authentication Window'),
+ doc=_(u'HOTP authentication skip-ahead'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpsyncwindow',
+ required=False,
+ cli_name='hotp_sync_window',
+ label=_(u'HOTP Synchronization Window'),
+ doc=_(u'HOTP synchronization skip-ahead'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class otpconfig_show(Method):
+ __doc__ = _("Show the current OTP configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
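Review bot: The last two examples in the module `__doc__` invoke `ipa hotpconfig-mod`, but the only modify command this file registers is `otpconfig_mod`, which is also where the `hotp_auth_window` and `hotp_sync_window` options are declared. The examples should read `ipa otpconfig-mod --hotp-auth-window=5` and `ipa otpconfig-mod --hotp-sync-window=50`. Separately, none of the four window `parameters.Int` definitions carries a bound in this file, so nothing visible here limits how wide an authentication or synchronization window can be set, and a wider window means more codes are accepted per login. If the range is enforced elsewhere, a short comment such as `# range is validated server-side` would make that explicit.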
diff --git a/ipaclient/remote_plugins/2_114/otptoken.py b/ipaclient/remote_plugins/2_114/otptoken.py
new file mode 100644
index 000000000..632c97ea2
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/otptoken.py
@@ -0,0 +1,893 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+OTP Tokens
+
+Manage OTP tokens.
+
+IPA supports the use of OTP tokens for multi-factor authentication. This
+code enables the management of OTP tokens.
+
+EXAMPLES:
+
+ Add a new token:
+ ipa otptoken-add --type=totp --owner=jdoe --desc="My soft token"
+
+ Examine the token:
+ ipa otptoken-show a93db710-a31a-4639-8647-f15b2c70b78a
+
+ Change the vendor:
+ ipa otptoken-mod a93db710-a31a-4639-8647-f15b2c70b78a --vendor="Red Hat"
+
+ Delete a token:
+ ipa otptoken-del a93db710-a31a-4639-8647-f15b2c70b78a
+""")
+
+register = Registry()
+
+
+@register()
+class otptoken(Object):
+ takes_params = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ primary_key=True,
+ label=_(u'Unique ID'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of the token'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Str(
+ 'managedby_user',
+ required=False,
+ label=_(u'Manager'),
+ doc=_(u'Assigned manager of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Bytes(
+ 'ipatokenotpkey',
+ required=False,
+ label=_(u'Key'),
+ doc=_(u'Token secret (Base32; default: random)'),
+ ),
+ parameters.Str(
+ 'ipatokenotpalgorithm',
+ required=False,
+ label=_(u'Algorithm'),
+ doc=_(u'Token hash algorithm'),
+ ),
+ parameters.Int(
+ 'ipatokenotpdigits',
+ required=False,
+ label=_(u'Digits'),
+ doc=_(u'Number of digits each token code will have'),
+ ),
+ parameters.Int(
+ 'ipatokentotpclockoffset',
+ required=False,
+ label=_(u'Clock offset'),
+ doc=_(u'TOTP token / FreeIPA server time difference'),
+ ),
+ parameters.Int(
+ 'ipatokentotptimestep',
+ required=False,
+ label=_(u'Clock interval'),
+ doc=_(u'Length of TOTP token code validity'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpcounter',
+ required=False,
+ label=_(u'Counter'),
+ doc=_(u'Initial counter for the HOTP token'),
+ ),
+ )
+
+
+@register()
+class otptoken_add(Method):
+ __doc__ = _("Add a new OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ required=False,
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']",
+ label=_(u'Type'),
+ doc=_(u'Type of the token'),
+ default=u'totp',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ cli_name='owner',
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ cli_name='disabled',
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ cli_name='not_before',
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ cli_name='not_after',
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ cli_name='vendor',
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ cli_name='model',
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Bytes(
+ 'ipatokenotpkey',
+ required=False,
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Token secret (Base32; default: random)'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: os.urandom(KEY_LENGTH)
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ipatokenotpalgorithm',
+ required=False,
+ cli_name='algo',
+ cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']",
+ label=_(u'Algorithm'),
+ doc=_(u'Token hash algorithm'),
+ default=u'sha1',
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokenotpdigits',
+ required=False,
+ cli_name='digits',
+ cli_metavar="['6', '8']",
+ label=_(u'Digits'),
+ doc=_(u'Number of digits each token code will have'),
+ default=6,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokentotpclockoffset',
+ required=False,
+ cli_name='offset',
+ label=_(u'Clock offset'),
+ doc=_(u'TOTP token / FreeIPA server time difference'),
+ default=0,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokentotptimestep',
+ required=False,
+ cli_name='interval',
+ label=_(u'Clock interval'),
+ doc=_(u'Length of TOTP token code validity'),
+ default=30,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokenhotpcounter',
+ required=False,
+ cli_name='counter',
+ label=_(u'Counter'),
+ doc=_(u'Initial counter for the HOTP token'),
+ default=0,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'qrcode',
+ required=False,
+ label=_(u'(deprecated)'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_qrcode',
+ label=_(u'Do not display QR code'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class otptoken_add_managedby(Method):
+ __doc__ = _("Add users that can manage this token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class otptoken_del(Method):
+ __doc__ = _("Delete an OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ multivalue=True,
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class otptoken_find(Method):
+ __doc__ = _("Search for OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ required=False,
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']",
+ label=_(u'Type'),
+ doc=_(u'Type of the token'),
+ default=u'totp',
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ cli_name='owner',
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ cli_name='disabled',
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ cli_name='not_before',
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ cli_name='not_after',
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ cli_name='vendor',
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ cli_name='model',
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenotpalgorithm',
+ required=False,
+ cli_name='algo',
+ cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']",
+ label=_(u'Algorithm'),
+ doc=_(u'Token hash algorithm'),
+ default=u'sha1',
+ ),
+ parameters.Int(
+ 'ipatokenotpdigits',
+ required=False,
+ cli_name='digits',
+ cli_metavar="['6', '8']",
+ label=_(u'Digits'),
+ doc=_(u'Number of digits each token code will have'),
+ default=6,
+ ),
+ parameters.Int(
+ 'ipatokentotpclockoffset',
+ required=False,
+ cli_name='offset',
+ label=_(u'Clock offset'),
+ doc=_(u'TOTP token / FreeIPA server time difference'),
+ default=0,
+ ),
+ parameters.Int(
+ 'ipatokentotptimestep',
+ required=False,
+ cli_name='interval',
+ label=_(u'Clock interval'),
+ doc=_(u'Length of TOTP token code validity'),
+ default=30,
+ ),
+ parameters.Int(
+ 'ipatokenhotpcounter',
+ required=False,
+ cli_name='counter',
+ label=_(u'Counter'),
+ doc=_(u'Initial counter for the HOTP token'),
+ default=0,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("id")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class otptoken_mod(Method):
+ __doc__ = _("Modify a OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ cli_name='owner',
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ cli_name='disabled',
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ cli_name='not_before',
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ cli_name='not_after',
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ cli_name='vendor',
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ cli_name='model',
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the OTP token object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class otptoken_remove_managedby(Method):
+ __doc__ = _("Remove hosts that can manage this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class otptoken_show(Method):
+ __doc__ = _("Display information about an OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
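Review bot: In `otptoken_add`, `ipatokenotpkey` is declared with `default_from=DefaultFrom(lambda : None)` and `autofill=True`, while its doc string still promises `default: random`. The only trace of the intended generator is the commented-out `os.urandom(KEY_LENGTH)` under a bare `# FIXME:`. As written, this definition never produces a secret, so the key presumably has to be generated on the server; say so next to the stub, e.g. `# client stub: no key is generated here; the random secret must be created server-side`, so that a None key is never treated as acceptable. Also, `otptoken_remove_managedby.__doc__` reads "Remove hosts that can manage this host."; to match `otptoken_add_managedby` it should be `__doc__ = _("Remove users that can manage this token.")`.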
diff --git a/ipaclient/remote_plugins/2_114/otptoken_yubikey.py b/ipaclient/remote_plugins/2_114/otptoken_yubikey.py
new file mode 100644
index 000000000..61fe1b484
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/otptoken_yubikey.py
@@ -0,0 +1,33 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+YubiKey Tokens
+
+Manage YubiKey tokens.
+
+This code is an extension to the otptoken plugin and provides support for
+reading/writing YubiKey tokens directly.
+
+EXAMPLES:
+
+ Add a new token:
+ ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey"
+""")
+
+register = Registry()
diff --git a/ipaclient/remote_plugins/2_114/passwd.py b/ipaclient/remote_plugins/2_114/passwd.py
new file mode 100644
index 000000000..66ec54b5c
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/passwd.py
@@ -0,0 +1,93 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Set a user's password
+
+If someone other than a user changes that user's password (e.g., Helpdesk
+resets it) then the password will need to be changed the first time it
+is used. This is so the end-user is the only one who knows the password.
+
+The IPA password policy controls how often a password may be changed,
+what strength requirements exist, and the length of the password history.
+
+EXAMPLES:
+
+ To reset your own password:
+ ipa passwd
+
+ To change another user's password:
+ ipa passwd tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class passwd(Command):
+ __doc__ = _("Set a user's password.")
+
+ takes_args = (
+ parameters.Str(
+ 'principal',
+ cli_name='user',
+ label=_(u'User name'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: util.get_current_principal()
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Password(
+ 'password',
+ label=_(u'New Password'),
+ confirm=True,
+ ),
+ parameters.Password(
+ 'current_password',
+ label=_(u'Current Password'),
+ default_from=DefaultFrom(lambda principal: None, 'principal'),
+ # FIXME:
+ # lambda principal: get_current_password(principal)
+ autofill=True,
+ ),
+ )
+ takes_options = (
+ parameters.Password(
+ 'otp',
+ required=False,
+ label=_(u'OTP'),
+ doc=_(u'One Time Password'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
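Review bot: Both `default_from` callbacks in `passwd.takes_args` are stubs that return None, `DefaultFrom(lambda : None)` on `principal` and `DefaultFrom(lambda principal: None, 'principal')` on `current_password`, while `autofill=True` is kept on both. Judging by their names, the commented originals (`util.get_current_principal()` and `get_current_password(principal)`) decide whose password is changed and whether the current password is requested, so this file alone does not show how either value is obtained. Replace each bare `# FIXME:` with a comment that names where the real default is applied, e.g. `# stub: the real default is computed outside this generated definition`. It is also worth confirming that a `current_password` left as None is rejected or prompted for, not sent through as an empty credential.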
diff --git a/ipaclient/remote_plugins/2_114/permission.py b/ipaclient/remote_plugins/2_114/permission.py
new file mode 100644
index 000000000..66ab03de1
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/permission.py
@@ -0,0 +1,1045 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Permissions
+
+A permission enables fine-grained delegation of rights. A permission is
+a human-readable wrapper around a 389-ds Access Control Rule,
+or instruction (ACI).
+A permission grants the right to perform a specific task such as adding a
+user, modifying a group, etc.
+
+A permission may not contain other permissions.
+
+* A permission grants access to read, write, add, delete, read, search,
+ or compare.
+* A privilege combines similar permissions (for example all the permissions
+ needed to add a user).
+* A role grants a set of privileges to users, groups, hosts or hostgroups.
+
+A permission is made up of a number of different parts:
+
+1. The name of the permission.
+2. The target of the permission.
+3. The rights granted by the permission.
+
+Rights define what operations are allowed, and may be one or more
+of the following:
+1. write - write one or more attributes
+2. read - read one or more attributes
+3. search - search on one or more attributes
+4. compare - compare one or more attributes
+5. add - add a new entry to the tree
+6. delete - delete an existing entry
+7. all - all permissions are granted
+
+Note the distinction between attributes and entries. The permissions are
+independent, so being able to add a user does not mean that the user will
+be editable.
+
+There are a number of allowed targets:
+1. subtree: a DN; the permission applies to the subtree under this DN
+2. target filter: an LDAP filter
+3. target: DN with possible wildcards, specifies entries permission applies to
+
+Additionally, there are the following convenience options.
+Setting one of these options will set the corresponding attribute(s).
+1. type: a type of object (user, group, etc); sets subtree and target filter.
+2. memberof: apply to members of a group; sets target filter
+3. targetgroup: grant access to modify a specific group (such as granting
+ the rights to manage group membership); sets target.
+
+Managed permissions
+
+Permissions that come with IPA by default can be so-called "managed"
+permissions. These have a default set of attributes they apply to,
+but the administrator can add/remove individual attributes to/from the set.
+
+Deleting or renaming a managed permission, as well as changing its target,
+is not allowed.
+
+EXAMPLES:
+
+ Add a permission that grants the creation of users:
+ ipa permission-add --type=user --permissions=add "Add Users"
+
+ Add a permission that grants the ability to manage group membership:
+ ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members"
+""")
+
+register = Registry()
+
+
+@register()
+class permission(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Permission name'),
+ ),
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermincludedattr',
+ required=False,
+ multivalue=True,
+ label=_(u'Included attributes'),
+ doc=_(u'User-specified attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermexcludedattr',
+ required=False,
+ multivalue=True,
+ label=_(u'Excluded attributes'),
+ doc=_(u'User-specified attributes to which the permission explicitly does not apply'),
+ ),
+ parameters.Str(
+ 'ipapermdefaultattr',
+ required=False,
+ multivalue=True,
+ label=_(u'Default attributes'),
+ doc=_(u'Attributes to which the permission applies by default'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ label=_(u'Bind rule type'),
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ ),
+ parameters.Str(
+ 'member_privilege',
+ required=False,
+ label=_(u'Granted to Privilege'),
+ ),
+ parameters.Str(
+ 'memberindirect_role',
+ required=False,
+ label=_(u'Indirect Member of roles'),
+ ),
+ )
+
+
+@register()
+class permission_add(Method):
+ __doc__ = _("Add a new permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ cli_name='right',
+ cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']",
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ cli_name='bindtype',
+ cli_metavar="['permission', 'all', 'anonymous']",
+ label=_(u'Bind rule type'),
+ default=u'permission',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ cli_name='subtree',
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='filter',
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='rawfilter',
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ cli_name='target',
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_add_member(Method):
+ __doc__ = _("Add members to a permission.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'member privilege'),
+ doc=_(u'privileges to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class permission_add_noaci(Method):
+ __doc__ = _("Add a system permission without an ACI (internal command)")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipapermissiontype',
+ multivalue=True,
+ label=_(u'Permission flags'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_del(Method):
+ __doc__ = _("Delete a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force delete of SYSTEM permissions'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class permission_find(Method):
+ __doc__ = _("Search for permissions.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ cli_name='right',
+ cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']",
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermincludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='includedattrs',
+ label=_(u'Included attributes'),
+ doc=_(u'User-specified attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermexcludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='excludedattrs',
+ label=_(u'Excluded attributes'),
+ doc=_(u'User-specified attributes to which the permission explicitly does not apply'),
+ ),
+ parameters.Str(
+ 'ipapermdefaultattr',
+ required=False,
+ multivalue=True,
+ cli_name='defaultattrs',
+ label=_(u'Default attributes'),
+ doc=_(u'Attributes to which the permission applies by default'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ required=False,
+ cli_name='bindtype',
+ cli_metavar="['permission', 'all', 'anonymous']",
+ label=_(u'Bind rule type'),
+ default=u'permission',
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ cli_name='subtree',
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='filter',
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='rawfilter',
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ cli_name='target',
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class permission_mod(Method):
+ __doc__ = _("Modify a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ cli_name='right',
+ cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']",
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermincludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='includedattrs',
+ label=_(u'Included attributes'),
+ doc=_(u'User-specified attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermexcludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='excludedattrs',
+ label=_(u'Excluded attributes'),
+ doc=_(u'User-specified attributes to which the permission explicitly does not apply'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ required=False,
+ cli_name='bindtype',
+ cli_metavar="['permission', 'all', 'anonymous']",
+ label=_(u'Bind rule type'),
+ default=u'permission',
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ cli_name='subtree',
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='filter',
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='rawfilter',
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ cli_name='target',
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the permission object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_remove_member(Method):
+ __doc__ = _("Remove members from a permission.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'member privilege'),
+ doc=_(u'privileges to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class permission_show(Method):
+ __doc__ = _("Display information about a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
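Review bot: The `ipapermbindruletype` option in `permission_add` (and again in `permission_find` and `permission_mod`) is a plain `parameters.Str` with no `doc=`, and its accepted values appear only in `cli_metavar`. Nothing in the help text tells an administrator that `all` and `anonymous` extend the permission beyond the holders of a privilege. I would add a doc line such as `doc=_(u'Who the permission applies to: permission (granted through privileges), all (any authenticated user), anonymous (any client, including unauthenticated)')`, and, if client-side validation is wanted, declare it as `parameters.StrEnum` with `values=(u'permission', u'all', u'anonymous')`. Separately, the module docstring lists `read` twice in "read, write, add, delete, read, search, or compare". These definitions look like a mirror of the server API, so the wording may have to change at its source rather than in this file.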
diff --git a/ipaclient/remote_plugins/2_114/ping.py b/ipaclient/remote_plugins/2_114/ping.py
new file mode 100644
index 000000000..e9344127c
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/ping.py
@@ -0,0 +1,62 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Ping the remote IPA server to ensure it is running.
+
+The ping command sends an echo request to an IPA server. The server
+returns its version information. This is used by an IPA client
+to confirm that the server is available and accepting requests.
+
+The server from xmlrpc_uri in /etc/ipa/default.conf is contacted first.
+If it does not respond then the client will contact any servers defined
+by ldap SRV records in DNS.
+
+EXAMPLES:
+
+ Ping an IPA server:
+ ipa ping
+ ------------------------------------------
+ IPA server version 2.1.9. API version 2.20
+ ------------------------------------------
+
+ Ping an IPA server verbosely:
+ ipa -v ping
+ ipa: INFO: trying https://ipa.example.com/ipa/xml
+ ipa: INFO: Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
+ -----------------------------------------------------
+ IPA server version 2.1.9. API version 2.20
+ -----------------------------------------------------
+""")
+
+register = Registry()
+
+
+@register()
+class ping(Command):
+ __doc__ = _("Ping a remote server.")
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/pkinit.py b/ipaclient/remote_plugins/2_114/pkinit.py
new file mode 100644
index 000000000..fcb4c6b6b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/pkinit.py
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Kerberos pkinit options
+
+Enable or disable anonymous pkinit using the principal
+WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
+pkinit support.
+
+EXAMPLES:
+
+ Enable anonymous pkinit:
+ ipa pkinit-anonymous enable
+
+ Disable anonymous pkinit:
+ ipa pkinit-anonymous disable
+
+For more information on anonymous pkinit see:
+
+http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+""")
+
+register = Registry()
+
+
+@register()
+class pkinit(Object):
+ takes_params = (
+ )
+
+
+@register()
+class pkinit_anonymous(Command):
+ __doc__ = _("Enable or Disable Anonymous PKINIT.")
+
+ takes_args = (
+ parameters.Str(
+ 'action',
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
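Review bot: `pkinit_anonymous` declares its only argument as a bare `parameters.Str('action')` with no label, doc or value restriction, although the module docstring allows only `enable` and `disable`. A mistyped action is therefore not rejected on the client, and the help output does not say what is accepted. Because this command switches anonymous PKINIT on or off, I would constrain and document it, e.g. `parameters.StrEnum('action', values=(u'enable', u'disable'), doc=_(u'enable or disable anonymous PKINIT'))`. The server presumably validates the value as well, but that is not visible in this hunk. `output.Output('result')` also has no type or doc, unlike the outputs declared in the neighbouring plugin files.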
diff --git a/ipaclient/remote_plugins/2_114/privilege.py b/ipaclient/remote_plugins/2_114/privilege.py
new file mode 100644
index 000000000..a9fb98316
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/privilege.py
@@ -0,0 +1,656 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Privileges
+
+A privilege combines permissions into a logical task. A permission provides
+the rights to do a single task. There are some IPA operations that require
+multiple permissions to succeed. A privilege is where permissions are
+combined in order to perform a specific task.
+
+For example, adding a user requires the following permissions:
+ * Creating a new user entry
+ * Resetting a user password
+ * Adding the new user to the default IPA users group
+
+Combining these three low-level tasks into a higher level task in the
+form of a privilege named "Add User" makes it easier to manage Roles.
+
+A privilege may not contain other privileges.
+
+See role and permission for additional information.
+""")
+
+register = Registry()
+
+
+@register()
+class privilege(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Privilege name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'memberof_permission',
+ required=False,
+ label=_(u'Permissions'),
+ ),
+ parameters.Str(
+ 'member_role',
+ required=False,
+ label=_(u'Granting privilege to roles'),
+ ),
+ )
+
+
+@register()
+class privilege_add(Method):
+ __doc__ = _("Add a new privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class privilege_add_member(Method):
+ __doc__ = _("Add members to a privilege.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'role',
+ required=False,
+ multivalue=True,
+ cli_name='roles',
+ label=_(u'member role'),
+ doc=_(u'roles to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class privilege_add_permission(Method):
+ __doc__ = _("Add permissions to a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ multivalue=True,
+ cli_name='permissions',
+ label=_(u'permission'),
+ doc=_(u'permissions'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of permissions added'),
+ ),
+ )
+
+
+@register()
+class privilege_del(Method):
+ __doc__ = _("Delete a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class privilege_find(Method):
+ __doc__ = _("Search for privileges.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class privilege_mod(Method):
+ __doc__ = _("Modify a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the privilege object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class privilege_remove_member(Method):
+ __doc__ = _("Remove members from a privilege")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'role',
+ required=False,
+ multivalue=True,
+ cli_name='roles',
+ label=_(u'member role'),
+ doc=_(u'roles to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class privilege_remove_permission(Method):
+ __doc__ = _("Remove permissions from a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ multivalue=True,
+ cli_name='permissions',
+ label=_(u'permission'),
+ doc=_(u'permissions'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of permissions removed'),
+ ),
+ )
+
+
+@register()
+class privilege_show(Method):
+ __doc__ = _("Display information about a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
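Review bot: In `privilege_remove_permission` the `failed` output is documented as `Members that could not be added`, which appears to be copied from `privilege_add_permission`. For a removal command it should read `doc=_(u'Members that could not be removed')`, as `privilege_remove_member` already does. If these strings are deliberately kept identical to what the 2.114 server advertised, a short comment saying so would stop the next reader from treating it as a bug.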
diff --git a/ipaclient/remote_plugins/2_114/pwpolicy.py b/ipaclient/remote_plugins/2_114/pwpolicy.py
new file mode 100644
index 000000000..9db8c28df
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/pwpolicy.py
@@ -0,0 +1,937 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Password policy
+
+A password policy sets limitations on IPA passwords, including maximum
+lifetime, minimum lifetime, the number of passwords to save in
+history, the number of character classes required (for stronger passwords)
+and the minimum password length.
+
+By default there is a single, global policy for all users. You can also
+create a password policy to apply to a group. Each user is only subject
+to one password policy, either the group policy or the global policy. A
+group policy stands alone; it is not a super-set of the global policy plus
+custom settings.
+
+Each group password policy requires a unique priority setting. If a user
+is in multiple groups that have password policies, this priority determines
+which password policy is applied. A lower value indicates a higher priority
+policy.
+
+Group password policies are automatically removed when the groups they
+are associated with are removed.
+
+EXAMPLES:
+
+ Modify the global policy:
+ ipa pwpolicy-mod --minlength=10
+
+ Add a new group password policy:
+ ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins
+
+ Display the global password policy:
+ ipa pwpolicy-show
+
+ Display a group password policy:
+ ipa pwpolicy-show localadmins
+
+ Display the policy that would be applied to a given user:
+ ipa pwpolicy-show --user=tuser1
+
+ Modify a group password policy:
+ ipa pwpolicy-mod --minclasses=2 localadmins
+""")
+
+register = Registry()
+
+
+@register()
+class cosentry(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ ),
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ ),
+ parameters.Int(
+ 'cospriority',
+ ),
+ )
+
+
+@register()
+class pwpolicy(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ primary_key=True,
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ )
+
+
+@register()
+class cosentry_add(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ ),
+ parameters.Int(
+ 'cospriority',
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cosentry_del(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class cosentry_find(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ ),
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ required=False,
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("cn")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class cosentry_mod(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ required=False,
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cosentry_show(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_add(Method):
+ __doc__ = _("Add a new group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_del(Method):
+ __doc__ = _("Delete a group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class pwpolicy_find(Method):
+ __doc__ = _("Search for group password policies.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("group")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class pwpolicy_mod(Method):
+ __doc__ = _("Modify a group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_show(Method):
+ __doc__ = _("Display information about password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ label=_(u'User'),
+ doc=_(u'Display effective policy for a specific user'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
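Review bot: The `cospriority` help string `Priority of the policy (higher number means lower priority` is missing its closing parenthesis. It appears in `pwpolicy`, `pwpolicy_add`, `pwpolicy_find` and `pwpolicy_mod`, and the fix in each is `doc=_(u'Priority of the policy (higher number means lower priority)')`. Separately, the `cosentry_*` classes carry no `__doc__`, unlike every `pwpolicy_*` command. A one-line docstring on each (for example `__doc__ = _("Add a class-of-service entry.")` on `cosentry_add`, if that is indeed what it does) would make these `NO_CLI` commands easier to audit.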
diff --git a/ipaclient/remote_plugins/2_114/radiusproxy.py b/ipaclient/remote_plugins/2_114/radiusproxy.py
new file mode 100644
index 000000000..fca0b2ec3
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/radiusproxy.py
@@ -0,0 +1,521 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+RADIUS Proxy Servers
+
+Manage RADIUS Proxy Servers.
+
+IPA supports the use of an external RADIUS proxy server for krb5 OTP
+authentications. This permits a great deal of flexibility when
+integrating with third-party authentication services.
+
+EXAMPLES:
+
+ Add a new server:
+ ipa radiusproxy-add MyRADIUS --server=radius.example.com:1812
+
+ Find all servers whose entries include the string "example.com":
+ ipa radiusproxy-find example.com
+
+ Examine the configuration:
+ ipa radiusproxy-show MyRADIUS
+
+ Change the secret:
+ ipa radiusproxy-mod MyRADIUS --secret
+
+ Delete a configuration:
+ ipa radiusproxy-del MyRADIUS
+""")
+
+register = Registry()
+
+
+@register()
+class radiusproxy(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'RADIUS proxy server name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ multivalue=True,
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ )
+
+
+@register()
+class radiusproxy_add(Method):
+ __doc__ = _("Add a new RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ multivalue=True,
+ cli_name='server',
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ cli_name='secret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ exclude=('cli', 'webui'),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ cli_name='retries',
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ cli_name='userattr',
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class radiusproxy_del(Method):
+ __doc__ = _("Delete a RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class radiusproxy_find(Method):
+ __doc__ = _("Search for RADIUS proxy servers.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ required=False,
+ multivalue=True,
+ cli_name='server',
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ required=False,
+ cli_name='secret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ exclude=('cli', 'webui'),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ cli_name='retries',
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ cli_name='userattr',
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class radiusproxy_mod(Method):
+ __doc__ = _("Modify a RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ required=False,
+ multivalue=True,
+ cli_name='server',
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ required=False,
+ cli_name='secret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ exclude=('cli', 'webui'),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ cli_name='retries',
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ cli_name='userattr',
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the RADIUS proxy server object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class radiusproxy_show(Method):
+ __doc__ = _("Display information about a RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
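Review bot: `radiusproxy_find` accepts `ipatokenradiussecret` as a search option, so the RADIUS shared secret can be supplied as a filter over the API even though `exclude=('cli', 'webui')` hides it from both front ends. Whether matching on that filter is restricted is decided server-side and is not visible in this client stub, so the parameter deserves a comment such as `# still a valid API filter; matching must be limited by server-side access control (confirm)`. The doc string 'The secret used to encrypt data' would be more precise as the RADIUS shared secret; the same wording appears in `radiusproxy`, `radiusproxy_add` and `radiusproxy_mod`. The module docstring example `ipa radiusproxy-mod MyRADIUS --secret` should also be checked against that `exclude`, since the option is marked as hidden from the CLI.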
diff --git a/ipaclient/remote_plugins/2_114/realmdomains.py b/ipaclient/remote_plugins/2_114/realmdomains.py
new file mode 100644
index 000000000..f8f563a45
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/realmdomains.py
@@ -0,0 +1,195 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Realm domains
+
+Manage the list of domains associated with IPA realm.
+
+EXAMPLES:
+
+ Display the current list of realm domains:
+ ipa realmdomains-show
+
+ Replace the list of realm domains:
+ ipa realmdomains-mod --domain=example.com
+ ipa realmdomains-mod --domain={example1.com,example2.com,example3.com}
+
+ Add a domain to the list of realm domains:
+ ipa realmdomains-mod --add-domain=newdomain.com
+
+ Delete a domain from the list of realm domains:
+ ipa realmdomains-mod --del-domain=olddomain.com
+""")
+
+register = Registry()
+
+
+@register()
+class realmdomains(Object):
+ takes_params = (
+ parameters.Str(
+ 'associateddomain',
+ multivalue=True,
+ label=_(u'Domain'),
+ ),
+ parameters.Str(
+ 'add_domain',
+ required=False,
+ label=_(u'Add domain'),
+ ),
+ parameters.Str(
+ 'del_domain',
+ required=False,
+ label=_(u'Delete domain'),
+ ),
+ )
+
+
+@register()
+class realmdomains_mod(Method):
+ __doc__ = _("Modify realm domains.")
+
+ takes_options = (
+ parameters.Str(
+ 'associateddomain',
+ required=False,
+ multivalue=True,
+ cli_name='domain',
+ label=_(u'Domain'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'add_domain',
+ required=False,
+ label=_(u'Add domain'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'del_domain',
+ required=False,
+ label=_(u'Delete domain'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'Force adding domain even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class realmdomains_show(Method):
+ __doc__ = _("Display the list of realm domains.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
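Review bot: The `force` flag in `realmdomains_mod` is documented only as 'Force adding domain even if not in DNS', and neither the class nor the module docstring EXAMPLES say when skipping that check is appropriate. Unlike `all` and `raw` it carries no `exclude`, so it appears to be offered on every front end. A comment above the flag would help the next reader, for example `# force: skips the DNS check named in the doc string; the check itself lives server-side and is not visible in this stub`. The three domain parameters also set `no_convert=True` without explanation, and a one-line comment on why would be useful.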
diff --git a/ipaclient/remote_plugins/2_114/role.py b/ipaclient/remote_plugins/2_114/role.py
new file mode 100644
index 000000000..120b79a08
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/role.py
@@ -0,0 +1,758 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Roles
+
+A role is used for fine-grained delegation. A permission grants the ability
+to perform given low-level tasks (add a user, modify a group, etc.). A
+privilege combines one or more permissions into a higher-level abstraction
+such as useradmin. A useradmin would be able to add, delete and modify users.
+
+Privileges are assigned to Roles.
+
+Users, groups, hosts and hostgroups may be members of a Role.
+
+Roles can not contain other roles.
+
+EXAMPLES:
+
+ Add a new role:
+ ipa role-add --desc="Junior-level admin" junioradmin
+
+ Add some privileges to this role:
+ ipa role-add-privilege --privileges=addusers junioradmin
+ ipa role-add-privilege --privileges=change_password junioradmin
+ ipa role-add-privilege --privileges=add_user_to_default_group junioradmin
+
+ Add a group of users to this role:
+ ipa group-add --desc="User admins" useradmins
+ ipa role-add-member --groups=useradmins junioradmin
+
+ Display information about a role:
+ ipa role-show junioradmin
+
+ The result of this is that any users in the group 'junioradmin' can
+ add users, reset passwords or add a user to the default IPA user group.
+""")
+
+register = Registry()
+
+
+@register()
+class role(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Role name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'member_user',
+ required=False,
+ label=_(u'Member users'),
+ ),
+ parameters.Str(
+ 'member_group',
+ required=False,
+ label=_(u'Member groups'),
+ ),
+ parameters.Str(
+ 'member_host',
+ required=False,
+ label=_(u'Member hosts'),
+ ),
+ parameters.Str(
+ 'member_hostgroup',
+ required=False,
+ label=_(u'Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_privilege',
+ required=False,
+ label=_(u'Privileges'),
+ ),
+ parameters.Str(
+ 'member_service',
+ required=False,
+ label=_(u'Member services'),
+ ),
+ )
+
+
+@register()
+class role_add(Method):
+ __doc__ = _("Add a new role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class role_add_member(Method):
+ __doc__ = _("Add members to a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ multivalue=True,
+ cli_name='services',
+ label=_(u'member service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class role_add_privilege(Method):
+ __doc__ = _("Add privileges to a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'privilege'),
+ doc=_(u'privileges'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of privileges added'),
+ ),
+ )
+
+
+@register()
+class role_del(Method):
+ __doc__ = _("Delete a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class role_find(Method):
+ __doc__ = _("Search for roles.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class role_mod(Method):
+ __doc__ = _("Modify a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the role object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class role_remove_member(Method):
+ __doc__ = _("Remove members from a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ multivalue=True,
+ cli_name='services',
+ label=_(u'member service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class role_remove_privilege(Method):
+ __doc__ = _("Remove privileges from a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'privilege'),
+ doc=_(u'privileges'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of privileges removed'),
+ ),
+ )
+
+
+@register()
+class role_show(Method):
+ __doc__ = _("Display information about a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
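Review bot: In `role_remove_privilege` the `failed` output is documented as 'Members that could not be added', which is the add command's text; for a removal it should read `doc=_(u'Members that could not be removed'),` as `role_remove_member` already does. The module docstring has a related slip: its closing example paragraph says users in the group 'junioradmin' gain the rights, but the example adds the group `useradmins` to the role `junioradmin`, so the sentence names the role where it means the group. In delegation documentation that distinction matters, because it tells an administrator who ends up holding the privileges. These strings look like they mirror the server-side API definition, so the correction probably belongs there as well.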
diff --git a/ipaclient/remote_plugins/2_114/selfservice.py b/ipaclient/remote_plugins/2_114/selfservice.py
new file mode 100644
index 000000000..5d7e36f30
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/selfservice.py
@@ -0,0 +1,338 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Self-service Permissions
+
+A permission enables fine-grained delegation of permissions. Access Control
+Rules, or instructions (ACIs), grant permission to permissions to perform
+given tasks such as adding a user, modifying a group, etc.
+
+A Self-service permission defines what an object can change in its own entry.
+
+
+EXAMPLES:
+
+ Add a self-service rule to allow users to manage their address (using Bash
+ brace expansion):
+ ipa selfservice-add --permissions=write --attrs={street,postalCode,l,c,st} "Users manage their own address"
+
+ When managing the list of attributes you need to include all attributes
+ in the list, including existing ones.
+ Add telephoneNumber to the list (using Bash brace expansion):
+ ipa selfservice-mod --attrs={street,postalCode,l,c,st,telephoneNumber} "Users manage their own address"
+
+ Display our updated rule:
+ ipa selfservice-show "Users manage their own address"
+
+ Delete a rule:
+ ipa selfservice-del "Users manage their own address"
+""")
+
+register = Registry()
+
+
+@register()
+class selfservice(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'Self-service name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ ),
+ )
+
+
+@register()
+class selfservice_add(Method):
+ __doc__ = _("Add a new self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_del(Method):
+ __doc__ = _("Delete a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_find(Method):
+ __doc__ = _("Search for a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class selfservice_mod(Method):
+ __doc__ = _("Modify a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_show(Method):
+ __doc__ = _("Display information about a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
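Review bot: The `permissions` option in `selfservice_add`, `selfservice_mod` and `selfservice_find` is a free-form `parameters.Str`, so the "(read, write)" set named in its doc string is not checked by this client-side definition. The same holds for `usercategory` and `hostcategory` in selinuxusermap.py, where `cli_metavar="['all']"` is the only hint of the accepted value. Presumably the server rejects anything else, but that is not visible in this diff, and these commands decide what an entry may change about itself. I would record the assumption above the class definitions, e.g. `# Value constraints are not enforced here; the server validates permissions and attrs.` (if the file is generated, the comment belongs in the generator). In `selfservice_find` the reused doc 'Permissions to grant (read, write). Default is write.' also reads oddly for a search filter.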
diff --git a/ipaclient/remote_plugins/2_114/selinuxusermap.py b/ipaclient/remote_plugins/2_114/selinuxusermap.py
new file mode 100644
index 000000000..223aeb722
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/selinuxusermap.py
@@ -0,0 +1,905 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+SELinux User Mapping
+
+Map IPA users to SELinux users by host.
+
+Hosts, hostgroups, users and groups can be either defined within
+the rule or it may point to an existing HBAC rule. When using
+--hbacrule option to selinuxusermap-find an exact match is made on the
+HBAC rule name, so only one or zero entries will be returned.
+
+EXAMPLES:
+
+ Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server":
+ ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1
+ ipa selinuxusermap-add-host --hosts=server.example.com test1
+
+ Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts:
+ ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2
+
+ Display the properties of a rule:
+ ipa selinuxusermap-show test2
+
+ Create a rule for a specific user. This sets the SELinux context for
+ user john to unconfined_u:s0-s0:c0.c1023 on any machine:
+ ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined
+ ipa selinuxusermap-add-user --users=john john_unconfined
+
+ Disable a rule:
+ ipa selinuxusermap-disable test1
+
+ Enable a rule:
+ ipa selinuxusermap-enable test1
+
+ Find a rule referencing a specific HBAC rule:
+ ipa selinuxusermap-find --hbacrule=allow_some
+
+ Remove a rule:
+ ipa selinuxusermap-del john_unconfined
+
+SEEALSO:
+
+ The list controlling the order in which the SELinux user map is applied
+ and the default SELinux user are available in the config-show command.
+""")
+
+register = Registry()
+
+
+@register()
+class selinuxusermap(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'ipaselinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add(Method):
+ __doc__ = _("Create a new SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaselinuxuser',
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add_host(Method):
+ __doc__ = _("Add target hosts and hostgroups to an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add_user(Method):
+ __doc__ = _("Add users and groups to an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_del(Method):
+ __doc__ = _("Delete a SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class selinuxusermap_disable(Method):
+ __doc__ = _("Disable an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_enable(Method):
+ __doc__ = _("Enable an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_find(Method):
+ __doc__ = _("Search for SELinux User Maps.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'ipaselinuxuser',
+ required=False,
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_mod(Method):
+ __doc__ = _("Modify a SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaselinuxuser',
+ required=False,
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_remove_user(Method):
+ __doc__ = _("Remove users and groups from an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_show(Method):
+ __doc__ = _("Display the properties of a SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
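Review bot: The `seealso` doc string, 'HBAC Rule that defines the users, groups and hostgroups', leaves out hosts, while the module docstring says hosts, hostgroups, users and groups may all come from the referenced HBAC rule. This applies to the `selinuxusermap` object and to `selinuxusermap_add`, `selinuxusermap_find` and `selinuxusermap_mod`. Because the linked rule decides which hosts receive the SELinux user, the text should say so: `doc=_(u'HBAC Rule that defines the users, groups, hosts and hostgroups'),`. The attribute name gives no hint of its role either, so a short comment such as `# 'seealso' holds the linked HBAC rule (CLI: --hbacrule)` above its first use would help. If these strings have to match the server's message ids for translation, the wording change belongs on the server side as well.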
diff --git a/ipaclient/remote_plugins/2_114/service.py b/ipaclient/remote_plugins/2_114/service.py
new file mode 100644
index 000000000..8e025b3f2
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/service.py
@@ -0,0 +1,1100 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Services
+
+A IPA service represents a service that runs on a host. The IPA service
+record can store a Kerberos principal, an SSL certificate, or both.
+
+An IPA service can be managed directly from a machine, provided that
+machine has been given the correct permission. This is true even for
+machines other than the one the service is associated with. For example,
+requesting an SSL certificate using the host service principal credentials
+of the host. To manage a service using host credentials you need to
+kinit as the host:
+
+ # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM
+
+Adding an IPA service allows the associated service to request an SSL
+certificate or keytab, but this is performed as a separate step; they
+are not produced as a result of adding the service.
+
+Only the public aspect of a certificate is stored in a service record;
+the private key is not stored.
+
+EXAMPLES:
+
+ Add a new IPA service:
+ ipa service-add HTTP/web.example.com
+
+ Allow a host to manage an IPA service certificate:
+ ipa service-add-host --hosts=web.example.com HTTP/web.example.com
+ ipa role-add-member --hosts=web.example.com certadmin
+
+ Override a default list of supported PAC types for the service:
+ ipa service-mod HTTP/web.example.com --pac-type=MS-PAC
+
+ A typical use case where overriding the PAC type is needed is NFS.
+ Currently the related code in the Linux kernel can only handle Kerberos
+ tickets up to a maximal size. Since the PAC data can become quite large it
+ is recommended to set --pac-type=NONE for NFS services.
+
+ Delete an IPA service:
+ ipa service-del HTTP/web.example.com
+
+ Find all IPA services associated with a host:
+ ipa service-find web.example.com
+
+ Find all HTTP services:
+ ipa service-find HTTP
+
+ Disable the service Kerberos key and SSL certificate:
+ ipa service-disable HTTP/web.example.com
+
+ Request a certificate for an IPA service:
+ ipa cert-request --principal=HTTP/web.example.com example.csr
+
+ Allow user to create a keytab:
+ ipa service-allow-create-keytab HTTP/web.example.com --users=tuser1
+
+ Generate and retrieve a keytab for an IPA service:
+ ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
+""")
+
+register = Registry()
+
+
+@register()
+class service(Object):
+ takes_params = (
+ parameters.Str(
+ 'krbprincipalname',
+ primary_key=True,
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Keytab'),
+ ),
+ parameters.Str(
+ 'managedby_host',
+ label=_(u'Managed by'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_user',
+ label=_(u'Users allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_group',
+ label=_(u'Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_host',
+ label=_(u'Hosts allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_hostgroup',
+ label=_(u'Host Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_user',
+ label=_(u'Users allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_group',
+ label=_(u'Groups allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_host',
+ label=_(u'Hosts allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_hostgroup',
+ label=_(u'Host Groups allowed to create keytab'),
+ ),
+ )
+
+
+@register()
+class service_add(Method):
+ __doc__ = _("Add a new IPA new service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force principal name even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_add_host(Method):
+ __doc__ = _("Add hosts that can manage this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class service_allow_create_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class service_allow_retrieve_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class service_del(Method):
+ __doc__ = _("Delete an IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ multivalue=True,
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class service_disable(Method):
+ __doc__ = _("Disable the Kerberos key and SSL certificate of a service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_disallow_create_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class service_disallow_retrieve_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class service_find(Method):
+ __doc__ = _("Search for IPA services.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("principal")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for services with these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for services without these managed by hosts.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class service_mod(Method):
+ __doc__ = _("Modify an existing IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_remove_host(Method):
+ __doc__ = _("Remove hosts that can manage this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class service_show(Method):
+ __doc__ = _("Display information about an IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
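Review bot: `ipakrbauthzdata` in `service_add`, `service_find` and `service_mod` is declared as a plain `parameters.Str`, and the permitted values appear only in `cli_metavar="['MS-PAC', 'PAD', 'NONE']"`, so nothing in this client-side definition rejects any other string for a setting that controls the authorization data placed in the service's tickets. Presumably the server still validates the value, but that should be stated next to the parameter, e.g. `# PAC type is validated by the server; cli_metavar is help text only`. If these stubs are meant to validate locally, declare it as `parameters.StrEnum` with `values=(u'MS-PAC', u'PAD', u'NONE')` instead. Separately, the `service_add` docstring reads `"Add a new IPA new service."` and the module docstring opens with "A IPA service"; the fixes are `_("Add a new IPA service.")` and "An IPA service", made wherever these strings originate if this file is generated.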
diff --git a/ipaclient/remote_plugins/2_114/session.py b/ipaclient/remote_plugins/2_114/session.py
new file mode 100644
index 000000000..72c565ca4
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/session.py
@@ -0,0 +1,626 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Session Support for IPA
+John Dennis <jdennis@redhat.com>
+
+Goals
+=====
+
+Provide per-user session data caching which persists between
+requests. Desired features are:
+
+* Integrates cleanly with minimum impact on existing infrastructure.
+
+* Provides maximum security balanced against real-world performance
+ demands.
+
+* Sessions must be able to be revoked (flushed).
+
+* Should be flexible and easy to use for developers.
+
+* Should leverage existing technology and code to the maximum extent
+ possible to avoid re-invention, excessive implementation time and to
+ benefit from robustness in field proven components commonly shared
+ in the open source community.
+
+* Must support multiple independent processes which share session
+ data.
+
+* System must function correctly if session data is available or not.
+
+* Must be high performance.
+
+* Should not be tied to specific web servers or browsers. Should
+ integrate with our chosen WSGI model.
+
+Issues
+======
+
+Cookies
+-------
+
+Most session implementations are based on the use of cookies. Cookies
+have some inherent problems.
+
+* User has the option to disable cookies.
+
+* User stored cookie data is not secure. Can be mitigated by setting
+ flags indicating the cookie is only to be used with SSL secured HTTP
+ connections to specific web resources and setting the cookie to
+ expire at session termination. Most modern browsers enforce these.
+
+Where to store session data?
+----------------------------
+
+Session data may be stored on either on the client or on the
+server. Storing session data on the client addresses the problem of
+session data availability when requests are serviced by independent web
+servers because the session data travels with the request. However
+there are data size limitations. Storing session data on the client
+also exposes sensitive data but this can be mitigated by encrypting
+the session data such that only the server can decrypt it.
+
+The more conventional approach is to bind session data to a unique
+name, the session ID. The session ID is transmitted to the client and
+the session data is paired with the session ID on the server in a
+associative data store. The session data is retrieved by the server
+using the session ID when the receiving the request. This eliminates
+exposing sensitive session data on the client along with limitations
+on data size. It however introduces the issue of session data
+availability when requests are serviced by more than one server
+process.
+
+Multi-process session data availability
+---------------------------------------
+
+Apache (and other web servers) fork child processes to handle requests
+in parallel. Also web servers may be deployed in a farm where requests
+are load balanced in round robin fashion across different nodes. In
+both cases session data cannot be stored in the memory of a server
+process because it is not available to other processes, either sibling
+children of a master server process or server processes on distinct
+nodes.
+
+Typically this is addressed by storing session data in a SQL
+database. When a request is received by a server process containing a
+session ID in it's cookie data the session ID is used to perform a SQL
+query and the resulting data is then attached to the request as it
+proceeds through the request processing pipeline. This of course
+introduces coherency issues.
+
+For IPA the introduction of a SQL database dependency is undesired and
+should be avoided.
+
+Session data may also be shared by independent processes by storing
+the session data in files.
+
+An alternative solution which has gained considerable popularity
+recently is the use of a fast memory based caching server. Data is
+stored in a single process memory and may be queried and set via a
+light weight protocol using standard socket mechanisms, memcached is
+one example. A typical use is to optimize SQL queries by storing a SQL
+result in shared memory cache avoiding the more expensive SQL
+operation. But the memory cache has distinct advantages in non-SQL
+situations as well.
+
+Possible implementations for use by IPA
+=======================================
+
+Apache Sessions
+---------------
+
+Apache has 2.3 has implemented session support via these modules:
+
+ mod_session
+ Overarching session support based on cookies.
+
+ See: http://httpd.apache.org/docs/2.3/mod/mod_session.html
+
+ mod_session_cookie
+ Stores session data in the client.
+
+ See: http://httpd.apache.org/docs/2.3/mod/mod_session_cookie.html
+
+ mod_session_crypto
+ Encrypts session data for security. Encryption key is shared
+ configuration parameter visible to all Apache processes and is
+ stored in a configuration file.
+
+ See: http://httpd.apache.org/docs/2.3/mod/mod_session_crypto.html
+
+ mod_session_dbd
+ Stores session data in a SQL database permitting multiple
+ processes to access and share the same session data.
+
+ See: http://httpd.apache.org/docs/2.3/mod/mod_session_dbd.html
+
+Issues with Apache sessions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Although Apache has implemented generic session support and Apache is
+our web server of preference it nonetheless introduces issues for IPA.
+
+ * Session support is only available in httpd >= 2.3 which at the
+ time of this writing is currently only available as a Beta release
+ from upstream. We currently only ship httpd 2.2, the same is true
+ for other distributions.
+
+ * We could package and ship the sessions modules as a temporary
+ package in httpd 2.2 environments. But this has the following
+ consequences:
+
+ - The code has to be backported. the module API has changed
+ slightly between httpd 2.2 and 2.3. The backporting is not
+ terribly difficult and a proof of concept has been
+ implemented.
+
+ - We would then be on the hook to package and maintain a special
+ case Apache package. This is maintenance burden as well as a
+ distribution packaging burden. Both of which would be best
+ avoided if possible.
+
+ * The design of the Apache session modules is such that they can
+ only be manipulated by other Apache modules. The ability of
+ consumers of the session data to control the session data is
+ simplistic, constrained and static during the period the request
+ is processed. Request handlers which are not native Apache modules
+ (e.g. IPA via WSGI) can only examine the session data
+ via request headers and reset it in response headers.
+
+ * Shared session data is available exclusively via SQL.
+
+However using the 2.3 Apache session modules would give us robust
+session support implemented in C based on standardized Apache
+interfaces which are widely used.
+
+Python Web Frameworks
+---------------------
+
+Virtually every Python web framework supports cookie based sessions,
+e.g. Django, Twisted, Zope, Turbogears etc. Early on in IPA we decided
+to avoid the use of these frameworks. Trying to pull in just one part
+of these frameworks just to get session support would be problematic
+because the code does not function outside it's framework.
+
+IPA implemented sessions
+------------------------
+
+Originally it was believed the path of least effort was to utilize
+existing session support, most likely what would be provided by
+Apache. However there are enough basic modular components available in
+native Python and other standard packages it should be possible to
+provide session support meeting the aforementioned goals with a modest
+implementation effort. Because we're leveraging existing components
+the implementation difficulties are subsumed by other components which
+have already been field proven and have community support. This is a
+smart strategy.
+
+Proposed Solution
+=================
+
+Our interface to the web server is via WSGI which invokes a callback
+per request passing us an environmental context for the request. For
+this discussion we'll name the WSGI callback "application()", a
+conventional name in WSGI parlance.
+
+Shared session data will be handled by memcached. We will create one
+instance of memcached on each server node dedicated to IPA
+exclusively. Communication with memcached will be via a UNIX socket
+located in the file system under /var/run/ipa_memcached. It will be
+protected by file permissions and optionally SELinux policy.
+
+In application() we examine the request cookies and if there is an IPA
+session cookie with a session ID we retrieve the session data from our
+memcached instance.
+
+The session data will be a Python dict. IPA components will read or
+write their session information by using a pre-agreed upon name
+(e.g. key) in the dict. This is a very flexible system and consistent
+with how we pass data in most parts of IPA.
+
+If the session data is not available an empty session data dict will
+be created.
+
+How does this session data travel with the request in the IPA
+pipeline? In IPA we use the HTTP request/response to implement RPC. In
+application() we convert the request into a procedure call passing it
+arguments derived from the HTTP request. The passed parameters are
+specific to the RPC method being invoked. The context the RPC call is
+executing in is not passed as an RPC parameter.
+
+How would the contextual information such as session data be bound to
+the request and hence the RPC call?
+
+In IPA when a RPC invocation is being prepared from a request we
+recognize this will only ever be processed serially by one Python
+thread. A thread local dict called "context" is allocated for each
+thread. The context dict is cleared in between requests (e.g. RPC method
+invocations). The per-thread context dict is populated during the
+lifetime of the request and is used as a global data structure unique to
+the request that various IPA component can read from and write to with
+the assurance the data is unique to the current request and/or method
+call.
+
+The session data dict will be written into the context dict under the
+session key before the RPC method begins execution. Thus session data
+can be read and written by any IPA component by accessing
+``context.session``.
+
+When the RPC method finishes execution the session data bound to the
+request/method is retrieved from the context and written back to the
+memcached instance. The session ID is set in the response sent back to
+the client in the ``Set-Cookie`` header along with the flags
+controlling it's usage.
+
+Issues and details
+------------------
+
+IPA code cannot depend on session data being present, however it
+should always update session data with the hope it will be available
+in the future. Session data may not be available because:
+
+ * This is the first request from the user and no session data has
+ been created yet.
+
+ * The user may have cookies disabled.
+
+ * The session data may have been flushed. memcached operates with
+ a fixed memory allocation and will flush entries on a LRU basis,
+ like with any cache there is no guarantee of persistence.
+
+ Also we may have have deliberately expired or deleted session
+ data, see below.
+
+Cookie manipulation is done via the standard Python Cookie module.
+
+Session cookies will be set to only persist as long as the browser has
+the session open. They will be tagged so the browser only returns
+the session ID on SSL secured HTTP requests. They will not be visible
+to Javascript in the browser.
+
+Session ID's will be created by using 48 bits of random data and
+converted to 12 hexadecimal digits. Newly generated session ID's will
+be checked for prior existence to handle the unlikely case the random
+number repeats.
+
+memcached will have significantly higher performance than a SQL or file
+based storage solution. Communication is effectively though a pipe
+(UNIX socket) using a very simple protocol and the data is held
+entirely in process memory. memcached also scales easily, it is easy
+to add more memcached processes and distribute the load across them.
+At this point in time we don't anticipate the need for this.
+
+A very nice feature of the Python memcached module is that when a data
+item is written to the cache it is done with standard Python pickling
+(pickling is a standard Python mechanism to marshal and unmarshal
+Python objects). We adopt the convention the object written to cache
+will be a dict to meet our internal data handling conventions. The
+pickling code will recursively handle nested objects in the dict. Thus
+we gain a lot of flexibility using standard Python data structures to
+store and retrieve our session data without having to author and debug
+code to marshal and unmarshal the data if some other storage mechanism
+had been used. This is a significant implementation win. Of course
+some common sense limitations need to observed when deciding on what
+is written to the session cache keeping in mind the data is shared
+between processes and it should not be excessively large (a
+configurable option)
+
+We can set an expiration on memcached entries. We may elect to do that
+to force session data to be refreshed periodically. For example we may
+wish the client to present fresh credentials on a periodic basis even
+if the cached credentials are otherwise within their validity period.
+
+We can explicitly delete session data if for some reason we believe it
+is stale, invalid or compromised.
+
+memcached also gives us certain facilities to prevent race conditions
+between different processes utilizing the cache. For example you can
+check of the entry has been modified since you last read it or use CAS
+(Check And Set) semantics. What has to be protected in terms of cache
+coherency will likely have to be determined as the session support is
+utilized and different data items are added to the cache. This is very
+much data and context specific. Fortunately memcached operations are
+atomic.
+
+Controlling the memcached process
+---------------------------------
+
+We need a mechanism to start the memcached process and secure it so
+that only IPA components can access it.
+
+Although memcached ships with both an initscript and systemd unit
+files those are for generic instances. We want a memcached instance
+dedicated exclusively to IPA usage. To accomplish this we would install
+a systemd unit file or an SysV initscript to control the IPA specific
+memcached service. ipactl would be extended to know about this
+additional service. systemd's cgroup facility would give us additional
+mechanisms to integrate the IPA memcached service within a larger IPA
+process group.
+
+Protecting the memcached data would be done via file permissions (and
+optionally SELinux policy) on the UNIX domain socket. Although recent
+implementations of memcached support authentication via SASL this
+introduces a performance and complexity burden not warranted when
+cached is dedicated to our exclusive use and access controlled by OS
+mechanisms.
+
+Conventionally daemons are protected by assigning a system uid and/or
+gid to the daemon. A daemon launched by root will drop it's privileges
+by assuming the effective uid:gid assigned to it. File system access
+is controlled by the OS via the effective identity and SELinux policy
+can be crafted based on the identity. Thus the memcached UNIX socket
+would be protected by having it owned by a specific system user and/or
+membership in a restricted system group (discounting for the moment
+SELinux).
+
+Unfortunately we currently do not have an IPA system uid whose
+identity our processes operate under nor do we have an IPA system
+group. IPA does manage a collection of related processes (daemons) and
+historically each has been assigned their own uid. When these
+unrelated processes communicate they mutually authenticate via other
+mechanisms. We do not have much of a history of using shared file
+system objects across identities. When file objects are created they
+are typically assigned the identity of daemon needing to access the
+object and are not accessed by other daemons, or they carry root
+identity.
+
+When our WSGI application runs in Apache it is run as a WSGI
+daemon. This means when Apache starts up it forks off WSGI processes
+for us and we are independent of other Apache processes. When WSGI is
+run in this mode there is the ability to set the uid:gid of the WSGI
+process hosting us, however we currently do not take advantage of this
+option. WSGI can be run in other modes as well, only in daemon mode
+can the uid:gid be independently set from the rest of Apache. All
+processes started by Apache can be set to a common uid:gid specified
+in the global Apache configuration, by default it's
+apache:apache. Thus when our IPA code executes it is running as
+apache:apache.
+
+To protect our memcached UNIX socket we can do one of two things:
+
+1. Assign it's uid:gid as apache:apache. This would limit access to
+ our cache only to processes running under httpd. It's somewhat
+ restricted but far from ideal. Any code running in the web server
+ could potentially access our cache. It's difficult to control what the
+ web server runs and admins may not understand the consequences of
+ configuring httpd to serve other things besides IPA.
+
+2. Create an IPA specific uid:gid, for example ipa:ipa. We then configure
+ our WSGI application to run as the ipa:ipa user and group. We also
+ configure our memcached instance to run as the ipa:ipa user and
+ group. In this configuration we are now fully protected, only our WSGI
+ code can read & write to our memcached UNIX socket.
+
+However there may be unforeseen issues by converting our code to run as
+something other than apache:apache. This would require some
+investigation and testing.
+
+IPA is dependent on other system daemons, specifically Directory
+Server (ds) and Certificate Server (cs). Currently we configure ds to
+run under the dirsrv:dirsrv user and group, an identity of our
+creation. We allow cs to default to it's pkiuser:pkiuser user and
+group. Should these other cooperating daemons also run under the
+common ipa:ipa user and group identities? At first blush there would
+seem to be an advantage to coalescing all process identities under a
+common IPA user and group identity. However these other processes do
+not depend on user and group permissions when working with external
+agents, processes, etc. Rather they are designed to be stand-alone
+network services which authenticate their clients via other
+mechanisms. They do depend on user and group permission to manage
+their own file system objects. If somehow the ipa user and/or group
+were compromised or malicious code somehow executed under the ipa
+identity there would be an advantage in having the cooperating
+processes cordoned off under their own identities providing one extra
+layer of protection. (Note, these cooperating daemons may not even be
+co-located on the same node in which case the issue is moot)
+
+The UNIX socket behavior (ldapi) with Directory Server is as follows:
+
+ * The socket ownership is: root:root
+
+ * The socket permissions are: 0666
+
+ * When connecting via ldapi you must authenticate as you would
+ normally with a TCP socket, except ...
+
+ * If autobind is enabled and the uid:gid is available via
+ SO_PEERCRED and the uid:gid can be found in the set of users known
+ to the Directory Server then that connection will be bound as that
+ user.
+
+ * Otherwise an anonymous bind will occur.
+
+memcached UNIX socket behavior is as follows:
+
+ * memcached can be invoked with a user argument, no group may be
+ specified. The effective uid is the uid of the user argument and
+ the effective gid is the primary group of the user, let's call
+ this euid:egid
+
+ * The socket ownership is: euid:egid
+
+ * The socket permissions are 0700 by default, but this can be
+ modified by the -a mask command line arg which sets the umask
+ (defaults to 0700).
+
+Overview of authentication in IPA
+=================================
+
+This describes how we currently authenticate and how we plan to
+improve authentication performance. First some definitions.
+
+There are 4 major players:
+
+ 1. client
+ 2. mod_auth_kerb (in Apache process)
+ 3. wsgi handler (in IPA wsgi python process)
+ 4. ds (directory server)
+
+There are several resources:
+
+ 1. /ipa/ui (unprotected, web UI static resources)
+ 2. /ipa/xml (protected, xmlrpc RPC used by command line clients)
+ 3. /ipa/json (protected, json RPC used by javascript in web UI)
+ 4. ds (protected, wsgi acts as proxy, our LDAP server)
+
+Current Model
+-------------
+
+This describes how things work in our current system for the web UI.
+
+ 1. Client requests /ipa/ui, this is unprotected, is static and
+ contains no sensitive information. Apache replies with html and
+ javascript. The javascript requests /ipa/json.
+
+ 2. Client sends post to /ipa/json.
+
+ 3. mod_auth_kerb is configured to protect /ipa/json, replies 401
+ authenticate negotiate.
+
+ 4. Client resends with credentials
+
+ 5. mod_auth_kerb validates credentials
+
+ a. if invalid replies 403 access denied (stops here)
+
+ b. if valid creates temporary ccache, adds KRB5CCNAME to request
+ headers
+
+ 6. Request passed to wsgi handler
+
+ a. validates request, KRB5CCNAME must be present, referrer, etc.
+
+ b. ccache saved and used to bind to ds
+
+ c. routes to specified RPC handler.
+
+ 7. wsgi handler replies to client
+
+Proposed new session based optimization
+---------------------------------------
+
+The round trip negotiate and credential validation in steps 3,4,5 is
+expensive. This can be avoided if we can cache the client
+credentials. With client sessions we can store the client credentials
+in the session bound to the client.
+
+A few notes about the session implementation.
+
+ * based on session cookies, cookies must be enabled
+
+ * session cookie is secure, only passed on secure connections, only
+ passed to our URL resource, never visible to client javascript
+ etc.
+
+ * session cookie has a session id which is used by wsgi handler to
+ retrieve client session data from shared multi-process cache.
+
+Changes to Apache's resource protection
+---------------------------------------
+
+ * /ipa/json is no longer protected by mod_auth_kerb. This is
+ necessary to avoid the negotiate expense in steps 3,4,5
+ above. Instead the /ipa/json resource will be protected in our wsgi
+ handler via the session cookie.
+
+ * A new protected URI is introduced, /ipa/login. This resource
+ does no serve any data, it is used exclusively for authentication.
+
+The new sequence is:
+
+ 1. Client requests /ipa/ui, this is unprotected. Apache replies with
+ html and javascript. The javascript requests /ipa/json.
+
+ 2. Client sends post to /ipa/json, which is unprotected.
+
+ 3. wsgi handler obtains session data from session cookie.
+
+ a. if ccache is present in session data and is valid
+
+ - request is further validated
+
+ - ccache is established for bind to ds
+
+ - request is routed to RPC handler
+
+ - wsgi handler eventually replies to client
+
+ b. if ccache is not present or not valid processing continues ...
+
+ 4. wsgi handler replies with 401 Unauthorized
+
+ 5. client sends request to /ipa/login to obtain session credentials
+
+ 6. mod_auth_kerb replies 401 negotiate on /ipa/login
+
+ 7. client sends credentials to /ipa/login
+
+ 8. mod_auth_kerb validates credentials
+
+ a. if valid
+
+ - mod_auth_kerb permits access to /ipa/login. wsgi handler is
+ invoked and does the following:
+
+ * establishes session for client
+
+ * retrieves the ccache from KRB5CCNAME and stores it
+
+ a. if invalid
+
+ - mod_auth_kerb sends 403 access denied (processing stops)
+
+ 9. client now posts the same data again to /ipa/json including
+ session cookie. Processing repeats starting at step 2 and since
+ the session data now contains a valid ccache step 3a executes, a
+ successful reply is sent to client.
+
+Command line client using xmlrpc
+--------------------------------
+
+The above describes the web UI utilizing the json RPC mechanism. The
+IPA command line tools utilize a xmlrpc RPC mechanism on the same
+HTTP server. Access to the xmlrpc is via the /ipa/xml URI. The json
+and xmlrpc API's are the same, they differ only on how their procedure
+calls are marshalled and unmarshalled.
+
+Under the new scheme /ipa/xml will continue to be Kerberos protected
+at all times. Apache's mod_auth_kerb will continue to require the
+client provides valid Kerberos credentials.
+
+When the WSGI handler routes to /ipa/xml the Kerberos credentials will
+be extracted from the KRB5CCNAME environment variable as provided by
+mod_auth_kerb. Everything else remains the same.
+""")
+
+register = Registry()
+
+
+@register()
+class session_logout(Command):
+ __doc__ = _("RPC command used to log the current user out of their session.")
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
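Review bot: The module docstring specifies session IDs as "48 bits of random data" (section "Issues and details"), which is a small search space for a value that, per "Changes to Apache's resource protection", becomes the only credential guarding /ipa/json and maps to a cached Kerberos ccache. The text should either describe a longer identifier from a cryptographically secure source, e.g. `Session IDs are generated from at least 128 bits of output from a cryptographically secure random source.`, or name the compensating controls (expiry, rate limiting) that make 48 bits acceptable. The same section praises pickling of cache entries without saying that unpickling makes write access to the memcached socket equivalent to code execution in the WSGI process. That deserves one sentence next to the apache:apache versus ipa:ipa socket-ownership discussion, since option 1 there admits "any code running in the web server" to the cache. This hunk only adds the client stub for `session_logout`, so whether the server implementation matches the description cannot be confirmed from here. If the stub is generated, the wording change belongs in the server-side plugin it was copied from.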
diff --git a/ipaclient/remote_plugins/2_114/sudocmd.py b/ipaclient/remote_plugins/2_114/sudocmd.py
new file mode 100644
index 000000000..871535f25
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/sudocmd.py
@@ -0,0 +1,394 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Sudo Commands
+
+Commands used as building blocks for sudo
+
+EXAMPLES:
+
+ Create a new command
+ ipa sudocmd-add --desc='For reading log files' /usr/bin/less
+
+ Remove a command
+ ipa sudocmd-del /usr/bin/less
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmd(Object):
+ takes_params = (
+ parameters.Str(
+ 'sudocmd',
+ primary_key=True,
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'memberof_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ )
+
+
+@register()
+class sudocmd_add(Method):
+ __doc__ = _("Create new Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_del(Method):
+ __doc__ = _("Delete Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ multivalue=True,
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class sudocmd_find(Method):
+ __doc__ = _("Search for Sudo Commands.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("command")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudocmd_mod(Method):
+ __doc__ = _("Modify Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_show(Method):
+ __doc__ = _("Display Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
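Review bot: The EXAMPLES block in the module docstring registers `/usr/bin/less` as a sudo command with the description "For reading log files". A pager is a poor model for a sudo grant, because interactive pagers and editors can start other programs, so a rule built on this entry grants more than read access to logs. Either use a non-interactive command in the example or add a caveat to the docstring such as `Interactive programs (pagers, editors) can spawn a shell; pair them with the sudoers noexec option or do not grant them.` The sudocmdgroup.py docstring later in this diff repeats the pattern with /usr/bin/less and /usr/bin/vim and should get the same treatment.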
diff --git a/ipaclient/remote_plugins/2_114/sudocmdgroup.py b/ipaclient/remote_plugins/2_114/sudocmdgroup.py
new file mode 100644
index 000000000..25fc8b11d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/sudocmdgroup.py
@@ -0,0 +1,540 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of Sudo Commands
+
+Manage groups of Sudo Commands.
+
+EXAMPLES:
+
+ Add a new Sudo Command Group:
+ ipa sudocmdgroup-add --desc='administrators commands' admincmds
+
+ Remove a Sudo Command Group:
+ ipa sudocmdgroup-del admincmds
+
+ Manage Sudo Command Group membership, commands:
+ ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less --sudocmds=/usr/bin/vim admincmds
+
+ Manage Sudo Command Group membership, commands:
+ ipa group-remove-member --sudocmds=/usr/bin/less admincmds
+
+ Show a Sudo Command Group:
+ ipa group-show localadmins
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmdgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Sudo Command Group'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'membercmd_sudocmd',
+ required=False,
+ label=_(u'Commands'),
+ ),
+ parameters.Str(
+ 'membercmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ parameters.Str(
+ 'member_sudocmd',
+ required=False,
+ label=_(u'Member Sudo commands'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_add(Method):
+ __doc__ = _("Create new Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_add_member(Method):
+ __doc__ = _("Add members to Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_del(Method):
+ __doc__ = _("Delete Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_find(Method):
+ __doc__ = _("Search for Sudo Command Groups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("sudocmdgroup-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_mod(Method):
+ __doc__ = _("Modify Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_remove_member(Method):
+ __doc__ = _("Remove members from Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_show(Method):
+ __doc__ = _("Display Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
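Review bot: The last two examples in the module docstring of sudocmdgroup.py name user-group commands rather than sudo command group ones: `ipa group-remove-member --sudocmds=/usr/bin/less admincmds` and `ipa group-show localadmins`. The removal example also repeats the heading "Manage Sudo Command Group membership, commands:" from the add example. Since this text is the help an administrator sees, following it would not remove the command from the sudo command group, so the command stays grantable through any rule that references the group. The examples should use the methods this file registers, `ipa sudocmdgroup-remove-member --sudocmds=/usr/bin/less admincmds` and `ipa sudocmdgroup-show admincmds`. If this module is generated from the server-side plugin text (the page does not say), the wording should be corrected there as well.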
diff --git a/ipaclient/remote_plugins/2_114/sudorule.py b/ipaclient/remote_plugins/2_114/sudorule.py
new file mode 100644
index 000000000..808720e42
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/sudorule.py
@@ -0,0 +1,1774 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Sudo Rules
+
+Sudo (su "do") allows a system administrator to delegate authority to
+give certain users (or groups of users) the ability to run some (or all)
+commands as root or another user while providing an audit trail of the
+commands and their arguments.
+
+FreeIPA provides a means to configure the various aspects of Sudo:
+ Users: The user(s)/group(s) allowed to invoke Sudo.
+ Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo.
+ Allow Command: The specific command(s) permitted to be run via Sudo.
+ Deny Command: The specific command(s) prohibited to be run via Sudo.
+ RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with.
+ RunAsGroup: The group(s) whose gid rights Sudo will be invoked with.
+ Options: The various Sudoers Options that can modify Sudo's behavior.
+
+An order can be added to a sudorule to control the order in which they
+are evaluated (if the client supports it). This order is an integer and
+must be unique.
+
+FreeIPA provides a designated binddn to use with Sudo located at:
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+To enable the binddn run the following command to set the password:
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+EXAMPLES:
+
+ Create a new rule:
+ ipa sudorule-add readfiles
+
+ Add sudo command object and add it as allowed command in the rule:
+ ipa sudocmd-add /usr/bin/less
+ ipa sudorule-add-allow-command readfiles --sudocmds /usr/bin/less
+
+ Add a host to the rule:
+ ipa sudorule-add-host readfiles --hosts server.example.com
+
+ Add a user to the rule:
+ ipa sudorule-add-user readfiles --users jsmith
+
+ Add a special Sudo rule for default Sudo server configuration:
+ ipa sudorule-add defaults
+
+ Set a default Sudo option:
+ ipa sudorule-add-option defaults --sudooption '!authenticate'
+""")
+
+register = Registry()
+
+
+@register()
+class sudorule(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ parameters.Str(
+ 'hostmask',
+ multivalue=True,
+ label=_(u'Host Masks'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ parameters.Str(
+ 'memberallowcmd_sudocmd',
+ required=False,
+ label=_(u'Sudo Allow Commands'),
+ ),
+ parameters.Str(
+ 'memberdenycmd_sudocmd',
+ required=False,
+ label=_(u'Sudo Deny Commands'),
+ ),
+ parameters.Str(
+ 'memberallowcmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Allow Command Groups'),
+ ),
+ parameters.Str(
+ 'memberdenycmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Deny Command Groups'),
+ ),
+ parameters.Str(
+ 'ipasudorunas_user',
+ required=False,
+ label=_(u'RunAs Users'),
+ doc=_(u'Run as a user'),
+ ),
+ parameters.Str(
+ 'ipasudorunas_group',
+ required=False,
+ label=_(u'Groups of RunAs Users'),
+ doc=_(u'Run as any user within a specified group'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextusergroup',
+ required=False,
+ label=_(u'External Groups of RunAs Users'),
+ doc=_(u'External Groups of users that the command can run as'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroup_group',
+ required=False,
+ label=_(u'RunAs Groups'),
+ doc=_(u'Run with the gid of a specified POSIX group'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudoopt',
+ required=False,
+ label=_(u'Sudo Option'),
+ ),
+ )
+
+
+@register()
+class sudorule_add(Method):
+ __doc__ = _("Create new Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_add_allow_command(Method):
+ __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_deny_command(Method):
+ __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_host(Method):
+ __doc__ = _("Add hosts and hostgroups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostmask',
+ required=False,
+ multivalue=True,
+ label=_(u'host masks of allowed hosts'),
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_option(Method):
+ __doc__ = _("Add an option to the Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipasudoopt',
+ cli_name='sudooption',
+ label=_(u'Sudo Option'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_add_runasgroup(Method):
+ __doc__ = _("Add group for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_runasuser(Method):
+ __doc__ = _("Add users and groups for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_user(Method):
+ __doc__ = _("Add users and groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_del(Method):
+ __doc__ = _("Delete Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class sudorule_disable(Method):
+ __doc__ = _("Disable a Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sudorule_enable(Method):
+ __doc__ = _("Enable a Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sudorule_find(Method):
+ __doc__ = _("Search for Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("sudorule-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudorule_mod(Method):
+ __doc__ = _("Modify Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_allow_command(Method):
+ __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_deny_command(Method):
+ __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_host(Method):
+ __doc__ = _("Remove hosts and hostgroups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostmask',
+ required=False,
+ multivalue=True,
+ label=_(u'host masks of allowed hosts'),
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_option(Method):
+ __doc__ = _("Remove an option from Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipasudoopt',
+ cli_name='sudooption',
+ label=_(u'Sudo Option'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_runasgroup(Method):
+ __doc__ = _("Remove group for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_runasuser(Method):
+ __doc__ = _("Remove users and groups for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_user(Method):
+ __doc__ = _("Remove users and groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_show(Method):
+ __doc__ = _("Display Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/trust.py b/ipaclient/remote_plugins/2_114/trust.py
new file mode 100644
index 000000000..1976f4a25
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/trust.py
@@ -0,0 +1,1250 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Cross-realm trusts
+
+Manage trust relationship between IPA and Active Directory domains.
+
+In order to allow users from a remote domain to access resources in IPA
+domain, trust relationship needs to be established. Currently IPA supports
+only trusts between IPA and Active Directory domains under control of Windows
+Server 2008 or later, with functional level 2008 or later.
+
+Please note that DNS on both IPA and Active Directory domain sides should be
+configured properly to discover each other. Trust relationship relies on
+ability to discover special resources in the other domain via DNS records.
+
+Examples:
+
+1. Establish cross-realm trust with Active Directory using AD administrator
+ credentials:
+
+ ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password
+
+2. List all existing trust relationships:
+
+ ipa trust-find
+
+3. Show details of the specific trust relationship:
+
+ ipa trust-show <ad.domain>
+
+4. Delete existing trust relationship:
+
+ ipa trust-del <ad.domain>
+
+Once trust relationship is established, remote users will need to be mapped
+to local POSIX groups in order to actually use IPA resources. The mapping should
+be done via use of external membership of non-POSIX group and then this group
+should be included into one of local POSIX groups.
+
+Example:
+
+1. Create group for the trusted domain admins' mapping and their local POSIX group:
+
+ ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
+ ipa group-add --desc='<ad.domain> admins' ad_admins
+
+2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
+ group:
+
+ ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
+
+3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+
+ ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their SIDs:
+
+ ipa group-show ad_admins_external
+
+
+GLOBAL TRUST CONFIGURATION
+
+When IPA AD trust subpackage is installed and ipa-adtrust-install is run,
+a local domain configuration (SID, GUID, NetBIOS name) is generated. These
+identifiers are then used when communicating with a trusted domain of the
+particular type.
+
+1. Show global trust configuration for Active Directory type of trusts:
+
+ ipa trustconfig-show --type ad
+
+2. Modify global configuration for all trusts of Active Directory type and set
+ a different fallback primary group (fallback primary group GID is used as
+ a primary user GID if user authenticating to IPA domain does not have any other
+ primary GID already set):
+
+ ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group"
+
+3. Change primary fallback group back to default hidden group (any group with
+ posixGroup object class is allowed):
+
+ ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group"
+""")
+
+register = Registry()
+
+
+@register()
+class trust(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ label=_(u'SID blacklist outgoing'),
+ ),
+ )
+
+
+@register()
+class trustconfig(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ label=_(u'Domain'),
+ ),
+ parameters.Str(
+ 'ipantsecurityidentifier',
+ label=_(u'Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ label=_(u'NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipantdomainguid',
+ label=_(u'Domain GUID'),
+ ),
+ parameters.Str(
+ 'ipantfallbackprimarygroup',
+ label=_(u'Fallback primary group'),
+ ),
+ )
+
+
+@register()
+class trustdomain(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Domain name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ ),
+ )
+
+
+@register()
+class adtrust_is_enabled(Command):
+ __doc__ = _("Determine whether ipa-adtrust-install has been run on this system")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class compat_is_enabled(Command):
+ __doc__ = _("Determine whether Schema Compatibility plugin is configured to serve trusted domain users and groups")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sidgen_was_run(Command):
+ __doc__ = _("Determine whether ipa-adtrust-install has been run with sidgen task")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class trust_add(Method):
+ __doc__ = _("""
+Add new trust to use.
+
+This command establishes trust relationship to another domain
+which becomes 'trusted'. As result, users of the trusted domain
+may access resources of this domain.
+
+Only trusts to Active Directory domains are supported right now.
+
+The command can be safely run multiple times against the same domain,
+this will cause change to trust relationship credentials on both
+sides.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'realm_admin',
+ required=False,
+ cli_name='admin',
+ label=_(u'Active Directory domain administrator'),
+ ),
+ parameters.Password(
+ 'realm_passwd',
+ required=False,
+ cli_name='password',
+ label=_(u"Active Directory domain administrator's password"),
+ ),
+ parameters.Str(
+ 'realm_server',
+ required=False,
+ cli_name='server',
+ label=_(u'Domain controller for the Active Directory domain (optional)'),
+ ),
+ parameters.Password(
+ 'trust_secret',
+ required=False,
+ label=_(u'Shared secret for the trust'),
+ ),
+ parameters.Int(
+ 'base_id',
+ required=False,
+ label=_(u'First Posix ID of the range reserved for the trusted domain'),
+ ),
+ parameters.Int(
+ 'range_size',
+ required=False,
+ label=_(u'Size of the ID range reserved for the trusted domain'),
+ ),
+ parameters.Str(
+ 'range_type',
+ required=False,
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust']",
+ label=_(u'Range type'),
+ doc=_(u'Type of trusted domain ID range, one of ipa-ad-trust-posix, ipa-ad-trust'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trust_del(Method):
+ __doc__ = _("Delete a trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class trust_fetch_domains(Method):
+ __doc__ = _("Refresh list of the domains associated with the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class trust_find(Method):
+ __doc__ = _("Search for trusts.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_incoming',
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_outgoing',
+ label=_(u'SID blacklist outgoing'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("realm")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class trust_mod(Method):
+ __doc__ = _("""
+Modify a trust (for future use).
+
+ Currently only the default option to modify the LDAP attributes is
+ available. More specific options will be added in coming releases.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_incoming',
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_outgoing',
+ label=_(u'SID blacklist outgoing'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trust_resolve(Command):
+ __doc__ = _("Resolve security identifiers of users and groups in trusted domains")
+
+ NO_CLI = True
+
+ takes_options = (
+ parameters.Str(
+ 'sids',
+ multivalue=True,
+ label=_(u'Security Identifiers (SIDs)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.ListOfEntries(
+ 'result',
+ ),
+ )
+
+
+@register()
+class trust_show(Method):
+ __doc__ = _("Display information about a trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustconfig_mod(Method):
+ __doc__ = _("Modify global trust configuration.")
+
+ takes_options = (
+ parameters.Str(
+ 'ipantfallbackprimarygroup',
+ required=False,
+ cli_name='fallback_primary_group',
+ label=_(u'Fallback primary group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustconfig_show(Method):
+ __doc__ = _("Show global trust configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_add(Method):
+ __doc__ = _("Allow access from the trusted domain")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_del(Method):
+ __doc__ = _("Remove infromation about the domain associated with the trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class trustdomain_disable(Method):
+ __doc__ = _("Disable use of IPA resources by the domain of the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_enable(Method):
+ __doc__ = _("Allow use of IPA resources by the domain of the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_find(Method):
+ __doc__ = _("Search domains of the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("domain")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class trustdomain_mod(Method):
+ __doc__ = _("Modify trustdomain of the trust")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/user.py b/ipaclient/remote_plugins/2_114/user.py
new file mode 100644
index 000000000..c1751cd8d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/user.py
@@ -0,0 +1,1623 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Users
+
+Manage user entries. All users are POSIX users.
+
+IPA supports a wide range of username formats, but you need to be aware of any
+restrictions that may apply to your particular environment. For example,
+usernames that start with a digit or usernames that exceed a certain length
+may cause problems for some UNIX systems.
+Use 'ipa config-mod' to change the username format allowed by IPA tools.
+
+Disabling a user account prevents that user from obtaining new Kerberos
+credentials. It does not invalidate any credentials that have already
+been issued.
+
+Password management is not a part of this module. For more information
+about this topic please see: ipa help passwd
+
+Account lockout on password failure happens per IPA master. The user-status
+command can be used to identify which master the user is locked out on.
+It is on that master the administrator must unlock the user.
+
+EXAMPLES:
+
+ Add a new user:
+ ipa user-add --first=Tim --last=User --password tuser1
+
+ Find all users whose entries include the string "Tim":
+ ipa user-find Tim
+
+ Find all users with "Tim" as the first name:
+ ipa user-find --first=Tim
+
+ Disable a user account:
+ ipa user-disable tuser1
+
+ Enable a user account:
+ ipa user-enable tuser1
+
+ Delete a user:
+ ipa user-del tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class user(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ primary_key=True,
+ label=_(u'User login'),
+ ),
+ parameters.Str(
+ 'givenname',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ label=_(u'Kerberos principal'),
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ ),
+ parameters.Str(
+ 'randompassword',
+ required=False,
+ label=_(u'Random password'),
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Flag(
+ 'has_password',
+ label=_(u'Password'),
+ ),
+ parameters.Str(
+ 'memberof_group',
+ required=False,
+ label=_(u'Member of groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_group',
+ required=False,
+ label=_(u'Indirect Member of group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Kerberos keys available'),
+ ),
+ )
+
+
+@register()
+class user_add(Method):
+ __doc__ = _("Add a new user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'),
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'noprivate',
+ doc=_(u"Don't create user private group"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_del(Method):
+ __doc__ = _("Delete a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ multivalue=True,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class user_disable(Method):
+ __doc__ = _("Disable a user account.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_enable(Method):
+ __doc__ = _("Enable a user account.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_find(Method):
+ __doc__ = _("Search for users.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'),
+ no_convert=True,
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'whoami',
+ label=_(u'Self'),
+ doc=_(u'Display user record for current Kerberos principal'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("login")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'in_group',
+ required=False,
+ multivalue=True,
+ cli_name='in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for users with these member of groups.'),
+ ),
+ parameters.Str(
+ 'not_in_group',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for users without these member of groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for users with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for users without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for users with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for users without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for users with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for users without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for users with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for users without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class user_mod(Method):
+ __doc__ = _("Modify a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the user object'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_show(Method):
+ __doc__ = _("Display information about a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_status(Method):
+ __doc__ = _("""
+Lockout status of a user account
+
+ An account may become locked if the password is entered incorrectly too
+ many times within a specific time period as controlled by password
+ policy. A locked account is a temporary condition and may be unlocked by
+ an administrator.
+
+ This connects to each IPA master and displays the lockout status on
+ each one.
+
+ To determine whether an account is locked on a given server you need
+ to compare the number of failed logins and the time of the last failure.
+ For an account to be locked it must exceed the maxfail failures within
+ the failinterval duration as specified in the password policy associated
+ with the user.
+
+ The failed login counter is modified only when a user attempts a log in
+ so it is possible that an account may appear locked but the last failed
+ login attempt is older than the lockouttime of the password policy. This
+ means that the user may attempt a login again.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class user_unlock(Method):
+ __doc__ = _("""
+Unlock a user account
+
+ An account may become locked if the password is entered incorrectly too
+ many times within a specific time period as controlled by password
+ policy. A locked account is a temporary condition and may be unlocked by
+ an administrator.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/__init__.py b/ipaclient/remote_plugins/2_156/__init__.py
new file mode 100644
index 000000000..978635202
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/__init__.py
@@ -0,0 +1,15 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+from ..compat import CompatCommand, CompatMethod, CompatObject
+
+Object = CompatObject
+
+
+class Command(CompatCommand):
+ api_version = u'2.156'
+
+
+class Method(Command, CompatMethod):
+ pass
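Review bot: `Command.api_version` is hard-coded to `u'2.156'` while the package directory is named `2_156`, and nothing in this new file states that the two must agree or what the value is used for. I would add a class docstring such as `"""Base class for the plugins in this package; api_version must match the package directory name (2_156)."""`. `Method` could get a one-line docstring saying that it only combines `Command` with `CompatMethod` and adds no behaviour of its own. The diffstat lists a `2_114/__init__.py` of the same length, which presumably has the same shape, so the same comment would apply there.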
diff --git a/ipaclient/remote_plugins/2_156/aci.py b/ipaclient/remote_plugins/2_156/aci.py
new file mode 100644
index 000000000..316abeb46
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/aci.py
@@ -0,0 +1,812 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Directory Server Access Control Instructions (ACIs)
+
+ACIs are used to allow or deny access to information. This module is
+currently designed to allow, not deny, access.
+
+The aci commands are designed to grant permissions that allow updating
+existing entries or adding or deleting new ones. The goal of the ACIs
+that ship with IPA is to provide a set of low-level permissions that
+grant access to special groups called taskgroups. These low-level
+permissions can be combined into roles that grant broader access. These
+roles are another type of group, roles.
+
+For example, if you have taskgroups that allow adding and modifying users you
+could create a role, useradmin. You would assign users to the useradmin
+role to allow them to do the operations defined by the taskgroups.
+
+You can create ACIs that delegate permission so users in group A can write
+attributes on group B.
+
+The type option is a map that applies to all entries in the users, groups or
+host location. It is primarily designed to be used when granting add
+permissions (to write new entries).
+
+An ACI consists of three parts:
+1. target
+2. permissions
+3. bind rules
+
+The target is a set of rules that define which LDAP objects are being
+targeted. This can include a list of attributes, an area of that LDAP
+tree or an LDAP filter.
+
+The targets include:
+- attrs: list of attributes affected
+- type: an object type (user, group, host, service, etc)
+- memberof: members of a group
+- targetgroup: grant access to modify a specific group. This is primarily
+ designed to enable users to add or remove members of a specific group.
+- filter: A legal LDAP filter used to narrow the scope of the target.
+- subtree: Used to apply a rule across an entire set of objects. For example,
+ to allow adding users you need to grant "add" permission to the subtree
+ ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option
+ is a fail-safe for objects that may not be covered by the type option.
+
+The permissions define what the ACI is allowed to do, and are one or
+more of:
+1. write - write one or more attributes
+2. read - read one or more attributes
+3. add - add a new entry to the tree
+4. delete - delete an existing entry
+5. all - all permissions are granted
+
+Note the distinction between attributes and entries. The permissions are
+independent, so being able to add a user does not mean that the user will
+be editable.
+
+The bind rule defines who this ACI grants permissions to. The LDAP server
+allows this to be any valid LDAP entry but we encourage the use of
+taskgroups so that the rights can be easily shared through roles.
+
+For a more thorough description of access controls see
+http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html
+
+EXAMPLES:
+
+NOTE: ACIs are now added via the permission plugin. These examples are to
+demonstrate how the various options work but this is done via the permission
+command-line now (see last example).
+
+ Add an ACI so that the group "secretaries" can update the address on any user:
+ ipa group-add --desc="Office secretaries" secretaries
+ ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses"
+
+ Show the new ACI:
+ ipa aci-show --prefix=none "Secretaries write addresses"
+
+ Add an ACI that allows members of the "addusers" permission to add new users:
+ ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users"
+
+ Add an ACI that allows members of the editors manage members of the admins group:
+ ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins"
+
+ Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group:
+ ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street --attrs=postalcode --prefix=none "admins edit the address of editors"
+
+ Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss:
+ ipa aci-add --permissions=write --group=admins --attrs=street --attrs=postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss"
+
+ Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
+ ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
+
+
+The show command shows the raw 389-ds ACI.
+
+IMPORTANT: When modifying the target attributes of an existing ACI you
+must include all existing attributes as well. When doing an aci-mod the
+targetattr REPLACES the current attributes, it does not add to them.
+""")
+
+register = Registry()
+
+
+@register()
+class aci(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'ACI name'),
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ ),
+ )
+
+
+@register()
+class aci_add(Method):
+ __doc__ = _("Create new ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'test',
+ required=False,
+ doc=_(u"Test the ACI syntax but don't write anything"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_del(Method):
+ __doc__ = _("Delete ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_find(Method):
+ __doc__ = _("""
+Search for ACIs.
+
+ Returns a list of ACIs
+
+ EXAMPLES:
+
+ To find all ACIs that apply directly to members of the group ipausers:
+ ipa aci-find --memberof=ipausers
+
+ To find all ACIs that grant add access:
+ ipa aci-find --permissions=add
+
+ Note that the find command only looks for the given text in the set of
+ ACIs, it does not evaluate the ACIs to see if something would apply.
+ For example, searching on memberof=ipausers will find all ACIs that
+ have ipausers as a memberof. There may be other ACIs that apply to
+ members of that group indirectly.
+ """)
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Bool(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ required=False,
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class aci_mod(Method):
+ __doc__ = _("Modify ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_rename(Method):
+ __doc__ = _("Rename an ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Str(
+ 'newname',
+ doc=_(u'New ACI name'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_show(Method):
+ __doc__ = _("Display a single ACI given an ACI name.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.DNParam(
+ 'location',
+ required=False,
+ label=_(u'Location of the ACI'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/automember.py b/ipaclient/remote_plugins/2_156/automember.py
new file mode 100644
index 000000000..09b5a8d01
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/automember.py
@@ -0,0 +1,827 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Auto Membership Rule.
+
+Bring clarity to the membership of hosts and users by configuring inclusive
+or exclusive regex patterns, you can automatically assign a new entries into
+a group or hostgroup based upon attribute information.
+
+A rule is directly associated with a group by name, so you cannot create
+a rule without an accompanying group or hostgroup.
+
+A condition is a regular expression used by 389-ds to match a new incoming
+entry with an automember rule. If it matches an inclusive rule then the
+entry is added to the appropriate group or hostgroup.
+
+A default group or hostgroup could be specified for entries that do not
+match any rule. In case of user entries this group will be a fallback group
+because all users are by default members of group specified in IPA config.
+
+The automember-rebuild command can be used to retroactively run automember rules
+against existing entries, thus rebuilding their membership.
+
+EXAMPLES:
+
+ Add the initial group or hostgroup:
+ ipa hostgroup-add --desc="Web Servers" webservers
+ ipa group-add --desc="Developers" devel
+
+ Add the initial rule:
+ ipa automember-add --type=hostgroup webservers
+ ipa automember-add --type=group devel
+
+ Add a condition to the rule:
+ ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
+ ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel
+
+ Add an exclusive condition to the rule to prevent auto assignment:
+ ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
+
+ Add a host:
+ ipa host-add web1.example.com
+
+ Add a user:
+ ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott
+
+ Verify automembership:
+ ipa hostgroup-show webservers
+ Host-group: webservers
+ Description: Web Servers
+ Member hosts: web1.example.com
+
+ ipa group-show devel
+ Group name: devel
+ Description: Developers
+ GID: 1004200000
+ Member users: tuser
+
+ Remove a condition from the rule:
+ ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
+
+ Modify the automember rule:
+ ipa automember-mod
+
+ Set the default (fallback) target group:
+ ipa automember-default-group-set --default-group=webservers --type=hostgroup
+ ipa automember-default-group-set --default-group=ipausers --type=group
+
+ Remove the default (fallback) target group:
+ ipa automember-default-group-remove --type=hostgroup
+ ipa automember-default-group-remove --type=group
+
+ Show the default (fallback) target group:
+ ipa automember-default-group-show --type=hostgroup
+ ipa automember-default-group-show --type=group
+
+ Find all of the automember rules:
+ ipa automember-find
+
+ Display a automember rule:
+ ipa automember-show --type=hostgroup webservers
+ ipa automember-show --type=group devel
+
+ Delete an automember rule:
+ ipa automember-del --type=hostgroup webservers
+ ipa automember-del --type=group devel
+
+ Rebuild membership for all users:
+ ipa automember-rebuild --type=group
+
+ Rebuild membership for all hosts:
+ ipa automember-rebuild --type=hostgroup
+
+ Rebuild membership for specified users:
+ ipa automember-rebuild --users=tuser1 --users=tuser2
+
+ Rebuild membership for specified hosts:
+ ipa automember-rebuild --hosts=web1.example.com --hosts=web2.example.com
+""")
+
+register = Registry()
+
+
+@register()
+class automember(Object):
+ takes_params = (
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberdefaultgroup',
+ required=False,
+ label=_(u'Default (fallback) Group'),
+ doc=_(u'Default group for entries to land'),
+ ),
+ )
+
+
+@register()
+class automember_add(Method):
+ __doc__ = _("Add an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_add_condition(Method):
+ __doc__ = _("Add conditions to an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberinclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='inclusive_regex',
+ label=_(u'Inclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'automemberexclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='exclusive_regex',
+ label=_(u'Exclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'key',
+ label=_(u'Attribute Key'),
+ doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Conditions that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of conditions added'),
+ ),
+ )
+
+
+@register()
+class automember_default_group_remove(Method):
+ __doc__ = _("Remove default (fallback) group for all unmatched entries.")
+
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_default_group_set(Method):
+ __doc__ = _("Set default (fallback) group for all unmatched entries.")
+
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberdefaultgroup',
+ cli_name='default_group',
+ label=_(u'Default (fallback) Group'),
+ doc=_(u'Default (fallback) group for entries to land'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_default_group_show(Method):
+ __doc__ = _("Display information about the default (fallback) automember groups.")
+
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_del(Method):
+ __doc__ = _("Delete an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automember_find(Method):
+ __doc__ = _("Search for automember rules.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automember_mod(Method):
+ __doc__ = _("Modify an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_rebuild(Command):
+ __doc__ = _("Rebuild auto membership.")
+
+ takes_options = (
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Rebuild membership for all members of a grouping'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Str(
+ 'users',
+ required=False,
+ multivalue=True,
+ label=_(u'Users'),
+ doc=_(u'Rebuild membership for specified users'),
+ ),
+ parameters.Str(
+ 'hosts',
+ required=False,
+ multivalue=True,
+ label=_(u'Hosts'),
+ doc=_(u'Rebuild membership for specified hosts'),
+ ),
+ parameters.Flag(
+ 'no_wait',
+ required=False,
+ label=_(u'No wait'),
+ doc=_(u"Don't wait for rebuilding membership"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_remove_condition(Method):
+ __doc__ = _("Remove conditions from an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberinclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='inclusive_regex',
+ label=_(u'Inclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'automemberexclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='exclusive_regex',
+ label=_(u'Exclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'key',
+ label=_(u'Attribute Key'),
+ doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Conditions that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of conditions removed'),
+ ),
+ )
+
+
+@register()
+class automember_show(Method):
+ __doc__ = _("Display information about an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
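Review bot: The condition examples in the module docstring anchor the pattern only at the start (`--inclusive-regex=^web[1-9]+\.example\.com`). If 389-ds evaluates these as searches rather than full matches, which the explicit leading `^` suggests, any fqdn that merely begins with that name, for example the constructed `web1.example.com.other.test`, would also be auto-assigned to `webservers`. Hostgroup and group membership may in turn drive HBAC or sudo rules, so the examples should show the closing anchor, e.g. `--inclusive-regex=^web[1-9]+\.example\.com$`. The same applies to the `--exclusive-regex` and `automember-remove-condition` lines. Separately, the docstring is a non-raw string containing `\.`, which Python 3 flags as an invalid escape sequence; `__doc__ = _(r"""` would keep the text byte-identical. This file looks like a per-version copy of the server plugin metadata, so both changes probably belong in the source it was produced from as well.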
diff --git a/ipaclient/remote_plugins/2_156/automount.py b/ipaclient/remote_plugins/2_156/automount.py
new file mode 100644
index 000000000..334cec034
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/automount.py
@@ -0,0 +1,1228 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Automount
+
+Stores automount(8) configuration for autofs(8) in IPA.
+
+The base of an automount configuration is the configuration file auto.master.
+This is also the base location in IPA. Multiple auto.master configurations
+can be stored in separate locations. A location is implementation-specific
+with the default being a location named 'default'. For example, you can have
+locations by geographic region, by floor, by type, etc.
+
+Automount has three basic object types: locations, maps and keys.
+
+A location defines a set of maps anchored in auto.master. This allows you
+to store multiple automount configurations. A location in itself isn't
+very interesting, it is just a point to start a new automount map.
+
+A map is roughly equivalent to a discrete automount file and provides
+storage for keys.
+
+A key is a mount point associated with a map.
+
+When a new location is created, two maps are automatically created for
+it: auto.master and auto.direct. auto.master is the root map for all
+automount maps for the location. auto.direct is the default map for
+direct mounts and is mounted on /-.
+
+An automount map may contain a submount key. This key defines a mount
+location within the map that references another map. This can be done
+either using automountmap-add-indirect --parentmap or manually
+with automountkey-add and setting info to "-type=autofs :<mapname>".
+
+EXAMPLES:
+
+Locations:
+
+ Create a named location, "Baltimore":
+ ipa automountlocation-add baltimore
+
+ Display the new location:
+ ipa automountlocation-show baltimore
+
+ Find available locations:
+ ipa automountlocation-find
+
+ Remove a named automount location:
+ ipa automountlocation-del baltimore
+
+ Show what the automount maps would look like if they were in the filesystem:
+ ipa automountlocation-tofiles baltimore
+
+ Import an existing configuration into a location:
+ ipa automountlocation-import baltimore /etc/auto.master
+
+ The import will fail if any duplicate entries are found. For
+ continuous operation where errors are ignored, use the --continue
+ option.
+
+Maps:
+
+ Create a new map, "auto.share":
+ ipa automountmap-add baltimore auto.share
+
+ Display the new map:
+ ipa automountmap-show baltimore auto.share
+
+ Find maps in the location baltimore:
+ ipa automountmap-find baltimore
+
+ Create an indirect map with auto.share as a submount:
+ ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man
+
+ This is equivalent to:
+
+ ipa automountmap-add-indirect baltimore --mount=/man auto.man
+ ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share"
+
+ Remove the auto.share map:
+ ipa automountmap-del baltimore auto.share
+
+Keys:
+
+ Create a new key for the auto.share map in location baltimore. This ties
+ the map we previously created to auto.master:
+ ipa automountkey-add baltimore auto.master --key=/share --info=auto.share
+
+ Create a new key for our auto.share map, an NFS mount for man pages:
+ ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man"
+
+ Find all keys for the auto.share map:
+ ipa automountkey-find baltimore auto.share
+
+ Find all direct automount keys:
+ ipa automountkey-find baltimore --key=/-
+
+ Remove the man key from the auto.share map:
+ ipa automountkey-del baltimore auto.share --key=man
+""")
+
+register = Registry()
+
+
+@register()
+class automountkey(Object):
+ takes_params = (
+ parameters.Str(
+ 'automountkey',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ primary_key=True,
+ label=_(u'description'),
+ exclude=('webui', 'cli'),
+ ),
+ )
+
+
+@register()
+class automountlocation(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+
+
+@register()
+class automountmap(Object):
+ takes_params = (
+ parameters.Str(
+ 'automountmapname',
+ primary_key=True,
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ )
+
+
+@register()
+class automountkey_add(Method):
+ __doc__ = _("Create a new automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountkey_del(Method):
+ __doc__ = _("Delete an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automountkey_find(Method):
+ __doc__ = _("Search for an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ required=False,
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountkey_mod(Method):
+ __doc__ = _("Modify an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'newautomountinformation',
+ required=False,
+ cli_name='newinfo',
+ label=_(u'New mount information'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the automount key object'),
+ exclude=('webui',),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountkey_show(Method):
+ __doc__ = _("Display an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_add(Method):
+ __doc__ = _("Create a new automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_del(Method):
+ __doc__ = _("Delete an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automountlocation_find(Method):
+ __doc__ = _("Search for an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("location")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountlocation_show(Method):
+ __doc__ = _("Display an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_tofiles(Method):
+ __doc__ = _("Generate automount files for a specific location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class automountmap_add(Method):
+ __doc__ = _("Create a new automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_add_indirect(Method):
+ __doc__ = _("Create a new indirect mount point.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'key',
+ cli_name='mount',
+ label=_(u'Mount point'),
+ ),
+ parameters.Str(
+ 'parentmap',
+ required=False,
+ label=_(u'Parent map'),
+ doc=_(u'Name of parent automount map (default: auto.master).'),
+ default=u'auto.master',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_del(Method):
+ __doc__ = _("Delete an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ multivalue=True,
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automountmap_find(Method):
+ __doc__ = _("Search for an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountmapname',
+ required=False,
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("map")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountmap_mod(Method):
+ __doc__ = _("Modify an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_show(Method):
+ __doc__ = _("Display an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/batch.py b/ipaclient/remote_plugins/2_156/batch.py
new file mode 100644
index 000000000..4a613b677
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/batch.py
@@ -0,0 +1,71 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugin to make multiple ipa calls via one remote procedure call
+
+To run this code in the lite-server
+
+curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json
+
+where the contents of the file batch_request.json follow the below example
+
+{"method":"batch","params":[[
+ {"method":"group_find","params":[[],{}]},
+ {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]},
+ {"method":"user_show","params":[["admin"],{"all":true}]}
+ ],{}],"id":1}
+
+The format of the response is nested the same way. At the top you will see
+ "error": null,
+ "id": 1,
+ "result": {
+ "count": 3,
+ "results": [
+
+
+And then a nested response for each IPA command method sent in the request
+""")
+
+register = Registry()
+
+
+@register()
+class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'methods',
+ required=False,
+ multivalue=True,
+ doc=_(u'Nested Methods to execute'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'count',
+ int,
+ ),
+ output.Output(
+ 'results',
+ (list, tuple),
+ ),
+ )
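Review bot: The curl example in the module docstring of batch.py passes `--cacert /etc/ipa/ca.crt` and `--negotiate -u :` but targets `http://localhost:8888/ipa/json`, so the CA file is never consulted and the SPNEGO token is sent over an unencrypted connection. That is acceptable for a lite-server on loopback, but the docstring does not say so, and the command is easy to copy with another host substituted. I would add a sentence after the example, such as `The lite-server speaks plain HTTP on localhost only; against a deployed server use an https:// URL so that --cacert is actually checked.` Separately, `methods` is declared as `parameters.Str(` with `multivalue=True` while the example sends a JSON object per nested call; if client-side validation applies to this argument, a type that accepts arbitrary values looks more accurate, which is worth confirming. If this file is generated from the server's API description, both changes belong in the generator's input rather than in this file.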
diff --git a/ipaclient/remote_plugins/2_156/caacl.py b/ipaclient/remote_plugins/2_156/caacl.py
new file mode 100644
index 000000000..09cfc4b65
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/caacl.py
@@ -0,0 +1,1155 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Manage CA ACL rules.
+
+This plugin is used to define rules governing which principals are
+permitted to have certificates issued using a given certificate
+profile.
+
+PROFILE ID SYNTAX:
+
+A Profile ID is a string without spaces or punctuation starting with a letter
+and followed by a sequence of letters, digits or underscore ("_").
+
+EXAMPLES:
+
+ Create a CA ACL "test" that grants all users access to the
+ "UserCert" profile:
+ ipa caacl-add test --usercat=all
+ ipa caacl-add-profile test --certprofiles UserCert
+
+ Display the properties of a named CA ACL:
+ ipa caacl-show test
+
+ Create a CA ACL to let user "alice" use the "DNP3" profile:
+ ipa caacl-add-profile alice_dnp3 --certprofiles DNP3
+ ipa caacl-add-user alice_dnp3 --user=alice
+
+ Disable a CA ACL:
+ ipa caacl-disable test
+
+ Remove a CA ACL:
+ ipa caacl-del test
+""")
+
+register = Registry()
+
+
+@register()
+class caacl(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'ACL name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'ipacertprofilecategory',
+ required=False,
+ label=_(u'Profile category'),
+ doc=_(u'Profile category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ label=_(u'Service category'),
+ doc=_(u'Service category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'ipamembercertprofile_certprofile',
+ required=False,
+ label=_(u'Profiles'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ parameters.Str(
+ 'memberservice_service',
+ required=False,
+ label=_(u'Services'),
+ ),
+ )
+
+
+@register()
+class caacl_add(Method):
+ __doc__ = _("Create a new CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipacertprofilecategory',
+ required=False,
+ cli_name='profilecat',
+ cli_metavar="['all']",
+ label=_(u'Profile category'),
+ doc=_(u'Profile category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class caacl_add_host(Method):
+ __doc__ = _("Add target hosts and hostgroups to a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class caacl_add_profile(Method):
+ __doc__ = _("Add profiles to a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'certprofile',
+ required=False,
+ multivalue=True,
+ cli_name='certprofiles',
+ label=_(u'member Certificate Profile'),
+ doc=_(u'Certificate Profiles to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class caacl_add_service(Method):
+ __doc__ = _("Add services to a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ multivalue=True,
+ cli_name='services',
+ label=_(u'member service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class caacl_add_user(Method):
+ __doc__ = _("Add users and groups to a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class caacl_del(Method):
+ __doc__ = _("Delete a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class caacl_disable(Method):
+ __doc__ = _("Disable a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class caacl_enable(Method):
+ __doc__ = _("Enable a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class caacl_find(Method):
+ __doc__ = _("Search for CA ACLs.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipacertprofilecategory',
+ required=False,
+ cli_name='profilecat',
+ cli_metavar="['all']",
+ label=_(u'Profile category'),
+ doc=_(u'Profile category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the ACL applies to'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class caacl_mod(Method):
+ __doc__ = _("Modify a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipacertprofilecategory',
+ required=False,
+ cli_name='profilecat',
+ cli_metavar="['all']",
+ label=_(u'Profile category'),
+ doc=_(u'Profile category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class caacl_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class caacl_remove_profile(Method):
+ __doc__ = _("Remove profiles from a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'certprofile',
+ required=False,
+ multivalue=True,
+ cli_name='certprofiles',
+ label=_(u'member Certificate Profile'),
+ doc=_(u'Certificate Profiles to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class caacl_remove_service(Method):
+ __doc__ = _("Remove services from a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ multivalue=True,
+ cli_name='services',
+ label=_(u'member service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class caacl_remove_user(Method):
+ __doc__ = _("Remove users and groups from a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class caacl_show(Method):
+ __doc__ = _("Display the properties of a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/cert.py b/ipaclient/remote_plugins/2_156/cert.py
new file mode 100644
index 000000000..de760fdcb
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/cert.py
@@ -0,0 +1,382 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+IPA certificate operations
+
+Implements a set of commands for managing server SSL certificates.
+
+Certificate requests exist in the form of a Certificate Signing Request (CSR)
+in PEM format.
+
+The dogtag CA uses just the CN value of the CSR and forces the rest of the
+subject to values configured in the server.
+
+A certificate is stored with a service principal and a service principal
+needs a host.
+
+In order to request a certificate:
+
+* The host must exist
+* The service must exist (or you use the --add option to automatically add it)
+
+SEARCHING:
+
+Certificates may be searched on by certificate subject, serial number,
+revocation reason, validity dates and the issued date.
+
+When searching on dates the _from date does a >= search and the _to date
+does a <= search. When combined these are done as an AND.
+
+Dates are treated as GMT to match the dates in the certificates.
+
+The date format is YYYY-mm-dd.
+
+EXAMPLES:
+
+ Request a new certificate and add the principal:
+ ipa cert-request --add --principal=HTTP/lion.example.com example.csr
+
+ Retrieve an existing certificate:
+ ipa cert-show 1032
+
+ Revoke a certificate (see RFC 5280 for reason details):
+ ipa cert-revoke --revocation-reason=6 1032
+
+ Remove a certificate from revocation hold status:
+ ipa cert-remove-hold 1032
+
+ Check the status of a signing request:
+ ipa cert-status 10
+
+ Search for certificates by hostname:
+ ipa cert-find --subject=ipaserver.example.com
+
+ Search for revoked certificates by reason:
+ ipa cert-find --revocation-reason=5
+
+ Search for certificates based on issuance date
+ ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07
+
+IPA currently immediately issues (or declines) all certificate requests so
+the status of a request is not normally useful. This is for future use
+or the case where a CA does not immediately issue a certificate.
+
+The following revocation reasons are supported:
+
+ * 0 - unspecified
+ * 1 - keyCompromise
+ * 2 - cACompromise
+ * 3 - affiliationChanged
+ * 4 - superseded
+ * 5 - cessationOfOperation
+ * 6 - certificateHold
+ * 8 - removeFromCRL
+ * 9 - privilegeWithdrawn
+ * 10 - aACompromise
+
+Note that reason code 7 is not used. See RFC 5280 for more details:
+
+http://www.ietf.org/rfc/rfc5280.txt
+""")
+
+register = Registry()
+
+
+@register()
+class ca_is_enabled(Command):
+ __doc__ = _("Checks if any of the servers has the CA service enabled.")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cert_find(Command):
+ __doc__ = _("Search for existing certificates.")
+
+ takes_options = (
+ parameters.Str(
+ 'subject',
+ required=False,
+ label=_(u'Subject'),
+ ),
+ parameters.Int(
+ 'revocation_reason',
+ required=False,
+ label=_(u'Reason'),
+ doc=_(u'Reason for revoking the certificate (0-10)'),
+ ),
+ parameters.Int(
+ 'min_serial_number',
+ required=False,
+ doc=_(u'minimum serial number'),
+ ),
+ parameters.Int(
+ 'max_serial_number',
+ required=False,
+ doc=_(u'maximum serial number'),
+ ),
+ parameters.Flag(
+ 'exactly',
+ required=False,
+ doc=_(u'match the common name exactly'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'validnotafter_from',
+ required=False,
+ doc=_(u'Valid not after from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'validnotafter_to',
+ required=False,
+ doc=_(u'Valid not after to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'validnotbefore_from',
+ required=False,
+ doc=_(u'Valid not before from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'validnotbefore_to',
+ required=False,
+ doc=_(u'Valid not before to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'issuedon_from',
+ required=False,
+ doc=_(u'Issued on from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'issuedon_to',
+ required=False,
+ doc=_(u'Issued on to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'revokedon_from',
+ required=False,
+ doc=_(u'Revoked on from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'revokedon_to',
+ required=False,
+ doc=_(u'Revoked on to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of certs returned'),
+ default=100,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class cert_remove_hold(Command):
+ __doc__ = _("Take a revoked certificate off hold.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_request(Command):
+ __doc__ = _("Submit a certificate signing request.")
+
+ takes_args = (
+ parameters.Str(
+ 'csr',
+ cli_name='csr_file',
+ label=_(u'CSR'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'principal',
+ label=_(u'Principal'),
+ doc=_(u'Principal for this certificate (e.g. HTTP/test.example.com)'),
+ ),
+ parameters.Str(
+ 'request_type',
+ default=u'pkcs10',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'add',
+ doc=_(u"automatically add the principal if it doesn't exist"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'profile_id',
+ required=False,
+ label=_(u'Profile ID'),
+ doc=_(u'Certificate Profile to use'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ )
+
+
+@register()
+class cert_revoke(Command):
+ __doc__ = _("Revoke a certificate.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'revocation_reason',
+ label=_(u'Reason'),
+ doc=_(u'Reason for revoking the certificate (0-10)'),
+ default=0,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_show(Command):
+ __doc__ = _("Retrieve an existing certificate.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'out',
+ required=False,
+ label=_(u'Output filename'),
+ doc=_(u'File to store the certificate in.'),
+ exclude=('webui',),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_status(Command):
+ __doc__ = _("Check the status of a certificate signing request.")
+
+ takes_args = (
+ parameters.Str(
+ 'request_id',
+ label=_(u'Request id'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
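Review bot: `revocation_reason` in `cert_revoke` (and in `cert_find`) is a bare `parameters.Int`, although its doc string says "(0-10)" and the module docstring says reason code 7 is not used, so nothing in this client-side definition rejects an out-of-range or unused code before the request is sent. The same gap shows in the `*_from`/`*_to` date options of `cert_find`, which are plain `Str` despite the documented YYYY-mm-dd format, and in `cn` in certprofile.py, whose documented Profile ID syntax is not expressed as a `pattern`. If these files are meant to mirror the server API of that version without constraints (which the uniform layout suggests), a header comment such as `# Interface stub only: value constraints are not reproduced here; validation is left to the server.` would make that explicit. Otherwise, adding `minvalue=0, maxvalue=10,` to the `Int` would enforce the documented range locally.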
diff --git a/ipaclient/remote_plugins/2_156/certprofile.py b/ipaclient/remote_plugins/2_156/certprofile.py
new file mode 100644
index 000000000..b612342a1
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/certprofile.py
@@ -0,0 +1,431 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Manage Certificate Profiles
+
+Certificate Profiles are used by Certificate Authority (CA) in the signing of
+certificates to determine if a Certificate Signing Request (CSR) is acceptable,
+and if so what features and extensions will be present on the certificate.
+
+The Certificate Profile format is the property-list format understood by the
+Dogtag or Red Hat Certificate System CA.
+
+PROFILE ID SYNTAX:
+
+A Profile ID is a string without spaces or punctuation starting with a letter
+and followed by a sequence of letters, digits or underscore ("_").
+
+EXAMPLES:
+
+ Import a profile that will not store issued certificates:
+ ipa certprofile-import ShortLivedUserCert \
+ --file UserCert.profile --desc "User Certificates" \
+ --store=false
+
+ Delete a certificate profile:
+ ipa certprofile-del ShortLivedUserCert
+
+ Show information about a profile:
+ ipa certprofile-show ShortLivedUserCert
+
+ Save profile configuration to a file:
+ ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg
+
+ Search for profiles that do not store certificates:
+ ipa certprofile-find --store=false
+
+PROFILE CONFIGURATION FORMAT:
+
+The profile configuration format is the raw property-list format
+used by Dogtag Certificate System. The XML format is not supported.
+
+The following restrictions apply to profiles managed by FreeIPA:
+
+- When importing a profile the "profileId" field, if present, must
+ match the ID given on the command line.
+
+- The "classId" field must be set to "caEnrollImpl"
+
+- The "auth.instance_id" field must be set to "raCertAuth"
+
+- The "certReqInputImpl" input class and "certOutputImpl" output
+ class must be used.
+""")
+
+register = Registry()
+
+
+@register()
+class certprofile(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ parameters.Str(
+ 'description',
+ label=_(u'Profile description'),
+ doc=_(u'Brief description of this profile'),
+ ),
+ parameters.Bool(
+ 'ipacertprofilestoreissued',
+ label=_(u'Store issued certificates'),
+ doc=_(u'Whether to store certs issued using this profile'),
+ ),
+ )
+
+
+@register()
+class certprofile_del(Method):
+ __doc__ = _("Delete a Certificate Profile.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='id',
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class certprofile_find(Method):
+ __doc__ = _("Search for Certificate Profiles.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='id',
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Profile description'),
+ doc=_(u'Brief description of this profile'),
+ ),
+ parameters.Bool(
+ 'ipacertprofilestoreissued',
+ required=False,
+ cli_name='store',
+ label=_(u'Store issued certificates'),
+ doc=_(u'Whether to store certs issued using this profile'),
+ default=True,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("id")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class certprofile_import(Method):
+ __doc__ = _("Import a Certificate Profile.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='id',
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ cli_name='desc',
+ label=_(u'Profile description'),
+ doc=_(u'Brief description of this profile'),
+ ),
+ parameters.Bool(
+ 'ipacertprofilestoreissued',
+ cli_name='store',
+ label=_(u'Store issued certificates'),
+ doc=_(u'Whether to store certs issued using this profile'),
+ default=True,
+ ),
+ parameters.Str(
+ 'file',
+ label=_(u'Filename of a raw profile. The XML format is not supported.'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class certprofile_mod(Method):
+ __doc__ = _("Modify Certificate Profile configuration.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='id',
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Profile description'),
+ doc=_(u'Brief description of this profile'),
+ ),
+ parameters.Bool(
+ 'ipacertprofilestoreissued',
+ required=False,
+ cli_name='store',
+ label=_(u'Store issued certificates'),
+ doc=_(u'Whether to store certs issued using this profile'),
+ default=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'file',
+ required=False,
+ label=_(u'File containing profile configuration'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class certprofile_show(Method):
+ __doc__ = _("Display the properties of a Certificate Profile.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='id',
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'Write profile configuration to file'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/config.py b/ipaclient/remote_plugins/2_156/config.py
new file mode 100644
index 000000000..a1f17ab5b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/config.py
@@ -0,0 +1,408 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Server configuration
+
+Manage the default values that IPA uses and some of its tuning parameters.
+
+NOTES:
+
+The password notification value (--pwdexpnotify) is stored here so it will
+be replicated. It is not currently used to notify users in advance of an
+expiring password.
+
+Some attributes are read-only, provided only for information purposes. These
+include:
+
+Certificate Subject base: the configured certificate subject base,
+ e.g. O=EXAMPLE.COM. This is configurable only at install time.
+Password plug-in features: currently defines additional hashes that the
+ password will generate (there may be other conditions).
+
+When setting the order list for mapping SELinux users you may need to
+quote the value so it isn't interpreted by the shell.
+
+EXAMPLES:
+
+ Show basic server configuration:
+ ipa config-show
+
+ Show all configuration options:
+ ipa config-show --all
+
+ Change maximum username length to 99 characters:
+ ipa config-mod --maxusername=99
+
+ Increase default time and size limits for maximum IPA server search:
+ ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000
+
+ Set default user e-mail domain:
+ ipa config-mod --emaildomain=example.com
+
+ Enable migration mode to make "ipa migrate-ds" command operational:
+ ipa config-mod --enable-migration=TRUE
+
+ Define SELinux user map order:
+ ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
+""")
+
+register = Registry()
+
+
+@register()
+class config(Object):
+ takes_params = (
+ parameters.Int(
+ 'ipamaxusernamelength',
+ label=_(u'Maximum username length'),
+ ),
+ parameters.Str(
+ 'ipahomesrootdir',
+ label=_(u'Home directory base'),
+ doc=_(u'Default location of home directories'),
+ ),
+ parameters.Str(
+ 'ipadefaultloginshell',
+ label=_(u'Default shell'),
+ doc=_(u'Default shell for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultprimarygroup',
+ label=_(u'Default users group'),
+ doc=_(u'Default group for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultemaildomain',
+ required=False,
+ label=_(u'Default e-mail domain'),
+ ),
+ parameters.Int(
+ 'ipasearchtimelimit',
+ label=_(u'Search time limit'),
+ doc=_(u'Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'ipasearchrecordslimit',
+ label=_(u'Search size limit'),
+ doc=_(u'Maximum number of records to search (-1 or 0 is unlimited)'),
+ ),
+ parameters.Str(
+ 'ipausersearchfields',
+ label=_(u'User search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for users'),
+ ),
+ parameters.Str(
+ 'ipagroupsearchfields',
+ label=_(u'Group search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for groups'),
+ ),
+ parameters.Bool(
+ 'ipamigrationenabled',
+ label=_(u'Enable migration mode'),
+ ),
+ parameters.DNParam(
+ 'ipacertificatesubjectbase',
+ label=_(u'Certificate Subject base'),
+ doc=_(u'Base for certificate subjects (OU=Test,O=Example)'),
+ ),
+ parameters.Str(
+ 'ipagroupobjectclasses',
+ multivalue=True,
+ label=_(u'Default group objectclasses'),
+ doc=_(u'Default group objectclasses (comma-separated list)'),
+ ),
+ parameters.Str(
+ 'ipauserobjectclasses',
+ multivalue=True,
+ label=_(u'Default user objectclasses'),
+ doc=_(u'Default user objectclasses (comma-separated list)'),
+ ),
+ parameters.Int(
+ 'ipapwdexpadvnotify',
+ label=_(u'Password Expiration Notification (days)'),
+ doc=_(u"Number of days's notice of impending password expiration"),
+ ),
+ parameters.Str(
+ 'ipaconfigstring',
+ required=False,
+ multivalue=True,
+ label=_(u'Password plugin features'),
+ doc=_(u'Extra hashes to generate in password plug-in'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermaporder',
+ label=_(u'SELinux user map order'),
+ doc=_(u'Order in increasing priority of SELinux users, delimited by $'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermapdefault',
+ required=False,
+ label=_(u'Default SELinux user'),
+ doc=_(u'Default SELinux user when no match is found in SELinux map rule'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ label=_(u'Default PAC types'),
+ doc=_(u'Default types of PAC supported for services'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ label=_(u'Default user authentication types'),
+ doc=_(u'Default types of supported user authentication'),
+ ),
+ )
+
+
+@register()
+class config_mod(Method):
+ __doc__ = _("Modify configuration options.")
+
+ takes_options = (
+ parameters.Int(
+ 'ipamaxusernamelength',
+ required=False,
+ cli_name='maxusername',
+ label=_(u'Maximum username length'),
+ ),
+ parameters.Str(
+ 'ipahomesrootdir',
+ required=False,
+ cli_name='homedirectory',
+ label=_(u'Home directory base'),
+ doc=_(u'Default location of home directories'),
+ ),
+ parameters.Str(
+ 'ipadefaultloginshell',
+ required=False,
+ cli_name='defaultshell',
+ label=_(u'Default shell'),
+ doc=_(u'Default shell for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultprimarygroup',
+ required=False,
+ cli_name='defaultgroup',
+ label=_(u'Default users group'),
+ doc=_(u'Default group for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultemaildomain',
+ required=False,
+ cli_name='emaildomain',
+ label=_(u'Default e-mail domain'),
+ ),
+ parameters.Int(
+ 'ipasearchtimelimit',
+ required=False,
+ cli_name='searchtimelimit',
+ label=_(u'Search time limit'),
+ doc=_(u'Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'ipasearchrecordslimit',
+ required=False,
+ cli_name='searchrecordslimit',
+ label=_(u'Search size limit'),
+ doc=_(u'Maximum number of records to search (-1 or 0 is unlimited)'),
+ ),
+ parameters.Str(
+ 'ipausersearchfields',
+ required=False,
+ cli_name='usersearch',
+ label=_(u'User search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for users'),
+ ),
+ parameters.Str(
+ 'ipagroupsearchfields',
+ required=False,
+ cli_name='groupsearch',
+ label=_(u'Group search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for groups'),
+ ),
+ parameters.Bool(
+ 'ipamigrationenabled',
+ required=False,
+ cli_name='enable_migration',
+ label=_(u'Enable migration mode'),
+ ),
+ parameters.Str(
+ 'ipagroupobjectclasses',
+ required=False,
+ multivalue=True,
+ cli_name='groupobjectclasses',
+ label=_(u'Default group objectclasses'),
+ doc=_(u'Default group objectclasses (comma-separated list)'),
+ ),
+ parameters.Str(
+ 'ipauserobjectclasses',
+ required=False,
+ multivalue=True,
+ cli_name='userobjectclasses',
+ label=_(u'Default user objectclasses'),
+ doc=_(u'Default user objectclasses (comma-separated list)'),
+ ),
+ parameters.Int(
+ 'ipapwdexpadvnotify',
+ required=False,
+ cli_name='pwdexpnotify',
+ label=_(u'Password Expiration Notification (days)'),
+ doc=_(u"Number of days's notice of impending password expiration"),
+ ),
+ parameters.Str(
+ 'ipaconfigstring',
+ required=False,
+ multivalue=True,
+ cli_metavar="['AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout']",
+ label=_(u'Password plugin features'),
+ doc=_(u'Extra hashes to generate in password plug-in'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermaporder',
+ required=False,
+ label=_(u'SELinux user map order'),
+ doc=_(u'Order in increasing priority of SELinux users, delimited by $'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermapdefault',
+ required=False,
+ label=_(u'Default SELinux user'),
+ doc=_(u'Default SELinux user when no match is found in SELinux map rule'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'nfs:NONE']",
+ label=_(u'Default PAC types'),
+ doc=_(u'Default types of PAC supported for services'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp', 'disabled']",
+ label=_(u'Default user authentication types'),
+ doc=_(u'Default types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class config_show(Method):
+ __doc__ = _("Show the current configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
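Review bot: The `ipaconfigstring` option in `config_mod` is documented as `Extra hashes to generate in password plug-in`, but its `cli_metavar` also lists `KDC:Disable Lockout` and `KDC:Disable Last Success`, which by their names are KDC behaviour switches rather than hash types. An administrator reading the help text gets no hint that this option can affect lockout handling, so I would reword it to something like `doc=_(u'Password plug-in and KDC feature flags')`, with a matching label, on both the `config` object parameter and the `config_mod` option. The `ipapwdexpadvnotify` doc in the same two classes carries the typo `Number of days's notice`. This file appears to mirror server-side API metadata, so the wording may have to be corrected where that metadata is defined.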
diff --git a/ipaclient/remote_plugins/2_156/delegation.py b/ipaclient/remote_plugins/2_156/delegation.py
new file mode 100644
index 000000000..87496117f
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/delegation.py
@@ -0,0 +1,383 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Group to Group Delegation
+
+A permission enables fine-grained delegation of permissions. Access Control
+Rules, or instructions (ACIs), grant permission to permissions to perform
+given tasks such as adding a user, modifying a group, etc.
+
+Group to Group Delegations grants the members of one group to update a set
+of attributes of members of another group.
+
+EXAMPLES:
+
+ Add a delegation rule to allow managers to edit employee's addresses:
+ ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"
+
+ When managing the list of attributes you need to include all attributes
+ in the list, including existing ones. Add postalCode to the list:
+ ipa delegation-mod --attrs=street --attrs=postalCode --group=managers --membergroup=employees "managers edit employees' street"
+
+ Display our updated rule:
+ ipa delegation-show "managers edit employees' street"
+
+ Delete a rule:
+ ipa delegation-del "managers edit employees' street"
+""")
+
+register = Registry()
+
+
+@register()
+class delegation(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'Delegation name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ ),
+ parameters.Str(
+ 'memberof',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ )
+
+
+@register()
+class delegation_add(Method):
+ __doc__ = _("Add a new delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_del(Method):
+ __doc__ = _("Delete a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_find(Method):
+ __doc__ = _("Search for delegations.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class delegation_mod(Method):
+ __doc__ = _("Modify a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_show(Method):
+ __doc__ = _("Display information about a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
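Review bot: The docs for `group` and `memberof` do not make clear which group receives access and which group is the target, since `User group ACI grants access to` can be read either way. Only the module example (`--group=managers --membergroup=employees`, "managers edit employees' street") shows that `group` is the grantee. Swapping the two values reverses the direction of the delegation, so the help text should be unambiguous, e.g. `doc=_(u'User group whose members are granted the access')` for `group` and `doc=_(u'User group whose member entries the delegation applies to')` for `memberof`. The same wording repeats in `delegation`, `delegation_add`, `delegation_find` and `delegation_mod`. The module docstring's "grants the members of one group to update" is also unclear and should read "grants the members of one group the right to update".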
diff --git a/ipaclient/remote_plugins/2_156/dns.py b/ipaclient/remote_plugins/2_156/dns.py
new file mode 100644
index 000000000..39a0b2695
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/dns.py
@@ -0,0 +1,5148 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Domain Name System (DNS)
+
+Manage DNS zone and resource records.
+
+SUPPORTED ZONE TYPES
+
+ * Master zone (dnszone-*), contains authoritative data.
+ * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders
+ (a set of DNS servers).
+
+USING STRUCTURED PER-TYPE OPTIONS
+
+There are many structured DNS RR types where DNS data stored in LDAP server
+is not just a scalar value, for example an IP address or a domain name, but
+a data structure which may be often complex. A good example is a LOC record
+[RFC1876] which consists of many mandatory and optional parts (degrees,
+minutes, seconds of latitude and longitude, altitude or precision).
+
+It may be difficult to manipulate such DNS records without making a mistake
+and entering an invalid value. DNS module provides an abstraction over these
+raw records and allows to manipulate each RR type with specific options. For
+each supported RR type, DNS module provides a standard option to manipulate
+a raw records with format --<rrtype>-rec, e.g. --mx-rec, and special options
+for every part of the RR structure with format --<rrtype>-<partname>, e.g.
+--mx-preference and --mx-exchanger.
+
+When adding a record, either RR specific options or standard option for a raw
+value can be used, they just should not be combined in one add operation. When
+modifying an existing entry, new RR specific options can be used to change
+one part of a DNS record, where the standard option for raw value is used
+to specify the modified value. The following example demonstrates
+a modification of MX record preference from 0 to 1 in a record without
+modifying the exchanger:
+ipa dnsrecord-mod --mx-rec="0 mx.example.com." --mx-preference=1
+
+
+EXAMPLES:
+
+ Add new zone:
+ ipa dnszone-add example.com --admin-email=admin@example.com
+
+ Add system permission that can be used for per-zone privilege delegation:
+ ipa dnszone-add-permission example.com
+
+ Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
+ ipa dnszone-mod example.com --dynamic-update=TRUE
+
+ This is the equivalent of:
+ ipa dnszone-mod example.com --dynamic-update=TRUE \
+ --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
+
+ Modify the zone to allow zone transfers for local network only:
+ ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24
+
+ Add new reverse zone specified by network IP address:
+ ipa dnszone-add --name-from-ip=192.0.2.0/24
+
+ Add second nameserver for example.com:
+ ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com
+
+ Add a mail server for example.com:
+ ipa dnsrecord-add example.com @ --mx-rec="10 mail1"
+
+ Add another record using MX record specific options:
+ ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2
+
+ Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod,
+ or dnsrecord-del are executed with no options):
+ ipa dnsrecord-add example.com @
+ Please choose a type of DNS resource record to be added
+ The most common types for this type of zone are: NS, MX, LOC
+
+ DNS resource record type: MX
+ MX Preference: 30
+ MX Exchanger: mail3
+ Record name: example.com
+ MX record: 10 mail1, 20 mail2, 30 mail3
+ NS record: nameserver.example.com., nameserver2.example.com.
+
+ Delete previously added nameserver from example.com:
+ ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.
+
+ Add LOC record for example.com:
+ ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m"
+
+ Add new A record for www.example.com. Create a reverse record in appropriate
+ reverse zone as well. In this case a PTR record "2" pointing to www.example.com
+ will be created in zone 2.0.192.in-addr.arpa.
+ ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse
+
+ Add new PTR record for www.example.com
+ ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.
+
+ Add new SRV records for LDAP servers. Three quarters of the requests
+ should go to fast.example.com, one quarter to slow.example.com. If neither
+ is available, switch to backup.example.com.
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com"
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com"
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"
+
+ The interactive mode can be used for easy modification:
+ ipa dnsrecord-mod example.com _ldap._tcp
+ No option to modify specific record provided.
+ Current DNS record contents:
+
+ SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com
+
+ Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No):
+ Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y
+ SRV Priority [0]: (keep the default value)
+ SRV Weight [1]: 2 (modified value)
+ SRV Port [389]: (keep the default value)
+ SRV Target [slow.example.com]: (keep the default value)
+ 1 SRV record skipped. Only one value per DNS record type can be modified at one time.
+ Record name: _ldap._tcp
+ SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com
+
+ After this modification, three fifths of the requests should go to
+ fast.example.com and two fifths to slow.example.com.
+
+ An example of the interactive mode for dnsrecord-del command:
+ ipa dnsrecord-del example.com www
+ No option to delete specific record provided.
+ Delete all? Yes/No (default No): (do not delete all records)
+ Current DNS record contents:
+
+ A record: 192.0.2.2, 192.0.2.3
+
+ Delete A record '192.0.2.2'? Yes/No (default No):
+ Delete A record '192.0.2.3'? Yes/No (default No): y
+ Record name: www
+ A record: 192.0.2.2 (A record 192.0.2.3 has been deleted)
+
+ Show zone example.com:
+ ipa dnszone-show example.com
+
+ Find zone with "example" in its domain name:
+ ipa dnszone-find example
+
+ Find records for resources with "www" in their name in zone example.com:
+ ipa dnsrecord-find example.com www
+
+ Find A records with value 192.0.2.2 in zone example.com
+ ipa dnsrecord-find example.com --a-rec=192.0.2.2
+
+ Show records for resource www in zone example.com
+ ipa dnsrecord-show example.com www
+
+ Delegate zone sub.example to another nameserver:
+ ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
+ ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
+
+ Delete zone example.com with all resource records:
+ ipa dnszone-del example.com
+
+ If a global forwarder is configured, all queries for which this server is not
+ authoritative (e.g. sub.example.com) will be routed to the global forwarder.
+ Global forwarding configuration can be overridden per-zone.
+
+ Semantics of forwarding in IPA matches BIND semantics and depends on the type
+ of zone:
+ * Master zone: local BIND replies authoritatively to queries for data in
+ the given zone (including authoritative NXDOMAIN answers) and forwarding
+ affects only queries for names below zone cuts (NS records) of locally
+ served zones.
+
+ * Forward zone: forward zone contains no authoritative data. BIND forwards
+ queries, which cannot be answered from its local cache, to configured
+ forwarders.
+
+ Semantics of the --forwarder-policy option:
+ * none - disable forwarding for the given zone.
+ * first - forward all queries to configured forwarders. If they fail,
+ do resolution using DNS root servers.
+ * only - forward all queries to configured forwarders and if they fail,
+ return failure.
+
+ Disable global forwarding for given sub-tree:
+ ipa dnszone-mod example.com --forward-policy=none
+
+ This configuration forwards all queries for names outside the example.com
+ sub-tree to global forwarders. Normal recursive resolution process is used
+ for names inside the example.com sub-tree (i.e. NS records are followed etc.).
+
+ Forward all requests for the zone external.example.com to another forwarder
+ using a "first" policy (it will send the queries to the selected forwarder
+ and if not answered it will use global root servers):
+ ipa dnsforwardzone-add external.example.com --forward-policy=first \
+ --forwarder=203.0.113.1
+
+ Change forward-policy for external.example.com:
+ ipa dnsforwardzone-mod external.example.com --forward-policy=only
+
+ Show forward zone external.example.com:
+ ipa dnsforwardzone-show external.example.com
+
+ List all forward zones:
+ ipa dnsforwardzone-find
+
+ Delete forward zone external.example.com:
+ ipa dnsforwardzone-del external.example.com
+
+ Resolve a host name to see if it exists (will add default IPA domain
+ if one is not included):
+ ipa dns-resolve www.example.com
+ ipa dns-resolve www
+
+
+GLOBAL DNS CONFIGURATION
+
+DNS configuration passed to command line install script is stored in a local
+configuration file on each IPA server where DNS service is configured. These
+local settings can be overridden with a common configuration stored in LDAP
+server:
+
+ Show global DNS configuration:
+ ipa dnsconfig-show
+
+ Modify global DNS configuration and set a list of global forwarders:
+ ipa dnsconfig-mod --forwarder=203.0.113.113
+""")
+
+register = Registry()
+
+
+@register()
+class dnsconfig(Object):
+ takes_params = (
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Global forwarders'),
+ doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'),
+ ),
+ parameters.Int(
+ 'idnszonerefresh',
+ required=False,
+ label=_(u'Zone refresh interval'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone(Object):
+ takes_params = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ )
+
+
+@register()
+class dnsrecord(Object):
+ takes_params = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Record name'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ ),
+ parameters.Str(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+ ),
+ parameters.Str(
+ 'dnstype',
+ required=False,
+ label=_(u'Record type'),
+ ),
+ parameters.Str(
+ 'dnsdata',
+ required=False,
+ label=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'a_extra_create_reverse',
+ required=False,
+ label=_(u'A Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'aaaa_extra_create_reverse',
+ required=False,
+ label=_(u'AAAA Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.DNSNameParam(
+ 'afsdb_part_hostname',
+ required=False,
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'cname_part_hostname',
+ required=False,
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Int(
+ 'dlv_part_key_tag',
+ required=False,
+ label=_(u'DLV Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'dlv_part_algorithm',
+ required=False,
+ label=_(u'DLV Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'dlv_part_digest_type',
+ required=False,
+ label=_(u'DLV Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'dlv_part_digest',
+ required=False,
+ label=_(u'DLV Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'dname_part_target',
+ required=False,
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'kx_part_exchanger',
+ required=False,
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'mx_part_exchanger',
+ required=False,
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.DNSNameParam(
+ 'ns_part_hostname',
+ required=False,
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.DNSNameParam(
+ 'ptr_part_hostname',
+ required=False,
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.DNSNameParam(
+ 'srv_part_target',
+ required=False,
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Int(
+ 'tlsa_part_cert_usage',
+ required=False,
+ label=_(u'TLSA Certificate Usage'),
+ doc=_(u'Certificate Usage'),
+ ),
+ parameters.Int(
+ 'tlsa_part_selector',
+ required=False,
+ label=_(u'TLSA Selector'),
+ doc=_(u'Selector'),
+ ),
+ parameters.Int(
+ 'tlsa_part_matching_type',
+ required=False,
+ label=_(u'TLSA Matching Type'),
+ doc=_(u'Matching Type'),
+ ),
+ parameters.Str(
+ 'tlsa_part_cert_association_data',
+ required=False,
+ label=_(u'TLSA Certificate Association Data'),
+ doc=_(u'Certificate Association Data'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ )
+
+
+@register()
+class dnszone(Object):
+ takes_params = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ label=_(u'Administrator e-mail address'),
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ label=_(u'BIND update policy'),
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ )
+
+
+@register()
+class dns_is_enabled(Command):
+ __doc__ = _("Checks if any of the servers has the DNS service enabled.")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dns_resolve(Command):
+ __doc__ = _("Resolve a host name in DNS.")
+
+ takes_args = (
+ parameters.Str(
+ 'hostname',
+ label=_(u'Hostname'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsconfig_mod(Method):
+ __doc__ = _("Modify global DNS configuration.")
+
+ takes_options = (
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Global forwarders'),
+ doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'),
+ ),
+ parameters.Int(
+ 'idnszonerefresh',
+ required=False,
+ deprecated=True,
+ cli_name='zone_refresh',
+ label=_(u'Zone refresh interval'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsconfig_show(Method):
+ __doc__ = _("Show the current global DNS configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_add(Method):
+ __doc__ = _("Create new DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_add_permission(Method):
+ __doc__ = _("Add a permission for per-forward zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_del(Method):
+ __doc__ = _("Delete DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_disable(Method):
+ __doc__ = _("Disable DNS Forward Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_enable(Method):
+ __doc__ = _("Enable DNS Forward Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_find(Method):
+ __doc__ = _("Search for DNS forward zones.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ cli_name='zone_active',
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_mod(Method):
+ __doc__ = _("Modify DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_remove_permission(Method):
+ __doc__ = _("Remove a permission for per-forward zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_show(Method):
+ __doc__ = _("Display information about a DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_add(Method):
+ __doc__ = _("Add new DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ option_group=u'A Record',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ cli_name='a_ip_address',
+ option_group=u'A Record',
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'a_extra_create_reverse',
+ required=False,
+ cli_name='a_create_reverse',
+ option_group=u'A Record',
+ label=_(u'A Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ cli_name='aaaa_ip_address',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'aaaa_extra_create_reverse',
+ required=False,
+ cli_name='aaaa_create_reverse',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ option_group=u'A6 Record',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ cli_name='a6_data',
+ option_group=u'A6 Record',
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ cli_name='afsdb_subtype',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.DNSNameParam(
+ 'afsdb_part_hostname',
+ required=False,
+ cli_name='afsdb_hostname',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ option_group=u'APL Record',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ option_group=u'CERT Record',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ cli_name='cert_type',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ cli_name='cert_key_tag',
+ option_group=u'CERT Record',
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ cli_name='cert_algorithm',
+ option_group=u'CERT Record',
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ cli_name='cert_certificate_or_crl',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'cname_part_hostname',
+ required=False,
+ cli_name='cname_hostname',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ option_group=u'DHCID Record',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ option_group=u'DLV Record',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Int(
+ 'dlv_part_key_tag',
+ required=False,
+ cli_name='dlv_key_tag',
+ option_group=u'DLV Record',
+ label=_(u'DLV Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'dlv_part_algorithm',
+ required=False,
+ cli_name='dlv_algorithm',
+ option_group=u'DLV Record',
+ label=_(u'DLV Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'dlv_part_digest_type',
+ required=False,
+ cli_name='dlv_digest_type',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'dlv_part_digest',
+ required=False,
+ cli_name='dlv_digest',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'dname_part_target',
+ required=False,
+ cli_name='dname_target',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ option_group=u'DS Record',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ cli_name='ds_key_tag',
+ option_group=u'DS Record',
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ cli_name='ds_algorithm',
+ option_group=u'DS Record',
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ cli_name='ds_digest_type',
+ option_group=u'DS Record',
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ cli_name='ds_digest',
+ option_group=u'DS Record',
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ option_group=u'HIP Record',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ option_group=u'IPSECKEY Record',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ option_group=u'KEY Record',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ option_group=u'KX Record',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ cli_name='kx_preference',
+ option_group=u'KX Record',
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'kx_part_exchanger',
+ required=False,
+ cli_name='kx_exchanger',
+ option_group=u'KX Record',
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ option_group=u'LOC Record',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ cli_name='loc_lat_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ cli_name='loc_lat_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ cli_name='loc_lat_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ cli_name='loc_lat_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['N', 'S']",
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ cli_name='loc_lon_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ cli_name='loc_lon_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ cli_name='loc_lon_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ cli_name='loc_lon_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['E', 'W']",
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ cli_name='loc_altitude',
+ option_group=u'LOC Record',
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ cli_name='loc_size',
+ option_group=u'LOC Record',
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ cli_name='loc_h_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ cli_name='loc_v_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ option_group=u'MX Record',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ cli_name='mx_preference',
+ option_group=u'MX Record',
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'mx_part_exchanger',
+ required=False,
+ cli_name='mx_exchanger',
+ option_group=u'MX Record',
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ cli_name='naptr_order',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ cli_name='naptr_preference',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ cli_name='naptr_flags',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ cli_name='naptr_service',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ cli_name='naptr_regexp',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ cli_name='naptr_replacement',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ option_group=u'NS Record',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.DNSNameParam(
+ 'ns_part_hostname',
+ required=False,
+ cli_name='ns_hostname',
+ option_group=u'NS Record',
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ option_group=u'PTR Record',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.DNSNameParam(
+ 'ptr_part_hostname',
+ required=False,
+ cli_name='ptr_hostname',
+ option_group=u'PTR Record',
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ option_group=u'RP Record',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ option_group=u'SIG Record',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ option_group=u'SPF Record',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ option_group=u'SRV Record',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ cli_name='srv_priority',
+ option_group=u'SRV Record',
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ cli_name='srv_weight',
+ option_group=u'SRV Record',
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ cli_name='srv_port',
+ option_group=u'SRV Record',
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.DNSNameParam(
+ 'srv_part_target',
+ required=False,
+ cli_name='srv_target',
+ option_group=u'SRV Record',
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ cli_name='sshfp_algorithm',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ cli_name='sshfp_fp_type',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ cli_name='sshfp_fingerprint',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Int(
+ 'tlsa_part_cert_usage',
+ required=False,
+ cli_name='tlsa_cert_usage',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Usage'),
+ doc=_(u'Certificate Usage'),
+ ),
+ parameters.Int(
+ 'tlsa_part_selector',
+ required=False,
+ cli_name='tlsa_selector',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Selector'),
+ doc=_(u'Selector'),
+ ),
+ parameters.Int(
+ 'tlsa_part_matching_type',
+ required=False,
+ cli_name='tlsa_matching_type',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Matching Type'),
+ doc=_(u'Matching Type'),
+ ),
+ parameters.Str(
+ 'tlsa_part_cert_association_data',
+ required=False,
+ cli_name='tlsa_cert_association_data',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Association Data'),
+ doc=_(u'Certificate Association Data'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ option_group=u'TXT Record',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ cli_name='txt_data',
+ option_group=u'TXT Record',
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force NS record creation even if its hostname is not in DNS'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_del(Method):
+ __doc__ = _("Delete DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Flag(
+ 'del_all',
+ label=_(u'Delete all associated records'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsrecord_delentry(Method):
+ __doc__ = _("Delete DNS record entry.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsrecord_find(Method):
+ __doc__ = _("Search for DNS resources.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnsrecord_mod(Method):
+ __doc__ = _("Modify a DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ option_group=u'A Record',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ cli_name='a_ip_address',
+ option_group=u'A Record',
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ cli_name='aaaa_ip_address',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ option_group=u'A6 Record',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ cli_name='a6_data',
+ option_group=u'A6 Record',
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ cli_name='afsdb_subtype',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.DNSNameParam(
+ 'afsdb_part_hostname',
+ required=False,
+ cli_name='afsdb_hostname',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ option_group=u'APL Record',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ option_group=u'CERT Record',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ cli_name='cert_type',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ cli_name='cert_key_tag',
+ option_group=u'CERT Record',
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ cli_name='cert_algorithm',
+ option_group=u'CERT Record',
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ cli_name='cert_certificate_or_crl',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'cname_part_hostname',
+ required=False,
+ cli_name='cname_hostname',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ option_group=u'DHCID Record',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ option_group=u'DLV Record',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Int(
+ 'dlv_part_key_tag',
+ required=False,
+ cli_name='dlv_key_tag',
+ option_group=u'DLV Record',
+ label=_(u'DLV Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'dlv_part_algorithm',
+ required=False,
+ cli_name='dlv_algorithm',
+ option_group=u'DLV Record',
+ label=_(u'DLV Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'dlv_part_digest_type',
+ required=False,
+ cli_name='dlv_digest_type',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'dlv_part_digest',
+ required=False,
+ cli_name='dlv_digest',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'dname_part_target',
+ required=False,
+ cli_name='dname_target',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ option_group=u'DS Record',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ cli_name='ds_key_tag',
+ option_group=u'DS Record',
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ cli_name='ds_algorithm',
+ option_group=u'DS Record',
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ cli_name='ds_digest_type',
+ option_group=u'DS Record',
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ cli_name='ds_digest',
+ option_group=u'DS Record',
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ option_group=u'HIP Record',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ option_group=u'IPSECKEY Record',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ option_group=u'KEY Record',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ option_group=u'KX Record',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ cli_name='kx_preference',
+ option_group=u'KX Record',
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'kx_part_exchanger',
+ required=False,
+ cli_name='kx_exchanger',
+ option_group=u'KX Record',
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ option_group=u'LOC Record',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ cli_name='loc_lat_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ cli_name='loc_lat_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ cli_name='loc_lat_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ cli_name='loc_lat_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['N', 'S']",
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ cli_name='loc_lon_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ cli_name='loc_lon_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ cli_name='loc_lon_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ cli_name='loc_lon_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['E', 'W']",
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ cli_name='loc_altitude',
+ option_group=u'LOC Record',
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ cli_name='loc_size',
+ option_group=u'LOC Record',
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ cli_name='loc_h_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ cli_name='loc_v_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ option_group=u'MX Record',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ cli_name='mx_preference',
+ option_group=u'MX Record',
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'mx_part_exchanger',
+ required=False,
+ cli_name='mx_exchanger',
+ option_group=u'MX Record',
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ cli_name='naptr_order',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ cli_name='naptr_preference',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ cli_name='naptr_flags',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ cli_name='naptr_service',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ cli_name='naptr_regexp',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ cli_name='naptr_replacement',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ option_group=u'NS Record',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.DNSNameParam(
+ 'ns_part_hostname',
+ required=False,
+ cli_name='ns_hostname',
+ option_group=u'NS Record',
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ option_group=u'PTR Record',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.DNSNameParam(
+ 'ptr_part_hostname',
+ required=False,
+ cli_name='ptr_hostname',
+ option_group=u'PTR Record',
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ option_group=u'RP Record',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ option_group=u'SIG Record',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ option_group=u'SPF Record',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ option_group=u'SRV Record',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ cli_name='srv_priority',
+ option_group=u'SRV Record',
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ cli_name='srv_weight',
+ option_group=u'SRV Record',
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ cli_name='srv_port',
+ option_group=u'SRV Record',
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.DNSNameParam(
+ 'srv_part_target',
+ required=False,
+ cli_name='srv_target',
+ option_group=u'SRV Record',
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ cli_name='sshfp_algorithm',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ cli_name='sshfp_fp_type',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ cli_name='sshfp_fingerprint',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Int(
+ 'tlsa_part_cert_usage',
+ required=False,
+ cli_name='tlsa_cert_usage',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Usage'),
+ doc=_(u'Certificate Usage'),
+ ),
+ parameters.Int(
+ 'tlsa_part_selector',
+ required=False,
+ cli_name='tlsa_selector',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Selector'),
+ doc=_(u'Selector'),
+ ),
+ parameters.Int(
+ 'tlsa_part_matching_type',
+ required=False,
+ cli_name='tlsa_matching_type',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Matching Type'),
+ doc=_(u'Matching Type'),
+ ),
+ parameters.Str(
+ 'tlsa_part_cert_association_data',
+ required=False,
+ cli_name='tlsa_cert_association_data',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Association Data'),
+ doc=_(u'Certificate Association Data'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ option_group=u'TXT Record',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ cli_name='txt_data',
+ option_group=u'TXT Record',
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.DNSNameParam(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the DNS resource record object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_show(Method):
+ __doc__ = _("Display DNS resource.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_add(Method):
+ __doc__ = _("Create new DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default=DNSName(u'hostmaster'),
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ autofill=True,
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ cli_name='dnssec',
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ default=False,
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'Force DNS zone creation even if nameserver is not resolvable.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ip_address',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_add_permission(Method):
+ __doc__ = _("Add a permission for per-zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnszone_del(Method):
+ __doc__ = _("Delete DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnszone_disable(Method):
+ __doc__ = _("Disable DNS Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_enable(Method):
+ __doc__ = _("Enable DNS Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_find(Method):
+ __doc__ = _("Search for DNS zones (SOA records).")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ cli_name='zone_active',
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ required=False,
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default=DNSName(u'hostmaster'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ required=False,
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ required=False,
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ required=False,
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ required=False,
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ no_convert=True,
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ cli_name='dnssec',
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ default=False,
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'forward_only',
+ label=_(u'Forward zones only'),
+ doc=_(u'Search for forward zones only'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnszone_mod(Method):
+ __doc__ = _("Modify DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ required=False,
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default=DNSName(u'hostmaster'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ required=False,
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ required=False,
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ required=False,
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ required=False,
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ no_convert=True,
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ cli_name='dnssec',
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ default=False,
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'Force nameserver change even if nameserver not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_remove_permission(Method):
+ __doc__ = _("Remove a permission for per-zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnszone_show(Method):
+ __doc__ = _("Display information about a DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/domainlevel.py b/ipaclient/remote_plugins/2_156/domainlevel.py
new file mode 100644
index 000000000..5e06114cc
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/domainlevel.py
@@ -0,0 +1,64 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Raise the IPA Domain Level.
+""")
+
+register = Registry()
+
+
+@register()
+class domainlevel_get(Command):
+ __doc__ = _("Query current Domain Level.")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ int,
+ doc=_(u'Current domain level:'),
+ ),
+ )
+
+
+@register()
+class domainlevel_set(Command):
+ __doc__ = _("Change current Domain Level.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Int(
+ 'ipadomainlevel',
+ cli_name='level',
+ label=_(u'Domain Level'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ int,
+ doc=_(u'Current domain level:'),
+ ),
+ )
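Review bot: `ipadomainlevel` in `domainlevel_set.takes_args` is a bare `parameters.Int` with no bounds, so this client stub forwards any integer, including negative ones, and leaves range checking entirely to the server. That may be intended for a compatibility stub, but it should be stated next to the parameter, for example `# no client-side range check; the server validates the requested level`. If the server-side definition carries a lower bound, mirroring it here with `minvalue=` (value to be confirmed against the server plugin) would reject bad input before a request is sent.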
diff --git a/ipaclient/remote_plugins/2_156/group.py b/ipaclient/remote_plugins/2_156/group.py
new file mode 100644
index 000000000..ed57c4caa
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/group.py
@@ -0,0 +1,912 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of users
+
+Manage groups of users. By default, new groups are POSIX groups. You
+can add the --nonposix option to the group-add command to mark a new group
+as non-POSIX. You can use the --posix argument with the group-mod command
+to convert a non-POSIX group into a POSIX group. POSIX groups cannot be
+converted to non-POSIX groups.
+
+Every group must have a description.
+
+POSIX groups must have a Group ID (GID) number. Changing a GID is
+supported but can have an impact on your file permissions. It is not necessary
+to supply a GID when creating a group. IPA will generate one automatically
+if it is not provided.
+
+EXAMPLES:
+
+ Add a new group:
+ ipa group-add --desc='local administrators' localadmins
+
+ Add a new non-POSIX group:
+ ipa group-add --nonposix --desc='remote administrators' remoteadmins
+
+ Convert a non-POSIX group to posix:
+ ipa group-mod --posix remoteadmins
+
+ Add a new POSIX group with a specific Group ID number:
+ ipa group-add --gid=500 --desc='unix admins' unixadmins
+
+ Add a new POSIX group and let IPA assign a Group ID number:
+ ipa group-add --desc='printer admins' printeradmins
+
+ Remove a group:
+ ipa group-del unixadmins
+
+ To add the "remoteadmins" group to the "localadmins" group:
+ ipa group-add-member --groups=remoteadmins localadmins
+
+ Add multiple users to the "localadmins" group:
+ ipa group-add-member --users=test1 --users=test2 localadmins
+
+ Remove a user from the "localadmins" group:
+ ipa group-remove-member --users=test2 localadmins
+
+ Display information about a named group.
+ ipa group-show localadmins
+
+External group membership is designed to allow users from trusted domains
+to be mapped to local POSIX groups in order to actually use IPA resources.
+External members should be added to groups that specifically created as
+external and non-POSIX. Such group later should be included into one of POSIX
+groups.
+
+An external group member is currently a Security Identifier (SID) as defined by
+the trusted domain. When adding external group members, it is possible to
+specify them in either SID, or DOM\name, or name@domain format. IPA will attempt
+to resolve passed name to SID with the use of Global Catalog of the trusted domain.
+
+Example:
+
+1. Create group for the trusted domain admins' mapping and their local POSIX group:
+
+ ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
+ ipa group-add --desc='<ad.domain> admins' ad_admins
+
+2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
+ group:
+
+ ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
+
+3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+
+ ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their SIDs:
+
+ ipa group-show ad_admins_external
+""")
+
+register = Registry()
+
+
+@register()
+class group(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Group name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'member_user',
+ required=False,
+ label=_(u'Member users'),
+ ),
+ parameters.Str(
+ 'member_group',
+ required=False,
+ label=_(u'Member groups'),
+ ),
+ parameters.Str(
+ 'memberof_group',
+ required=False,
+ label=_(u'Member of groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberindirect_user',
+ required=False,
+ label=_(u'Indirect Member users'),
+ ),
+ parameters.Str(
+ 'memberindirect_group',
+ required=False,
+ label=_(u'Indirect Member groups'),
+ ),
+ parameters.Str(
+ 'memberofindirect_group',
+ required=False,
+ label=_(u'Indirect Member of group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ )
+
+
+@register()
+class group_add(Method):
+ __doc__ = _("Create a new group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'nonposix',
+ doc=_(u'Create as a non-POSIX group'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'Allow adding external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_add_member(Method):
+ __doc__ = _("Add members to a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaexternalmember',
+ required=False,
+ multivalue=True,
+ cli_name='external',
+ label=_(u'External member'),
+ doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class group_del(Method):
+ __doc__ = _("Delete group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class group_detach(Method):
+ __doc__ = _("Detach a managed group from a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_find(Method):
+ __doc__ = _("Search for groups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'private',
+ doc=_(u'search for private groups'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'posix',
+ doc=_(u'search for POSIX groups'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'search for groups with support of external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'nonposix',
+ doc=_(u'search for non-POSIX groups'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("group-name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'user'),
+ doc=_(u'Search for groups with these member users.'),
+ ),
+ parameters.Str(
+ 'no_user',
+ required=False,
+ multivalue=True,
+ cli_name='no_users',
+ label=_(u'user'),
+ doc=_(u'Search for groups without these member users.'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups with these member groups.'),
+ ),
+ parameters.Str(
+ 'no_group',
+ required=False,
+ multivalue=True,
+ cli_name='no_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups without these member groups.'),
+ ),
+ parameters.Str(
+ 'in_group',
+ required=False,
+ multivalue=True,
+ cli_name='in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups with these member of groups.'),
+ ),
+ parameters.Str(
+ 'not_in_group',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups without these member of groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for groups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for groups without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for groups with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for groups without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for groups with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for groups without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for groups with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for groups without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class group_mod(Method):
+ __doc__ = _("Modify a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'posix',
+ doc=_(u'change to a POSIX group'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'change to support external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the group object'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_remove_member(Method):
+ __doc__ = _("Remove members from a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaexternalmember',
+ required=False,
+ multivalue=True,
+ cli_name='external',
+ label=_(u'External member'),
+ doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class group_show(Method):
+ __doc__ = _("Display information about a named group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
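Review bot: The module docstring is an ordinary (non-raw) triple-quoted string, so the backslashes in `DOM\name` and `'AD\Domain Admins'` are read as escape sequences. `\n` becomes a line break in the rendered help text, and `\D` is an invalid escape that newer Python versions warn about. The `ipaexternalmember` help in `group_add_member` and `group_remove_member` already writes `DOM\\name`, so the docstring should match: `specify them in either SID, or DOM\\name, or name@domain format` and `ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'`. Because the text goes through `_()`, the altered string presumably no longer matches the translation catalogue entry either, which is worth checking.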
diff --git a/ipaclient/remote_plugins/2_156/hbacrule.py b/ipaclient/remote_plugins/2_156/hbacrule.py
new file mode 100644
index 000000000..567a1bb02
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/hbacrule.py
@@ -0,0 +1,1305 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Host-based access control
+
+Control who can access what services on what hosts. You
+can use HBAC to control which users or groups can
+access a service, or group of services, on a target host.
+
+You can also specify a category of users and target hosts.
+This is currently limited to "all", but might be expanded in the
+future.
+
+Target hosts in HBAC rules must be hosts managed by IPA.
+
+The available services and groups of services are controlled by the
+hbacsvc and hbacsvcgroup plug-ins respectively.
+
+EXAMPLES:
+
+ Create a rule, "test1", that grants all users access to the host "server" from
+ anywhere:
+ ipa hbacrule-add --usercat=all test1
+ ipa hbacrule-add-host --hosts=server.example.com test1
+
+ Display the properties of a named HBAC rule:
+ ipa hbacrule-show test1
+
+ Create a rule for a specific service. This lets the user john access
+ the sshd service on any machine from any machine:
+ ipa hbacrule-add --hostcat=all john_sshd
+ ipa hbacrule-add-user --users=john john_sshd
+ ipa hbacrule-add-service --hbacsvcs=sshd john_sshd
+
+ Create a rule for a new service group. This lets the user john access
+ the FTP service on any machine from any machine:
+ ipa hbacsvcgroup-add ftpers
+ ipa hbacsvc-add sftp
+ ipa hbacsvcgroup-add-member --hbacsvcs=ftp --hbacsvcs=sftp ftpers
+ ipa hbacrule-add --hostcat=all john_ftp
+ ipa hbacrule-add-user --users=john john_ftp
+ ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp
+
+ Disable a named HBAC rule:
+ ipa hbacrule-disable test1
+
+ Remove a named HBAC rule:
+ ipa hbacrule-del allow_server
+""")
+
+register = Registry()
+
+
+@register()
+class hbacrule(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'accessruletype',
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ ),
+ parameters.Str(
+ 'memberservice_hbacsvc',
+ required=False,
+ label=_(u'Services'),
+ ),
+ parameters.Str(
+ 'memberservice_hbacsvcgroup',
+ required=False,
+ label=_(u'Service Groups'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add(Method):
+ __doc__ = _("Create a new HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'accessruletype',
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_host(Method):
+ __doc__ = _("Add target hosts and hostgroups to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_service(Method):
+ __doc__ = _("Add services to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hbacsvcgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcgroups',
+ label=_(u'member HBAC service group'),
+ doc=_(u'HBAC service groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_sourcehost(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_user(Method):
+ __doc__ = _("Add users and groups to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_del(Method):
+ __doc__ = _("Delete an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacrule_disable(Method):
+ __doc__ = _("Disable an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_enable(Method):
+ __doc__ = _("Enable an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_find(Method):
+ __doc__ = _("Search for HBAC rules.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'accessruletype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacrule_mod(Method):
+ __doc__ = _("Modify an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'accessruletype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_service(Method):
+ __doc__ = _("Remove service and service groups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hbacsvcgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcgroups',
+ label=_(u'member HBAC service group'),
+ doc=_(u'HBAC service groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_sourcehost(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_user(Method):
+ __doc__ = _("Remove users and groups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_show(Method):
+ __doc__ = _("Display the properties of an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
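Review bot: In hbacrule_add, hbacrule_find and hbacrule_mod the `accessruletype` option advertises `cli_metavar="['allow', 'deny']"`, while its doc text reads 'Rule type (allow)' and its default is `u'allow'`, so the file disagrees with itself about whether a deny rule can be requested. The option is a plain `parameters.Str`, so nothing declared here restricts the value; rejecting anything other than allow is presumably left to the server, which this hunk does not show. For an option that decides the effect of an access-control rule I would make that explicit, either with `cli_metavar="['allow']",` or, if the definition has to mirror the server's declaration verbatim, with a comment above the option such as `# this stub declares no value restriction; validation happens server-side` once that is confirmed.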
diff --git a/ipaclient/remote_plugins/2_156/hbacsvc.py b/ipaclient/remote_plugins/2_156/hbacsvc.py
new file mode 100644
index 000000000..0de241935
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/hbacsvc.py
@@ -0,0 +1,413 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Services
+
+The PAM services that HBAC can control access to. The name used here
+must match the service name that PAM is evaluating.
+
+EXAMPLES:
+
+ Add a new HBAC service:
+ ipa hbacsvc-add tftp
+
+ Modify an existing HBAC service:
+ ipa hbacsvc-mod --desc="TFTP service" tftp
+
+ Search for HBAC services. This example will return two results, the FTP
+ service and the newly-added tftp service:
+ ipa hbacsvc-find ftp
+
+ Delete an HBAC service:
+ ipa hbacsvc-del tftp
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvc(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'memberof_hbacsvcgroup',
+ required=False,
+ label=_(u'Member of HBAC service groups'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_add(Method):
+ __doc__ = _("Add a new HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_del(Method):
+ __doc__ = _("Delete an existing HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacsvc_find(Method):
+ __doc__ = _("Search for HBAC services.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("service")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_mod(Method):
+ __doc__ = _("Modify an HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_show(Method):
+ __doc__ = _("Display information about an HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
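Review bot: `timelimit` and `sizelimit` in hbacsvc_find are bare `parameters.Int` options whose doc text says '0 is unlimited', and no lower bound is declared, so a negative value is not rejected by this definition. hbacrule_find in the previous file declares the same two options the same way. If the server enforces the range (not visible in this diff), a short comment above each option is enough, e.g. `# range is enforced by the server, not by this stub`. Otherwise add `minvalue=0,` to both options so the documented meaning of 0 is the only special case a caller can reach.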
diff --git a/ipaclient/remote_plugins/2_156/hbacsvcgroup.py b/ipaclient/remote_plugins/2_156/hbacsvcgroup.py
new file mode 100644
index 000000000..f713b2fe8
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/hbacsvcgroup.py
@@ -0,0 +1,528 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Service Groups
+
+HBAC service groups can contain any number of individual services,
+or "members". Every group must have a description.
+
+EXAMPLES:
+
+ Add a new HBAC service group:
+ ipa hbacsvcgroup-add --desc="login services" login
+
+ Add members to an HBAC service group:
+ ipa hbacsvcgroup-add-member --hbacsvcs=sshd --hbacsvcs=login login
+
+ Display information about a named group:
+ ipa hbacsvcgroup-show login
+
+ Delete an HBAC service group:
+ ipa hbacsvcgroup-del login
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvcgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service group name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'member_hbacsvc',
+ required=False,
+ label=_(u'Member HBAC service'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_add(Method):
+ __doc__ = _("Add a new HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_add_member(Method):
+ __doc__ = _("Add members to an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_del(Method):
+ __doc__ = _("Delete an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_find(Method):
+ __doc__ = _("Search for an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_mod(Method):
+ __doc__ = _("Modify an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_remove_member(Method):
+ __doc__ = _("Remove members from an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_show(Method):
+ __doc__ = _("Display information about an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
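Review bot: The module docstring says "Every group must have a description", but `hbacsvcgroup_add` declares `description` with `required=False`, so the help text and the parameter metadata disagree about what is enforced. These groups are referenced from access-control rules, so an operator reading the help should not have to guess which of the two is true. I would reword the docstring sentence to `A description is optional but recommended.`, or make the parameter required if the server does reject groups without one (not visible in this hunk). If this file is produced from server-side plugin metadata, the wording has to be corrected there as well.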
diff --git a/ipaclient/remote_plugins/2_156/hbactest.py b/ipaclient/remote_plugins/2_156/hbactest.py
new file mode 100644
index 000000000..b0c49b71b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/hbactest.py
@@ -0,0 +1,284 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Simulate use of Host-based access controls
+
+HBAC rules control who can access what services on what hosts.
+You can use HBAC to control which users or groups can access a service,
+or group of services, on a target host.
+
+Since applying HBAC rules implies use of a production environment,
+this plugin aims to provide simulation of HBAC rules evaluation without
+having access to the production environment.
+
+ Test user coming to a service on a named host against
+ existing enabled rules.
+
+ ipa hbactest --user= --host= --service=
+ [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
+ [--sizelimit= ]
+
+ --user, --host, and --service are mandatory, others are optional.
+
+ If --rules is specified simulate enabling of the specified rules and test
+ the login of the user using only these rules.
+
+ If --enabled is specified, all enabled HBAC rules will be added to simulation
+
+ If --disabled is specified, all disabled HBAC rules will be added to simulation
+
+ If --nodetail is specified, do not return information about rules matched/not matched.
+
+ If both --rules and --enabled are specified, apply simulation to --rules _and_
+ all IPA enabled rules.
+
+ If no --rules specified, simulation is run against all IPA enabled rules.
+ By default there is a IPA-wide limit to number of entries fetched, you can change it
+ with --sizelimit option.
+
+EXAMPLES:
+
+ 1. Use all enabled HBAC rules in IPA database to simulate:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Matched rules: allow_all
+
+ 2. Disable detailed summary of how rules were applied:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail
+ --------------------
+ Access granted: True
+ --------------------
+
+ 3. Test explicitly specified HBAC rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: my-second-rule
+ Not matched rules: myrule
+
+ 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule --enabled
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Matched rules: allow_all
+
+ 5. Test all disabled HBAC rules in IPA database:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: new-rule
+
+ 6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule --disabled
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+
+ 7. Test all (enabled and disabled) HBAC rules in IPA database:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --enabled --disabled
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Not matched rules: new-rule
+ Matched rules: allow_all
+
+
+HBACTEST AND TRUSTED DOMAINS
+
+When an external trusted domain is configured in IPA, HBAC rules are also applied
+on users accessing IPA resources from the trusted domain. Trusted domain users and
+groups (and their SIDs) can be then assigned to external groups which can be
+members of POSIX groups in IPA which can be used in HBAC rules and thus allowing
+access to resources protected by the HBAC system.
+
+hbactest plugin is capable of testing access for both local IPA users and users
+from the trusted domains, either by a fully qualified user name or by user SID.
+Such user names need to have a trusted domain specified as a short name
+(DOMAIN\Administrator) or with a user principal name (UPN), Administrator@ad.test.
+
+Please note that hbactest executed with a trusted domain user as --user parameter
+can be only run by members of "trust admins" group.
+
+EXAMPLES:
+
+ 1. Test if a user from a trusted domain specified by its shortname matches any
+ rule:
+
+ $ ipa hbactest --user 'DOMAIN\Administrator' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 2. Test if a user from a trusted domain specified by its domain name matches
+ any rule:
+
+ $ ipa hbactest --user 'Administrator@domain.com' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 3. Test if a user from a trusted domain specified by its SID matches any rule:
+
+ $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-500 \
+ --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 4. Test if other user from a trusted domain specified by its SID matches any rule:
+
+ $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-1203 \
+ --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Not matched rules: can_login
+
+ 5. Test if other user from a trusted domain specified by its shortname matches
+ any rule:
+
+ $ ipa hbactest --user 'DOMAIN\Otheruser' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Not matched rules: can_login
+""")
+
+register = Registry()
+
+
+@register()
+class hbactest(Command):
+ __doc__ = _("Simulate use of Host-based access controls")
+
+ takes_options = (
+ parameters.Str(
+ 'user',
+ label=_(u'User name'),
+ ),
+ parameters.Str(
+ 'sourcehost',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'targethost',
+ cli_name='host',
+ label=_(u'Target host'),
+ ),
+ parameters.Str(
+ 'service',
+ label=_(u'Service'),
+ ),
+ parameters.Str(
+ 'rules',
+ required=False,
+ multivalue=True,
+ label=_(u'Rules to test. If not specified, --enabled is assumed'),
+ ),
+ parameters.Flag(
+ 'nodetail',
+ required=False,
+ label=_(u'Hide details which rules are matched, not matched, or invalid'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'enabled',
+ required=False,
+ label=_(u'Include all enabled IPA rules into test [default]'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'disabled',
+ required=False,
+ label=_(u'Include all disabled IPA rules into test'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of rules to process when no --rules is specified'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'warning',
+ (list, tuple, type(None)),
+ doc=_(u'Warning'),
+ ),
+ output.Output(
+ 'matched',
+ (list, tuple, type(None)),
+ doc=_(u'Matched rules'),
+ ),
+ output.Output(
+ 'notmatched',
+ (list, tuple, type(None)),
+ doc=_(u'Not matched rules'),
+ ),
+ output.Output(
+ 'error',
+ (list, tuple, type(None)),
+ doc=_(u'Non-existent or invalid rules'),
+ ),
+ output.Output(
+ 'value',
+ bool,
+ doc=_(u'Result of simulation'),
+ ),
+ )
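Review bot: Nothing in the `hbactest` help says that a simulation run without `--rules` may be computed over a truncated rule set, although the module docstring mentions an IPA-wide fetch limit and `sizelimit` is documented as "Maximum number of rules to process when no --rules is specified". For an access-control simulator this matters, because an "Access granted" answer drawn from only part of the rules is not a statement about the full policy. I would extend the `sizelimit` doc to `Maximum number of rules to process when no --rules is specified; if the limit is reached the result covers only the rules fetched`, and tell callers in the docstring to inspect the `warning` output, assuming that is where the server reports truncation (not visible here). Separately, example 6 lists `my-third-rule` and omits `new-rule`, which disagrees with example 5, where `new-rule` is the only disabled rule.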
diff --git a/ipaclient/remote_plugins/2_156/host.py b/ipaclient/remote_plugins/2_156/host.py
new file mode 100644
index 000000000..72b6ef881
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/host.py
@@ -0,0 +1,1680 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Hosts/Machines
+
+A host represents a machine. It can be used in a number of contexts:
+- service entries are associated with a host
+- a host stores the host/ service principal
+- a host can be used in Host-based Access Control (HBAC) rules
+- every enrolled client generates a host entry
+
+ENROLLMENT:
+
+There are three enrollment scenarios when enrolling a new client:
+
+1. You are enrolling as a full administrator. The host entry may exist
+ or not. A full administrator is a member of the hostadmin role
+ or the admins group.
+2. You are enrolling as a limited administrator. The host must already
+ exist. A limited administrator is a member a role with the
+ Host Enrollment privilege.
+3. The host has been created with a one-time password.
+
+RE-ENROLLMENT:
+
+Host that has been enrolled at some point, and lost its configuration (e.g. VM
+destroyed) can be re-enrolled.
+
+For more information, consult the manual pages for ipa-client-install.
+
+A host can optionally store information such as where it is located,
+the OS that it runs, etc.
+
+EXAMPLES:
+
+ Add a new host:
+ ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com
+
+ Delete a host:
+ ipa host-del test.example.com
+
+ Add a new host with a one-time password:
+ ipa host-add --os='Fedora 12' --password=Secret123 test.example.com
+
+ Add a new host with a random one-time password:
+ ipa host-add --os='Fedora 12' --random test.example.com
+
+ Modify information about a host:
+ ipa host-mod --os='Fedora 12' test.example.com
+
+ Remove SSH public keys of a host and update DNS to reflect this change:
+ ipa host-mod --sshpubkey= --updatedns test.example.com
+
+ Disable the host Kerberos key, SSL certificate and all of its services:
+ ipa host-disable test.example.com
+
+ Add a host that can manage this host's keytab and certificate:
+ ipa host-add-managedby --hosts=test2 test
+
+ Allow user to create a keytab:
+ ipa host-allow-create-keytab test2 --users=tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class host(Object):
+ takes_params = (
+ parameters.Str(
+ 'fqdn',
+ primary_key=True,
+ label=_(u'Host name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ ),
+ parameters.Str(
+ 'randompassword',
+ required=False,
+ label=_(u'Random password'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ label=_(u'Principal name'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Flag(
+ 'has_password',
+ label=_(u'Password'),
+ ),
+ parameters.Str(
+ 'memberof_hostgroup',
+ required=False,
+ label=_(u'Member of host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member of host-group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Keytab'),
+ ),
+ parameters.Str(
+ 'managedby_host',
+ label=_(u'Managed by'),
+ ),
+ parameters.Str(
+ 'managing_host',
+ label=_(u'Managing'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_user',
+ label=_(u'Users allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_group',
+ label=_(u'Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_host',
+ label=_(u'Hosts allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_hostgroup',
+ label=_(u'Host Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_user',
+ label=_(u'Users allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_group',
+ label=_(u'Groups allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_host',
+ label=_(u'Hosts allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_hostgroup',
+ label=_(u'Host Groups allowed to create keytab'),
+ ),
+ )
+
+
+@register()
+class host_add(Method):
+ __doc__ = _("Add a new host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force host name even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_reverse',
+ doc=_(u'skip reverse DNS detection'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ip_address',
+ required=False,
+ label=_(u'IP Address'),
+ doc=_(u'Add the host to DNS with this IP address'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_add_cert(Method):
+ __doc__ = _("Add certificates to host entry")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_add_managedby(Method):
+ __doc__ = _("Add hosts that can manage this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class host_allow_create_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class host_allow_retrieve_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class host_del(Method):
+ __doc__ = _("Delete a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ multivalue=True,
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'updatedns',
+ required=False,
+ doc=_(u'Remove entries from DNS'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class host_disable(Method):
+ __doc__ = _("Disable the Kerberos key, SSL certificate and all services of a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_disallow_create_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_disallow_retrieve_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_find(Method):
+ __doc__ = _("Search for hosts.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'fqdn',
+ required=False,
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("hostname")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for hosts with these member of host groups.'),
+ ),
+ parameters.Str(
+ 'not_in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for hosts without these member of host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for hosts with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for hosts without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for hosts with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for hosts without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for hosts with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for hosts without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for hosts with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for hosts without these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'enroll_by_user',
+ required=False,
+ multivalue=True,
+ cli_name='enroll_by_users',
+ label=_(u'user'),
+ doc=_(u'Search for hosts with these enrolled by users.'),
+ ),
+ parameters.Str(
+ 'not_enroll_by_user',
+ required=False,
+ multivalue=True,
+ cli_name='not_enroll_by_users',
+ label=_(u'user'),
+ doc=_(u'Search for hosts without these enrolled by users.'),
+ ),
+ parameters.Str(
+ 'man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts with these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts without these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'man_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts with these managing hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts without these managing hosts.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class host_mod(Method):
+ __doc__ = _("Modify information about a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principalname',
+ label=_(u'Principal name'),
+ doc=_(u'Kerberos principal name for this host'),
+ ),
+ parameters.Flag(
+ 'updatedns',
+ required=False,
+ doc=_(u'Update DNS entries'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_remove_cert(Method):
+ __doc__ = _("Remove certificates from host entry")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_remove_managedby(Method):
+ __doc__ = _("Remove hosts that can manage this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_show(Method):
+ __doc__ = _("Display information about a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/hostgroup.py b/ipaclient/remote_plugins/2_156/hostgroup.py
new file mode 100644
index 000000000..afda19d78
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/hostgroup.py
@@ -0,0 +1,709 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of hosts.
+
+Manage groups of hosts. This is useful for applying access control to a
+number of hosts by using Host-based Access Control.
+
+EXAMPLES:
+
+ Add a new host group:
+ ipa hostgroup-add --desc="Baltimore hosts" baltimore
+
+ Add another new host group:
+ ipa hostgroup-add --desc="Maryland hosts" maryland
+
+ Add members to the hostgroup (using Bash brace expansion):
+ ipa hostgroup-add-member --hosts={box1,box2,box3} baltimore
+
+ Add a hostgroup as a member of another hostgroup:
+ ipa hostgroup-add-member --hostgroups=baltimore maryland
+
+ Remove a host from the hostgroup:
+ ipa hostgroup-remove-member --hosts=box2 baltimore
+
+ Display a host group:
+ ipa hostgroup-show baltimore
+
+ Delete a hostgroup:
+ ipa hostgroup-del baltimore
+""")
+
+register = Registry()
+
+
+@register()
+class hostgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'member_host',
+ required=False,
+ label=_(u'Member hosts'),
+ ),
+ parameters.Str(
+ 'member_hostgroup',
+ required=False,
+ label=_(u'Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_hostgroup',
+ required=False,
+ label=_(u'Member of host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberindirect_host',
+ required=False,
+ label=_(u'Indirect Member hosts'),
+ ),
+ parameters.Str(
+ 'memberindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member of host-group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ )
+
+
+@register()
+class hostgroup_add(Method):
+ __doc__ = _("Add a new hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_add_member(Method):
+ __doc__ = _("Add members to a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hostgroup_del(Method):
+ __doc__ = _("Delete a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hostgroup_find(Method):
+ __doc__ = _("Search for hostgroups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'host'),
+ doc=_(u'Search for host groups with these member hosts.'),
+ ),
+ parameters.Str(
+ 'no_host',
+ required=False,
+ multivalue=True,
+ cli_name='no_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for host groups without these member hosts.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups with these member host groups.'),
+ ),
+ parameters.Str(
+ 'no_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups without these member host groups.'),
+ ),
+ parameters.Str(
+ 'in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups with these member of host groups.'),
+ ),
+ parameters.Str(
+ 'not_in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups without these member of host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for host groups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for host groups without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for host groups with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for host groups without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for host groups with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for host groups without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hostgroup_mod(Method):
+ __doc__ = _("Modify a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_remove_member(Method):
+ __doc__ = _("Remove members from a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hostgroup_show(Method):
+ __doc__ = _("Display information about a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/idrange.py b/ipaclient/remote_plugins/2_156/idrange.py
new file mode 100644
index 000000000..e4f4728ac
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/idrange.py
@@ -0,0 +1,639 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+ID ranges
+
+Manage ID ranges used to map Posix IDs to SIDs and back.
+
+There are two type of ID ranges which are both handled by this utility:
+
+ - the ID ranges of the local domain
+ - the ID ranges of trusted remote domains
+
+Both types have the following attributes in common:
+
+ - base-id: the first ID of the Posix ID range
+ - range-size: the size of the range
+
+With those two attributes a range object can reserve the Posix IDs starting
+with base-id up to but not including base-id+range-size exclusively.
+
+Additionally an ID range of the local domain may set
+ - rid-base: the first RID(*) of the corresponding RID range
+ - secondary-rid-base: first RID of the secondary RID range
+
+and an ID range of a trusted domain must set
+ - rid-base: the first RID of the corresponding RID range
+ - sid: domain SID of the trusted domain
+
+
+
+EXAMPLE: Add a new ID range for a trusted domain
+
+Since there might be more than one trusted domain the domain SID must be given
+while creating the ID range.
+
+ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 \
+ --dom-sid=S-1-5-21-123-456-789 trusted_dom_range
+
+This ID range is then used by the IPA server and the SSSD IPA provider to
+assign Posix UIDs to users from the trusted domain.
+
+If e.g a range for a trusted domain is configured with the following values:
+ base-id = 1200000
+ range-size = 200000
+ rid-base = 0
+the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 13999999. So
+RID 1000 <-> Posix ID 1201000
+
+
+
+EXAMPLE: Add a new ID range for the local domain
+
+To create an ID range for the local domain it is not necessary to specify a
+domain SID. But since it is possible that a user and a group can have the same
+value as Posix ID a second RID interval is needed to handle conflicts.
+
+ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000 \
+ --secondary-rid-base=1000000 local_range
+
+The data from the ID ranges of the local domain are used by the IPA server
+internally to assign SIDs to IPA users and groups. The SID will then be stored
+in the user or group objects.
+
+If e.g. the ID range for the local domain is configured with the values from
+the example above then a new user with the UID 1200007 will get the RID 1007.
+If this RID is already used by a group the RID will be 1000007. This can only
+happen if a user or a group object was created with a fixed ID because the
+automatic assignment will not assign the same ID twice. Since there are only
+users and groups sharing the same ID namespace it is sufficient to have only
+one fallback range to handle conflicts.
+
+To find the Posix ID for a given RID from the local domain it has to be
+checked first if the RID falls in the primary or secondary RID range and
+the rid-base or the secondary-rid-base has to be subtracted, respectively,
+and the base-id has to be added to get the Posix ID.
+
+Typically the creation of ID ranges happens behind the scenes and this CLI
+must not be used at all. The ID range for the local domain will be created
+during installation or upgrade from an older version. The ID range for a
+trusted domain will be created together with the trust by 'ipa trust-add ...'.
+
+USE CASES:
+
+ Add an ID range from a transitively trusted domain
+
+ If the trusted domain (A) trusts another domain (B) as well and this trust
+ is transitive 'ipa trust-add domain-A' will only create a range for
+ domain A. The ID range for domain B must be added manually.
+
+ Add an additional ID range for the local domain
+
+ If the ID range of the local domain is exhausted, i.e. no new IDs can be
+ assigned to Posix users or groups by the DNA plugin, a new range has to be
+ created to allow new users and groups to be added. (Currently there is no
+ connection between this range CLI and the DNA plugin, but a future version
+ might be able to modify the configuration of the DNS plugin as well)
+
+In general it is not necessary to modify or delete ID ranges. If there is no
+other way to achieve a certain configuration than to modify or delete an ID
+range it should be done with great care. Because UIDs are stored in the file
+system and are used for access control it might be possible that users are
+allowed to access files of other users if an ID range got deleted and reused
+for a different domain.
+
+(*) The RID is typically the last integer of a user or group SID which follows
+the domain SID. E.g. if the domain SID is S-1-5-21-123-456-789 and a user from
+this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the
+user. RIDs are unique in a domain, 32bit values and are used for users and
+groups.
+
+=======
+WARNING:
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for
+the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+modified to match the new range.
+=======
+""")
+
+register = Registry()
+
+
+@register()
+class idrange(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Range name'),
+ ),
+ parameters.Int(
+ 'ipabaseid',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ label=_(u'Name of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ )
+
+
+@register()
+class idrange_add(Method):
+ __doc__ = _("""
+Add new ID range.
+
+ To add a new ID range you always have to specify
+
+ --base-id
+ --range-size
+
+ Additionally
+
+ --rid-base
+ --secondary-rid-base
+
+ may be given for a new ID range for the local domain while
+
+ --rid-base
+ --dom-sid
+
+ must be given to add a new range for a trusted AD domain.
+
+=======
+WARNING:
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for
+the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+modified to match the new range.
+=======
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'ipabaseid',
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ cli_name='dom_name',
+ label=_(u'Name of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']",
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_del(Method):
+ __doc__ = _("Delete an ID range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idrange_find(Method):
+ __doc__ = _("Search for ranges.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ parameters.Int(
+ 'ipabaseid',
+ required=False,
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ required=False,
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']",
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idrange_mod(Method):
+ __doc__ = _("""
+Modify ID range.
+
+=======
+WARNING:
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for
+the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+modified to match the new range.
+=======
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'ipabaseid',
+ required=False,
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ required=False,
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_show(Method):
+ __doc__ = _("Display information about a range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
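Review bot: The worked example in the module `__doc__` gives a wrong upper bound: with `base-id = 1200000` and `range-size = 200000` the last Posix ID is 1399999, not `13999999`, which contradicts the "up to but not including base-id+range-size" rule stated earlier in the same docstring. The docstring itself warns that a deleted and reused range can let users access other users' files, so an example that misstates where a range ends is worth correcting to `the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 1399999. So`. In the same docstring, `DNS plugin` in the USE CASES paragraph should read `DNA plugin`, and `1010 id the RID` should read `1010 is the RID`. These strings are wrapped in `_()`, so their translation msgids change with the fix; the file looks like a versioned API snapshot, so the text presumably needs the same correction wherever it originates.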
diff --git a/ipaclient/remote_plugins/2_156/idviews.py b/ipaclient/remote_plugins/2_156/idviews.py
new file mode 100644
index 000000000..2b34cba46
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/idviews.py
@@ -0,0 +1,1491 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+ID Views
+Manage ID Views
+IPA allows to override certain properties of users and groups per each host.
+This functionality is primarily used to allow migration from older systems or
+other Identity Management solutions.
+""")
+
+register = Registry()
+
+
+@register()
+class idoverridegroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ primary_key=True,
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Group name'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ )
+
+
+@register()
+class idoverrideuser(Object):
+ takes_params = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ primary_key=True,
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ label=_(u'User login'),
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ )
+
+
+@register()
+class idview(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_add(Method):
+ __doc__ = _("Add a new Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_del(Method):
+ __doc__ = _("Delete an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ multivalue=True,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idoverridegroup_find(Method):
+ __doc__ = _("Search for an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ required=False,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("anchor")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_mod(Method):
+ __doc__ = _("Modify an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the Group ID override object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_show(Method):
+ __doc__ = _("Display information about an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_add(Method):
+ __doc__ = _("Add a new User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_del(Method):
+ __doc__ = _("Delete an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ multivalue=True,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idoverrideuser_find(Method):
+ __doc__ = _("Search for an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ required=False,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("anchor")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_mod(Method):
+ __doc__ = _("Modify an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the User ID override object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_show(Method):
+ __doc__ = _("Display information about an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_add(Method):
+ __doc__ = _("Add a new ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_apply(Method):
+ __doc__ = _("Applies ID View to specified hosts or current members of specified hostgroups. If any other ID View is applied to the host, it is overridden.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'hosts'),
+ doc=_(u'Hosts to apply the ID View to'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'hostgroups'),
+ doc=_(u'Hostgroups to whose hosts apply the ID View to. Please note that view is not applied automatically to any hosts added to the hostgroup after running the idview-apply command.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'succeeded',
+ dict,
+ doc=_(u'Hosts that this ID View was applied to.'),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Hosts or hostgroups that this ID View could not be applied to.'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of hosts the ID View was applied to:'),
+ ),
+ )
+
+
+@register()
+class idview_del(Method):
+ __doc__ = _("Delete an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idview_find(Method):
+ __doc__ = _("Search for an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idview_mod(Method):
+ __doc__ = _("Modify an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the ID View object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_show(Method):
+ __doc__ = _("Display information about an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'show_hosts',
+ required=False,
+ doc=_(u'Enumerate all the hosts the view applies to.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_unapply(Method):
+ __doc__ = _("Clears ID View from specified hosts or current members of specified hostgroups.")
+
+ takes_options = (
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'hosts'),
+ doc=_(u'Hosts to clear (any) ID View from.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'hostgroups'),
+ doc=_(u'Hostgroups whose hosts should have ID Views cleared. Note that view is not cleared automatically from any host added to the hostgroup after running idview-unapply command.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'succeeded',
+ dict,
+ doc=_(u'Hosts that ID View was cleared from.'),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Hosts or hostgroups that ID View could not be cleared from.'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of hosts that had a ID View was unset:'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/internal.py b/ipaclient/remote_plugins/2_156/internal.py
new file mode 100644
index 000000000..7fec8d26f
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/internal.py
@@ -0,0 +1,92 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugins not accessible directly through the CLI, commands used internally
+""")
+
+register = Registry()
+
+
+@register()
+class i18n_messages(Command):
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'texts',
+ dict,
+ doc=_(u'Dict of I18N messages'),
+ ),
+ )
+
+
+@register()
+class json_metadata(Command):
+ __doc__ = _("Export plugin meta-data for the webUI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'objname',
+ required=False,
+ doc=_(u'Name of object to export'),
+ ),
+ parameters.Str(
+ 'methodname',
+ required=False,
+ doc=_(u'Name of method to export'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'object',
+ required=False,
+ doc=_(u'Name of object to export'),
+ ),
+ parameters.Str(
+ 'method',
+ required=False,
+ doc=_(u'Name of method to export'),
+ ),
+ parameters.Str(
+ 'command',
+ required=False,
+ doc=_(u'Name of command to export'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'objects',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Objects'),
+ ),
+ output.Output(
+ 'methods',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Methods'),
+ ),
+ output.Output(
+ 'commands',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Commands'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/join.py b/ipaclient/remote_plugins/2_156/join.py
new file mode 100644
index 000000000..dc0904dc4
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/join.py
@@ -0,0 +1,64 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Joining an IPA domain
+""")
+
+register = Registry()
+
+
+@register()
+class join(Command):
+ __doc__ = _("Join an IPA domain")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostname',
+ doc=_(u'The hostname to register as'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: unicode(installutils.get_fqdn())
+ autofill=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'realm',
+ doc=_(u'The IPA realm'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: get_realm()
+ autofill=True,
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ doc=_(u'Hardware platform of the host (e.g. Lenovo T61)'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ doc=_(u'Operating System and version of the host (e.g. Fedora 9)'),
+ ),
+ )
+ has_output = (
+ )
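Review bot: Both `cn` and `realm` in `join` are declared with `default_from=DefaultFrom(lambda : None)` and `autofill=True`, so the autofill can never produce a value. The two FIXME comments record that the real callbacks (`installutils.get_fqdn()` and `get_realm()`) were dropped. Neither parameter is marked `required=False`, so a caller relying on the default presumably fails with a missing-value error, though that path is not visible in this hunk. Because `cn` is the identity the host enrolls under, a default that only looks functional is worth removing: either drop `default_from`/`autofill` from the stub or replace each FIXME with a comment stating the contract, e.g. `# No client-side default in this API snapshot; callers must pass the value explicitly.` If this file is produced by a generator, the change belongs there rather than in this copy.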
diff --git a/ipaclient/remote_plugins/2_156/krbtpolicy.py b/ipaclient/remote_plugins/2_156/krbtpolicy.py
new file mode 100644
index 000000000..42a4b2bc7
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/krbtpolicy.py
@@ -0,0 +1,266 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Kerberos ticket policy
+
+There is a single Kerberos ticket policy. This policy defines the
+maximum ticket lifetime and the maximum renewal age, the period during
+which the ticket is renewable.
+
+You can also create a per-user ticket policy by specifying the user login.
+
+For changes to the global policy to take effect, restarting the KDC service
+is required, which can be achieved using:
+
+service krb5kdc restart
+
+Changes to per-user policies take effect immediately for newly requested
+tickets (e.g. when the user next runs kinit).
+
+EXAMPLES:
+
+ Display the current Kerberos ticket policy:
+ ipa krbtpolicy-show
+
+ Reset the policy to the default:
+ ipa krbtpolicy-reset
+
+ Modify the policy to 8 hours max life, 1-day max renewal:
+ ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400
+
+ Display effective Kerberos ticket policy for user 'admin':
+ ipa krbtpolicy-show admin
+
+ Reset per-user policy for user 'admin':
+ ipa krbtpolicy-reset admin
+
+ Modify per-user policy for user 'admin':
+ ipa krbtpolicy-mod admin --maxlife=3600
+""")
+
+register = Registry()
+
+
+@register()
+class krbtpolicy(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ primary_key=True,
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ parameters.Int(
+ 'krbmaxticketlife',
+ required=False,
+ label=_(u'Max life'),
+ doc=_(u'Maximum ticket life (seconds)'),
+ ),
+ parameters.Int(
+ 'krbmaxrenewableage',
+ required=False,
+ label=_(u'Max renew'),
+ doc=_(u'Maximum renewable age (seconds)'),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_mod(Method):
+ __doc__ = _("Modify Kerberos ticket policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxticketlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max life'),
+ doc=_(u'Maximum ticket life (seconds)'),
+ ),
+ parameters.Int(
+ 'krbmaxrenewableage',
+ required=False,
+ cli_name='maxrenew',
+ label=_(u'Max renew'),
+ doc=_(u'Maximum renewable age (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_reset(Method):
+ __doc__ = _("Reset Kerberos ticket policy to the default values.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_show(Method):
+ __doc__ = _("Display the current Kerberos ticket policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
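Review bot: In `krbtpolicy_mod`, the options `krbmaxticketlife` and `krbmaxrenewableage` are plain `parameters.Int` with no lower bound. A value such as `--maxlife=0` or a negative number therefore passes client-side validation, and rejection depends entirely on the server, whose checks are not shown in this diff. Ticket lifetime and renewal age are security policy values, so I would add `minvalue=1,` to both options, and to the same two attributes in the `krbtpolicy` object's `takes_params`. If these stubs are meant to carry no validation, a short comment at the top of the file saying that range checks are enforced server-side only would make that explicit.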
diff --git a/ipaclient/remote_plugins/2_156/migration.py b/ipaclient/remote_plugins/2_156/migration.py
new file mode 100644
index 000000000..89049f257
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/migration.py
@@ -0,0 +1,319 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Migration to IPA
+
+Migrate users and groups from an LDAP server to IPA.
+
+This performs an LDAP query against the remote server searching for
+users and groups in a container. In order to migrate passwords you need
+to bind as a user that can read the userPassword attribute on the remote
+server. This is generally restricted to high-level admins such as
+cn=Directory Manager in 389-ds (this is the default bind user).
+
+The default user container is ou=People.
+
+The default group container is ou=Groups.
+
+Users and groups that already exist on the IPA server are skipped.
+
+Two LDAP schemas define how group members are stored: RFC2307 and
+RFC2307bis. RFC2307bis uses member and uniquemember to specify group
+members, RFC2307 uses memberUid. The default schema is RFC2307bis.
+
+The schema compat feature allows IPA to reformat data for systems that
+do not support RFC2307bis. It is recommended that this feature is disabled
+during migration to reduce system overhead. It can be re-enabled after
+migration. To migrate with it enabled use the "--with-compat" option.
+
+Migrated users do not have Kerberos credentials, they have only their
+LDAP password. To complete the migration process, users need to go
+to http://ipa.example.com/ipa/migration and authenticate using their
+LDAP password in order to generate their Kerberos credentials.
+
+Migration is disabled by default. Use the command ipa config-mod to
+enable it:
+
+ ipa config-mod --enable-migration=TRUE
+
+If a base DN is not provided with --basedn then IPA will use either
+the value of defaultNamingContext if it is set or the first value
+in namingContexts set in the root of the remote LDAP server.
+
+Users are added as members to the default user group. This can be a
+time-intensive task so during migration this is done in a batch
+mode for every 100 users. As a result there will be a window in which
+users will be added to IPA but will not be members of the default
+user group.
+
+EXAMPLES:
+
+ The simplest migration, accepting all defaults:
+ ipa migrate-ds ldap://ds.example.com:389
+
+ Specify the user and group container. This can be used to migrate user
+ and group data from an IPA v1 server:
+ ipa migrate-ds --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ ldap://ds.example.com:389
+
+ Since IPA v2 server already contain predefined groups that may collide with
+ groups in migrated (IPA v1) server (for example admins, ipausers), users
+ having colliding group as their primary group may happen to belong to
+ an unknown group on new IPA v2 server.
+ Use --group-overwrite-gid option to overwrite GID of already existing groups
+ to prevent this issue:
+ ipa migrate-ds --group-overwrite-gid \
+ --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ ldap://ds.example.com:389
+
+ Migrated users or groups may have object class and accompanied attributes
+ unknown to the IPA v2 server. These object classes and attributes may be
+ left out of the migration process:
+ ipa migrate-ds --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ --user-ignore-objectclass=radiusprofile \
+ --user-ignore-attribute=radiusgroupname \
+ ldap://ds.example.com:389
+
+LOGGING
+
+Migration will log warnings and errors to the Apache error log. This
+file should be evaluated post-migration to correct or investigate any
+issues that were discovered.
+
+For every 100 users migrated an info-level message will be displayed to
+give the current progress and duration to make it possible to track
+the progress of migration.
+
+If the log level is debug, either by setting debug = True in
+/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed
+for each user added plus a summary when the default user group is
+updated.
+""")
+
+register = Registry()
+
+
+@register()
+class migrate_ds(Command):
+ __doc__ = _("Migrate users and groups from DS to IPA.")
+
+ takes_args = (
+ parameters.Str(
+ 'ldapuri',
+ cli_name='ldap_uri',
+ label=_(u'LDAP URI'),
+ doc=_(u'LDAP URI of DS server to migrate from'),
+ ),
+ parameters.Password(
+ 'bindpw',
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'bind password'),
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'binddn',
+ required=False,
+ cli_name='bind_dn',
+ label=_(u'Bind DN'),
+ default=DN(u'cn=directory manager'),
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'usercontainer',
+ cli_name='user_container',
+ label=_(u'User container'),
+ doc=_(u'DN of container for users in DS relative to base DN'),
+ default=DN(u'ou=people'),
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'groupcontainer',
+ cli_name='group_container',
+ label=_(u'Group container'),
+ doc=_(u'DN of container for groups in DS relative to base DN'),
+ default=DN(u'ou=groups'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userobjectclass',
+ multivalue=True,
+ cli_name='user_objectclass',
+ label=_(u'User object class'),
+ doc=_(u'Objectclasses used to search for user entries in DS'),
+ default=(u'person',),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupobjectclass',
+ multivalue=True,
+ cli_name='group_objectclass',
+ label=_(u'Group object class'),
+ doc=_(u'Objectclasses used to search for group entries in DS'),
+ default=(u'groupOfUniqueNames', u'groupOfNames'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userignoreobjectclass',
+ required=False,
+ multivalue=True,
+ cli_name='user_ignore_objectclass',
+ label=_(u'Ignore user object class'),
+ doc=_(u'Objectclasses to be ignored for user entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userignoreattribute',
+ required=False,
+ multivalue=True,
+ cli_name='user_ignore_attribute',
+ label=_(u'Ignore user attribute'),
+ doc=_(u'Attributes to be ignored for user entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupignoreobjectclass',
+ required=False,
+ multivalue=True,
+ cli_name='group_ignore_objectclass',
+ label=_(u'Ignore group object class'),
+ doc=_(u'Objectclasses to be ignored for group entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupignoreattribute',
+ required=False,
+ multivalue=True,
+ cli_name='group_ignore_attribute',
+ label=_(u'Ignore group attribute'),
+ doc=_(u'Attributes to be ignored for group entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'groupoverwritegid',
+ cli_name='group_overwrite_gid',
+ label=_(u'Overwrite GID'),
+ doc=_(u'When migrating a group already existing in IPA domain overwrite the group GID and report as success'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'schema',
+ required=False,
+ cli_metavar="['RFC2307bis', 'RFC2307']",
+ label=_(u'LDAP schema'),
+ doc=_(u'The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'),
+ default=u'RFC2307bis',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'continue',
+ required=False,
+ label=_(u'Continue'),
+ doc=_(u'Continuous operation mode. Errors are reported but the process continues'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'basedn',
+ required=False,
+ cli_name='base_dn',
+ label=_(u'Base DN'),
+ doc=_(u'Base DN on remote LDAP server'),
+ ),
+ parameters.Flag(
+ 'compat',
+ required=False,
+ cli_name='with_compat',
+ label=_(u'Ignore compat plugin'),
+ doc=_(u'Allows migration despite the usage of compat plugin'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'cacertfile',
+ required=False,
+ cli_name='ca_cert_file',
+ label=_(u'CA certificate'),
+ doc=_(u'Load CA certificate of LDAP server from FILE'),
+ ),
+ parameters.Bool(
+ 'use_def_group',
+ required=False,
+ cli_name='use_default_group',
+ label=_(u'Add to default group'),
+ doc=_(u'Add migrated users without a group to a default group (default: true)'),
+ default=True,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'scope',
+ cli_metavar="['base', 'subtree', 'onelevel']",
+ label=_(u'Search scope'),
+ doc=_(u'LDAP search scope for users and groups: base, onelevel, or subtree. Defaults to onelevel'),
+ default=u'onelevel',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'exclude_groups',
+ required=False,
+ multivalue=True,
+ doc=_(u'groups to exclude from migration'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'exclude_users',
+ required=False,
+ multivalue=True,
+ doc=_(u'users to exclude from migration'),
+ default=(),
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Lists of objects migrated; categorized by type.'),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Lists of objects that could not be migrated; categorized by type.'),
+ ),
+ output.Output(
+ 'enabled',
+ bool,
+ doc=_(u'False if migration mode was disabled.'),
+ ),
+ output.Output(
+ 'compat',
+ bool,
+ doc=_(u'False if migration fails because the compatibility plug-in is enabled.'),
+ ),
+ )
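Review bot: The module docstring sends migrated users to `http://ipa.example.com/ipa/migration` to enter their LDAP password, which documents a cleartext password submission; the help text should read `https://ipa.example.com/ipa/migration`. Every `ipa migrate-ds` example also uses `ldap://ds.example.com:389`, while `binddn` defaults to `cn=directory manager` and the text says the bind user must be able to read userPassword. The examples should at least mention `ldaps://` and the `--ca-cert-file` option that `cacertfile` already declares, so the bind password and the migrated password hashes are not shown crossing the network unprotected. If this module is a generated snapshot of the server API (it looks like one, though the hunk does not say so), the wording has to be fixed in the server-side plugin it is copied from.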
diff --git a/ipaclient/remote_plugins/2_156/misc.py b/ipaclient/remote_plugins/2_156/misc.py
new file mode 100644
index 000000000..4889e666b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/misc.py
@@ -0,0 +1,113 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Misc plug-ins
+""")
+
+register = Registry()
+
+
+@register()
+class env(Command):
+ __doc__ = _("Show environment variables.")
+
+ takes_args = (
+ parameters.Str(
+ 'variables',
+ required=False,
+ multivalue=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'server',
+ required=False,
+ doc=_(u'Forward to server instead of running locally'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=True,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ output.Output(
+ 'total',
+ int,
+ doc=_(u'Total number of variables env (>= count)'),
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of variables returned (<= total)'),
+ ),
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
+
+
+@register()
+class plugins(Command):
+ __doc__ = _("Show all loaded plugins.")
+
+ takes_options = (
+ parameters.Flag(
+ 'server',
+ required=False,
+ doc=_(u'Forward to server instead of running locally'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=True,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping plugin names to bases'),
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of plugins loaded'),
+ ),
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/netgroup.py b/ipaclient/remote_plugins/2_156/netgroup.py
new file mode 100644
index 000000000..a04d99276
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/netgroup.py
@@ -0,0 +1,865 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Netgroups
+
+A netgroup is a group used for permission checking. It can contain both
+user and host values.
+
+EXAMPLES:
+
+ Add a new netgroup:
+ ipa netgroup-add --desc="NFS admins" admins
+
+ Add members to the netgroup:
+ ipa netgroup-add-member --users=tuser1 --users=tuser2 admins
+
+ Remove a member from the netgroup:
+ ipa netgroup-remove-member --users=tuser2 admins
+
+ Display information about a netgroup:
+ ipa netgroup-show admins
+
+ Delete a netgroup:
+ ipa netgroup-del admins
+""")
+
+register = Registry()
+
+
+@register()
+class netgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Netgroup name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'ipauniqueid',
+ required=False,
+ label=_(u'IPA unique ID'),
+ doc=_(u'IPA unique ID'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ parameters.Str(
+ 'member_netgroup',
+ required=False,
+ label=_(u'Member netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member netgroups'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Member User'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'Member Group'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Member Host'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Member Hostgroup'),
+ ),
+ )
+
+
+@register()
+class netgroup_add(Method):
+ __doc__ = _("Add a new netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class netgroup_add_member(Method):
+ __doc__ = _("Add members to a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'member netgroup'),
+ doc=_(u'netgroups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class netgroup_del(Method):
+ __doc__ = _("Delete a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class netgroup_find(Method):
+ __doc__ = _("Search for a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'ipauniqueid',
+ required=False,
+ cli_name='uuid',
+ label=_(u'IPA unique ID'),
+ doc=_(u'IPA unique ID'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'private',
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'managed',
+ doc=_(u'search for managed groups'),
+ default=False,
+ default_from=DefaultFrom(lambda private: private),
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups with these member netgroups.'),
+ ),
+ parameters.Str(
+ 'no_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups without these member netgroups.'),
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'user'),
+ doc=_(u'Search for netgroups with these member users.'),
+ ),
+ parameters.Str(
+ 'no_user',
+ required=False,
+ multivalue=True,
+ cli_name='no_users',
+ label=_(u'user'),
+ doc=_(u'Search for netgroups without these member users.'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'group'),
+ doc=_(u'Search for netgroups with these member groups.'),
+ ),
+ parameters.Str(
+ 'no_group',
+ required=False,
+ multivalue=True,
+ cli_name='no_groups',
+ label=_(u'group'),
+ doc=_(u'Search for netgroups without these member groups.'),
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'host'),
+ doc=_(u'Search for netgroups with these member hosts.'),
+ ),
+ parameters.Str(
+ 'no_host',
+ required=False,
+ multivalue=True,
+ cli_name='no_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for netgroups without these member hosts.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for netgroups with these member host groups.'),
+ ),
+ parameters.Str(
+ 'no_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for netgroups without these member host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups without these member of netgroups.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class netgroup_mod(Method):
+ __doc__ = _("Modify a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class netgroup_remove_member(Method):
+ __doc__ = _("Remove members from a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'member netgroup'),
+ doc=_(u'netgroups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class netgroup_show(Method):
+ __doc__ = _("Display information about a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
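Review bot: `usercategory` and `hostcategory` in `netgroup_add`, `netgroup_mod` and `netgroup_find` are plain `parameters.Str` whose only hint at the accepted value is `cli_metavar="['all']"`, and their doc string does not say what that value does. The module docstring describes a netgroup as a group used for permission checking, so a category of `all` presumably widens the group to every user or host. The help text should say so, e.g. `doc=_(u"User category the rule applies to ('all' matches every user)")`, with the matching wording for hosts. Nothing in this hunk validates the value on the client, so it is worth confirming that the server rejects anything else.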
diff --git a/ipaclient/remote_plugins/2_156/otpconfig.py b/ipaclient/remote_plugins/2_156/otpconfig.py
new file mode 100644
index 000000000..1aceb903e
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/otpconfig.py
@@ -0,0 +1,206 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+OTP configuration
+
+Manage the default values that IPA uses for OTP tokens.
+
+EXAMPLES:
+
+ Show basic OTP configuration:
+ ipa otpconfig-show
+
+ Show all OTP configuration options:
+ ipa otpconfig-show --all
+
+ Change maximum TOTP authentication window to 10 minutes:
+ ipa otpconfig-mod --totp-auth-window=600
+
+ Change maximum TOTP synchronization window to 12 hours:
+ ipa otpconfig-mod --totp-sync-window=43200
+
+ Change maximum HOTP authentication window to 5:
+ ipa hotpconfig-mod --hotp-auth-window=5
+
+ Change maximum HOTP synchronization window to 50:
+ ipa hotpconfig-mod --hotp-sync-window=50
+""")
+
+register = Registry()
+
+
+@register()
+class otpconfig(Object):
+ takes_params = (
+ parameters.Int(
+ 'ipatokentotpauthwindow',
+ label=_(u'TOTP authentication Window'),
+ doc=_(u'TOTP authentication time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokentotpsyncwindow',
+ label=_(u'TOTP Synchronization Window'),
+ doc=_(u'TOTP synchronization time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpauthwindow',
+ label=_(u'HOTP Authentication Window'),
+ doc=_(u'HOTP authentication skip-ahead'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpsyncwindow',
+ label=_(u'HOTP Synchronization Window'),
+ doc=_(u'HOTP synchronization skip-ahead'),
+ ),
+ )
+
+
+@register()
+class otpconfig_mod(Method):
+ __doc__ = _("Modify OTP configuration options.")
+
+ takes_options = (
+ parameters.Int(
+ 'ipatokentotpauthwindow',
+ required=False,
+ cli_name='totp_auth_window',
+ label=_(u'TOTP authentication Window'),
+ doc=_(u'TOTP authentication time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokentotpsyncwindow',
+ required=False,
+ cli_name='totp_sync_window',
+ label=_(u'TOTP Synchronization Window'),
+ doc=_(u'TOTP synchronization time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpauthwindow',
+ required=False,
+ cli_name='hotp_auth_window',
+ label=_(u'HOTP Authentication Window'),
+ doc=_(u'HOTP authentication skip-ahead'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpsyncwindow',
+ required=False,
+ cli_name='hotp_sync_window',
+ label=_(u'HOTP Synchronization Window'),
+ doc=_(u'HOTP synchronization skip-ahead'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class otpconfig_show(Method):
+ __doc__ = _("Show the current OTP configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
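Review bot: The two HOTP examples in the module docstring call `ipa hotpconfig-mod`, but the only modify command this file registers is `otpconfig_mod`, which is also where `hotp_auth_window` and `hotp_sync_window` are declared. The examples should read `ipa otpconfig-mod --hotp-auth-window=5` and `ipa otpconfig-mod --hotp-sync-window=50`. Separately, the four window options are plain `parameters.Int` with no bounds visible in this hunk, so this client-side definition would accept a very large authentication window. If the server does not enforce limits, `minvalue`/`maxvalue` or a comment naming where the limit is enforced would be worth adding. If this file is generated, the docstring fix presumably belongs in the source plugin rather than here.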
diff --git a/ipaclient/remote_plugins/2_156/otptoken.py b/ipaclient/remote_plugins/2_156/otptoken.py
new file mode 100644
index 000000000..0b2b54c6e
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/otptoken.py
@@ -0,0 +1,893 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+OTP Tokens
+
+Manage OTP tokens.
+
+IPA supports the use of OTP tokens for multi-factor authentication. This
+code enables the management of OTP tokens.
+
+EXAMPLES:
+
+ Add a new token:
+ ipa otptoken-add --type=totp --owner=jdoe --desc="My soft token"
+
+ Examine the token:
+ ipa otptoken-show a93db710-a31a-4639-8647-f15b2c70b78a
+
+ Change the vendor:
+ ipa otptoken-mod a93db710-a31a-4639-8647-f15b2c70b78a --vendor="Red Hat"
+
+ Delete a token:
+ ipa otptoken-del a93db710-a31a-4639-8647-f15b2c70b78a
+""")
+
+register = Registry()
+
+
+@register()
+class otptoken(Object):
+ takes_params = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ primary_key=True,
+ label=_(u'Unique ID'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of the token'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Str(
+ 'managedby_user',
+ required=False,
+ label=_(u'Manager'),
+ doc=_(u'Assigned manager of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Bytes(
+ 'ipatokenotpkey',
+ required=False,
+ label=_(u'Key'),
+ doc=_(u'Token secret (Base32; default: random)'),
+ ),
+ parameters.Str(
+ 'ipatokenotpalgorithm',
+ required=False,
+ label=_(u'Algorithm'),
+ doc=_(u'Token hash algorithm'),
+ ),
+ parameters.Int(
+ 'ipatokenotpdigits',
+ required=False,
+ label=_(u'Digits'),
+ doc=_(u'Number of digits each token code will have'),
+ ),
+ parameters.Int(
+ 'ipatokentotpclockoffset',
+ required=False,
+ label=_(u'Clock offset'),
+ doc=_(u'TOTP token / FreeIPA server time difference'),
+ ),
+ parameters.Int(
+ 'ipatokentotptimestep',
+ required=False,
+ label=_(u'Clock interval'),
+ doc=_(u'Length of TOTP token code validity'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpcounter',
+ required=False,
+ label=_(u'Counter'),
+ doc=_(u'Initial counter for the HOTP token'),
+ ),
+ )
+
+
+@register()
+class otptoken_add(Method):
+ __doc__ = _("Add a new OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ required=False,
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']",
+ label=_(u'Type'),
+ doc=_(u'Type of the token'),
+ default=u'totp',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ cli_name='owner',
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ cli_name='disabled',
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ cli_name='not_before',
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ cli_name='not_after',
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ cli_name='vendor',
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ cli_name='model',
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Bytes(
+ 'ipatokenotpkey',
+ required=False,
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Token secret (Base32; default: random)'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: os.urandom(KEY_LENGTH)
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ipatokenotpalgorithm',
+ required=False,
+ cli_name='algo',
+ cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']",
+ label=_(u'Algorithm'),
+ doc=_(u'Token hash algorithm'),
+ default=u'sha1',
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokenotpdigits',
+ required=False,
+ cli_name='digits',
+ cli_metavar="['6', '8']",
+ label=_(u'Digits'),
+ doc=_(u'Number of digits each token code will have'),
+ default=6,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokentotpclockoffset',
+ required=False,
+ cli_name='offset',
+ label=_(u'Clock offset'),
+ doc=_(u'TOTP token / FreeIPA server time difference'),
+ default=0,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokentotptimestep',
+ required=False,
+ cli_name='interval',
+ label=_(u'Clock interval'),
+ doc=_(u'Length of TOTP token code validity'),
+ default=30,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokenhotpcounter',
+ required=False,
+ cli_name='counter',
+ label=_(u'Counter'),
+ doc=_(u'Initial counter for the HOTP token'),
+ default=0,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'qrcode',
+ required=False,
+ label=_(u'(deprecated)'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_qrcode',
+ label=_(u'Do not display QR code'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class otptoken_add_managedby(Method):
+ __doc__ = _("Add users that can manage this token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class otptoken_del(Method):
+ __doc__ = _("Delete an OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ multivalue=True,
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class otptoken_find(Method):
+ __doc__ = _("Search for OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ required=False,
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']",
+ label=_(u'Type'),
+ doc=_(u'Type of the token'),
+ default=u'totp',
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ cli_name='owner',
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ cli_name='disabled',
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ cli_name='not_before',
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ cli_name='not_after',
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ cli_name='vendor',
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ cli_name='model',
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenotpalgorithm',
+ required=False,
+ cli_name='algo',
+ cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']",
+ label=_(u'Algorithm'),
+ doc=_(u'Token hash algorithm'),
+ default=u'sha1',
+ ),
+ parameters.Int(
+ 'ipatokenotpdigits',
+ required=False,
+ cli_name='digits',
+ cli_metavar="['6', '8']",
+ label=_(u'Digits'),
+ doc=_(u'Number of digits each token code will have'),
+ default=6,
+ ),
+ parameters.Int(
+ 'ipatokentotpclockoffset',
+ required=False,
+ cli_name='offset',
+ label=_(u'Clock offset'),
+ doc=_(u'TOTP token / FreeIPA server time difference'),
+ default=0,
+ ),
+ parameters.Int(
+ 'ipatokentotptimestep',
+ required=False,
+ cli_name='interval',
+ label=_(u'Clock interval'),
+ doc=_(u'Length of TOTP token code validity'),
+ default=30,
+ ),
+ parameters.Int(
+ 'ipatokenhotpcounter',
+ required=False,
+ cli_name='counter',
+ label=_(u'Counter'),
+ doc=_(u'Initial counter for the HOTP token'),
+ default=0,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("id")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class otptoken_mod(Method):
+ __doc__ = _("Modify a OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ cli_name='owner',
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ cli_name='disabled',
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ cli_name='not_before',
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ cli_name='not_after',
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ cli_name='vendor',
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ cli_name='model',
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the OTP token object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class otptoken_remove_managedby(Method):
+ __doc__ = _("Remove users that can manage this token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class otptoken_show(Method):
+ __doc__ = _("Display information about an OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
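Review bot: In `otptoken_add`, the `ipatokenotpkey` option documents its default as random, yet its default callback is `DefaultFrom(lambda : None)` with `autofill=True`, and the original `os.urandom(KEY_LENGTH)` survives only as a comment under a bare `# FIXME:`. Nothing in this hunk shows where the secret is generated when the caller omits `--key`, so a reader cannot confirm from this file that a token never ends up with an empty key. Presumably the server fills it in, and the comment should say so. I would replace the bare marker with something like `# Placeholder default: this stub does not generate the secret; the real default (os.urandom(KEY_LENGTH)) must be applied elsewhere.` The same placeholder pattern appears in passwd.py for `principal` and `current_password`, where it decides whose password is changed and whether the current one is requested, so it deserves the same comment there.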
diff --git a/ipaclient/remote_plugins/2_156/otptoken_yubikey.py b/ipaclient/remote_plugins/2_156/otptoken_yubikey.py
new file mode 100644
index 000000000..61fe1b484
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/otptoken_yubikey.py
@@ -0,0 +1,33 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+YubiKey Tokens
+
+Manage YubiKey tokens.
+
+This code is an extension to the otptoken plugin and provides support for
+reading/writing YubiKey tokens directly.
+
+EXAMPLES:
+
+ Add a new token:
+ ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey"
+""")
+
+register = Registry()
diff --git a/ipaclient/remote_plugins/2_156/passwd.py b/ipaclient/remote_plugins/2_156/passwd.py
new file mode 100644
index 000000000..66ec54b5c
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/passwd.py
@@ -0,0 +1,93 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Set a user's password
+
+If someone other than a user changes that user's password (e.g., Helpdesk
+resets it) then the password will need to be changed the first time it
+is used. This is so the end-user is the only one who knows the password.
+
+The IPA password policy controls how often a password may be changed,
+what strength requirements exist, and the length of the password history.
+
+EXAMPLES:
+
+ To reset your own password:
+ ipa passwd
+
+ To change another user's password:
+ ipa passwd tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class passwd(Command):
+ __doc__ = _("Set a user's password.")
+
+ takes_args = (
+ parameters.Str(
+ 'principal',
+ cli_name='user',
+ label=_(u'User name'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: util.get_current_principal()
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Password(
+ 'password',
+ label=_(u'New Password'),
+ confirm=True,
+ ),
+ parameters.Password(
+ 'current_password',
+ label=_(u'Current Password'),
+ default_from=DefaultFrom(lambda principal: None, 'principal'),
+ # FIXME:
+ # lambda principal: get_current_password(principal)
+ autofill=True,
+ ),
+ )
+ takes_options = (
+ parameters.Password(
+ 'otp',
+ required=False,
+ label=_(u'OTP'),
+ doc=_(u'One Time Password'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/permission.py b/ipaclient/remote_plugins/2_156/permission.py
new file mode 100644
index 000000000..94cd1bbaa
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/permission.py
@@ -0,0 +1,1099 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Permissions
+
+A permission enables fine-grained delegation of rights. A permission is
+a human-readable wrapper around a 389-ds Access Control Rule,
+or instruction (ACI).
+A permission grants the right to perform a specific task such as adding a
+user, modifying a group, etc.
+
+A permission may not contain other permissions.
+
+* A permission grants access to read, write, add, delete, read, search,
+ or compare.
+* A privilege combines similar permissions (for example all the permissions
+ needed to add a user).
+* A role grants a set of privileges to users, groups, hosts or hostgroups.
+
+A permission is made up of a number of different parts:
+
+1. The name of the permission.
+2. The target of the permission.
+3. The rights granted by the permission.
+
+Rights define what operations are allowed, and may be one or more
+of the following:
+1. write - write one or more attributes
+2. read - read one or more attributes
+3. search - search on one or more attributes
+4. compare - compare one or more attributes
+5. add - add a new entry to the tree
+6. delete - delete an existing entry
+7. all - all permissions are granted
+
+Note the distinction between attributes and entries. The permissions are
+independent, so being able to add a user does not mean that the user will
+be editable.
+
+There are a number of allowed targets:
+1. subtree: a DN; the permission applies to the subtree under this DN
+2. target filter: an LDAP filter
+3. target: DN with possible wildcards, specifies entries permission applies to
+
+Additionally, there are the following convenience options.
+Setting one of these options will set the corresponding attribute(s).
+1. type: a type of object (user, group, etc); sets subtree and target filter.
+2. memberof: apply to members of a group; sets target filter
+3. targetgroup: grant access to modify a specific group (such as granting
+ the rights to manage group membership); sets target.
+
+Managed permissions
+
+Permissions that come with IPA by default can be so-called "managed"
+permissions. These have a default set of attributes they apply to,
+but the administrator can add/remove individual attributes to/from the set.
+
+Deleting or renaming a managed permission, as well as changing its target,
+is not allowed.
+
+EXAMPLES:
+
+ Add a permission that grants the creation of users:
+ ipa permission-add --type=user --permissions=add "Add Users"
+
+ Add a permission that grants the ability to manage group membership:
+ ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members"
+""")
+
+register = Registry()
+
+
+@register()
+class permission(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Permission name'),
+ ),
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermincludedattr',
+ required=False,
+ multivalue=True,
+ label=_(u'Included attributes'),
+ doc=_(u'User-specified attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermexcludedattr',
+ required=False,
+ multivalue=True,
+ label=_(u'Excluded attributes'),
+ doc=_(u'User-specified attributes to which the permission explicitly does not apply'),
+ ),
+ parameters.Str(
+ 'ipapermdefaultattr',
+ required=False,
+ multivalue=True,
+ label=_(u'Default attributes'),
+ doc=_(u'Attributes to which the permission applies by default'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ label=_(u'Bind rule type'),
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetto',
+ required=False,
+ label=_(u'Target DN subtree'),
+ doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetfrom',
+ required=False,
+ label=_(u'Origin DN subtree'),
+ doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ ),
+ parameters.Str(
+ 'member_privilege',
+ required=False,
+ label=_(u'Granted to Privilege'),
+ ),
+ parameters.Str(
+ 'memberindirect_role',
+ required=False,
+ label=_(u'Indirect Member of roles'),
+ ),
+ )
+
+
+@register()
+class permission_add(Method):
+ __doc__ = _("Add a new permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ cli_name='right',
+ cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']",
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ cli_name='bindtype',
+ cli_metavar="['permission', 'all', 'anonymous']",
+ label=_(u'Bind rule type'),
+ default=u'permission',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ cli_name='subtree',
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='filter',
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='rawfilter',
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ cli_name='target',
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetto',
+ required=False,
+ cli_name='targetto',
+ label=_(u'Target DN subtree'),
+ doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetfrom',
+ required=False,
+ cli_name='targetfrom',
+ label=_(u'Origin DN subtree'),
+ doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_add_member(Method):
+ __doc__ = _("Add members to a permission.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'member privilege'),
+ doc=_(u'privileges to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class permission_add_noaci(Method):
+ __doc__ = _("Add a system permission without an ACI (internal command)")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipapermissiontype',
+ multivalue=True,
+ label=_(u'Permission flags'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_del(Method):
+ __doc__ = _("Delete a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force delete of SYSTEM permissions'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class permission_find(Method):
+ __doc__ = _("Search for permissions.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ cli_name='right',
+ cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']",
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermincludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='includedattrs',
+ label=_(u'Included attributes'),
+ doc=_(u'User-specified attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermexcludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='excludedattrs',
+ label=_(u'Excluded attributes'),
+ doc=_(u'User-specified attributes to which the permission explicitly does not apply'),
+ ),
+ parameters.Str(
+ 'ipapermdefaultattr',
+ required=False,
+ multivalue=True,
+ cli_name='defaultattrs',
+ label=_(u'Default attributes'),
+ doc=_(u'Attributes to which the permission applies by default'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ required=False,
+ cli_name='bindtype',
+ cli_metavar="['permission', 'all', 'anonymous']",
+ label=_(u'Bind rule type'),
+ default=u'permission',
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ cli_name='subtree',
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='filter',
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='rawfilter',
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ cli_name='target',
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetto',
+ required=False,
+ cli_name='targetto',
+ label=_(u'Target DN subtree'),
+ doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetfrom',
+ required=False,
+ cli_name='targetfrom',
+ label=_(u'Origin DN subtree'),
+ doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class permission_mod(Method):
+ __doc__ = _("Modify a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ cli_name='right',
+ cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']",
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermincludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='includedattrs',
+ label=_(u'Included attributes'),
+ doc=_(u'User-specified attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermexcludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='excludedattrs',
+ label=_(u'Excluded attributes'),
+ doc=_(u'User-specified attributes to which the permission explicitly does not apply'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ required=False,
+ cli_name='bindtype',
+ cli_metavar="['permission', 'all', 'anonymous']",
+ label=_(u'Bind rule type'),
+ default=u'permission',
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ cli_name='subtree',
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='filter',
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='rawfilter',
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ cli_name='target',
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetto',
+ required=False,
+ cli_name='targetto',
+ label=_(u'Target DN subtree'),
+ doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetfrom',
+ required=False,
+ cli_name='targetfrom',
+ label=_(u'Origin DN subtree'),
+ doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the permission object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_remove_member(Method):
+ __doc__ = _("Remove members from a permission.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'member privilege'),
+ doc=_(u'privileges to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class permission_show(Method):
+ __doc__ = _("Display information about a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
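Review bot: `ipapermbindruletype` in `permission_add`, `permission_find` and `permission_mod` has a label and a `cli_metavar` of `['permission', 'all', 'anonymous']` but no `doc=`, although it is the option that decides who a permission is granted to. The help text should say what each value means, for example `doc=_(u'Bind rule type: permission (members of privileges holding it), all (any authenticated user), anonymous (any client)')`; those meanings are inferred from the value names, so confirm them against the server plugin before using this wording. The module docstring also lists `read` twice in `read, write, add, delete, read, search, or compare`. If this module is generated from the server API, both fixes belong in the server-side definition rather than here.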
diff --git a/ipaclient/remote_plugins/2_156/ping.py b/ipaclient/remote_plugins/2_156/ping.py
new file mode 100644
index 000000000..e9344127c
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/ping.py
@@ -0,0 +1,62 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Ping the remote IPA server to ensure it is running.
+
+The ping command sends an echo request to an IPA server. The server
+returns its version information. This is used by an IPA client
+to confirm that the server is available and accepting requests.
+
+The server from xmlrpc_uri in /etc/ipa/default.conf is contacted first.
+If it does not respond then the client will contact any servers defined
+by ldap SRV records in DNS.
+
+EXAMPLES:
+
+ Ping an IPA server:
+ ipa ping
+ ------------------------------------------
+ IPA server version 2.1.9. API version 2.20
+ ------------------------------------------
+
+ Ping an IPA server verbosely:
+ ipa -v ping
+ ipa: INFO: trying https://ipa.example.com/ipa/xml
+ ipa: INFO: Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
+ -----------------------------------------------------
+ IPA server version 2.1.9. API version 2.20
+ -----------------------------------------------------
+""")
+
+register = Registry()
+
+
+@register()
+class ping(Command):
+ __doc__ = _("Ping a remote server.")
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/pkinit.py b/ipaclient/remote_plugins/2_156/pkinit.py
new file mode 100644
index 000000000..fcb4c6b6b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/pkinit.py
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Kerberos pkinit options
+
+Enable or disable anonymous pkinit using the principal
+WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
+pkinit support.
+
+EXAMPLES:
+
+ Enable anonymous pkinit:
+ ipa pkinit-anonymous enable
+
+ Disable anonymous pkinit:
+ ipa pkinit-anonymous disable
+
+For more information on anonymous pkinit see:
+
+http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+""")
+
+register = Registry()
+
+
+@register()
+class pkinit(Object):
+ takes_params = (
+ )
+
+
+@register()
+class pkinit_anonymous(Command):
+ __doc__ = _("Enable or Disable Anonymous PKINIT.")
+
+ takes_args = (
+ parameters.Str(
+ 'action',
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
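Review bot: The `action` argument of `pkinit_anonymous` is a bare `parameters.Str('action')` with no label, `doc=` or hint of the accepted values, while the module docstring shows only `enable` and `disable`. Since the command toggles anonymous PKINIT, the help should name the two values the way `permission.py` in this commit does for its enumerated options, e.g. `cli_metavar="['enable', 'disable']",` plus `doc=_(u'enable or disable')`. Nothing in this file rejects any other string, so validation presumably rests with the server. The reference link in the docstring is plain `http://`; switch it to `https://` if the wiki serves one.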
diff --git a/ipaclient/remote_plugins/2_156/privilege.py b/ipaclient/remote_plugins/2_156/privilege.py
new file mode 100644
index 000000000..9fb436a92
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/privilege.py
@@ -0,0 +1,656 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Privileges
+
+A privilege combines permissions into a logical task. A permission provides
+the rights to do a single task. There are some IPA operations that require
+multiple permissions to succeed. A privilege is where permissions are
+combined in order to perform a specific task.
+
+For example, adding a user requires the following permissions:
+ * Creating a new user entry
+ * Resetting a user password
+ * Adding the new user to the default IPA users group
+
+Combining these three low-level tasks into a higher level task in the
+form of a privilege named "Add User" makes it easier to manage Roles.
+
+A privilege may not contain other privileges.
+
+See role and permission for additional information.
+""")
+
+register = Registry()
+
+
+@register()
+class privilege(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Privilege name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'memberof_permission',
+ required=False,
+ label=_(u'Permissions'),
+ ),
+ parameters.Str(
+ 'member_role',
+ required=False,
+ label=_(u'Granting privilege to roles'),
+ ),
+ )
+
+
+@register()
+class privilege_add(Method):
+ __doc__ = _("Add a new privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class privilege_add_member(Method):
+ __doc__ = _("Add members to a privilege.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'role',
+ required=False,
+ multivalue=True,
+ cli_name='roles',
+ label=_(u'member role'),
+ doc=_(u'roles to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class privilege_add_permission(Method):
+ __doc__ = _("Add permissions to a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ multivalue=True,
+ cli_name='permissions',
+ label=_(u'permission'),
+ doc=_(u'permissions'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of permissions added'),
+ ),
+ )
+
+
+@register()
+class privilege_del(Method):
+ __doc__ = _("Delete a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class privilege_find(Method):
+ __doc__ = _("Search for privileges.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class privilege_mod(Method):
+ __doc__ = _("Modify a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the privilege object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class privilege_remove_member(Method):
+ __doc__ = _("Remove members from a privilege")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'role',
+ required=False,
+ multivalue=True,
+ cli_name='roles',
+ label=_(u'member role'),
+ doc=_(u'roles to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class privilege_remove_permission(Method):
+ __doc__ = _("Remove permissions from a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ multivalue=True,
+ cli_name='permissions',
+ label=_(u'permission'),
+ doc=_(u'permissions'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of permissions removed'),
+ ),
+ )
+
+
+@register()
+class privilege_show(Method):
+ __doc__ = _("Display information about a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
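Review bot: In `privilege_remove_permission` the `failed` output is documented as `Members that could not be added`, which is the wrong direction for a removal command; `privilege_remove_member` just above uses `Members that could not be removed`. I would change that line to `doc=_(u'Members that could not be removed'),` so the failed output of a permission removal is not described as an add operation. If these strings are copied verbatim from the server's API metadata so that translations match, the same correction is needed in the server plugin. A smaller point of style: the `__doc__` of `privilege_remove_member` lacks the trailing period that every sibling command has.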
diff --git a/ipaclient/remote_plugins/2_156/pwpolicy.py b/ipaclient/remote_plugins/2_156/pwpolicy.py
new file mode 100644
index 000000000..6010579d3
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/pwpolicy.py
@@ -0,0 +1,937 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Password policy
+
+A password policy sets limitations on IPA passwords, including maximum
+lifetime, minimum lifetime, the number of passwords to save in
+history, the number of character classes required (for stronger passwords)
+and the minimum password length.
+
+By default there is a single, global policy for all users. You can also
+create a password policy to apply to a group. Each user is only subject
+to one password policy, either the group policy or the global policy. A
+group policy stands alone; it is not a super-set of the global policy plus
+custom settings.
+
+Each group password policy requires a unique priority setting. If a user
+is in multiple groups that have password policies, this priority determines
+which password policy is applied. A lower value indicates a higher priority
+policy.
+
+Group password policies are automatically removed when the groups they
+are associated with are removed.
+
+EXAMPLES:
+
+ Modify the global policy:
+ ipa pwpolicy-mod --minlength=10
+
+ Add a new group password policy:
+ ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins
+
+ Display the global password policy:
+ ipa pwpolicy-show
+
+ Display a group password policy:
+ ipa pwpolicy-show localadmins
+
+ Display the policy that would be applied to a given user:
+ ipa pwpolicy-show --user=tuser1
+
+ Modify a group password policy:
+ ipa pwpolicy-mod --minclasses=2 localadmins
+""")
+
+register = Registry()
+
+
+@register()
+class cosentry(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ ),
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ ),
+ parameters.Int(
+ 'cospriority',
+ ),
+ )
+
+
+@register()
+class pwpolicy(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ primary_key=True,
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ )
+
+
+@register()
+class cosentry_add(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ ),
+ parameters.Int(
+ 'cospriority',
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cosentry_del(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class cosentry_find(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ ),
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ required=False,
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("cn")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class cosentry_mod(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ required=False,
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cosentry_show(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_add(Method):
+ __doc__ = _("Add a new group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_del(Method):
+ __doc__ = _("Delete a group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class pwpolicy_find(Method):
+ __doc__ = _("Search for group password policies.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("group")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class pwpolicy_mod(Method):
+ __doc__ = _("Modify a group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_show(Method):
+ __doc__ = _("Display information about password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ label=_(u'User'),
+ doc=_(u'Display effective policy for a specific user'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
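Review bot: The `cospriority` help text `Priority of the policy (higher number means lower priority` is missing its closing parenthesis in `pwpolicy`, `pwpolicy_add`, `pwpolicy_find` and `pwpolicy_mod`; it should read `doc=_(u'Priority of the policy (higher number means lower priority)'),`, assuming the msgid is not required to match the server's string byte for byte. Separately, none of the `parameters.Int` policy options here (`krbpwdminlength`, `krbpwdmaxfailure`, `krbpwdlockoutduration` and the rest) carries a `minvalue` or `maxvalue`, so negative or absurd values are not caught on the client. That is acceptable only if the server enforces the ranges, which this hunk does not show; a short comment above `takes_params` in `pwpolicy`, such as `# range checks are enforced by the server, not by this stub`, would make that dependency explicit.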
diff --git a/ipaclient/remote_plugins/2_156/radiusproxy.py b/ipaclient/remote_plugins/2_156/radiusproxy.py
new file mode 100644
index 000000000..9bc020b5d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/radiusproxy.py
@@ -0,0 +1,521 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+RADIUS Proxy Servers
+
+Manage RADIUS Proxy Servers.
+
+IPA supports the use of an external RADIUS proxy server for krb5 OTP
+authentications. This permits a great deal of flexibility when
+integrating with third-party authentication services.
+
+EXAMPLES:
+
+ Add a new server:
+ ipa radiusproxy-add MyRADIUS --server=radius.example.com:1812
+
+ Find all servers whose entries include the string "example.com":
+ ipa radiusproxy-find example.com
+
+ Examine the configuration:
+ ipa radiusproxy-show MyRADIUS
+
+ Change the secret:
+ ipa radiusproxy-mod MyRADIUS --secret
+
+ Delete a configuration:
+ ipa radiusproxy-del MyRADIUS
+""")
+
+register = Registry()
+
+
+@register()
+class radiusproxy(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'RADIUS proxy server name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ multivalue=True,
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ )
+
+
+@register()
+class radiusproxy_add(Method):
+ __doc__ = _("Add a new RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ multivalue=True,
+ cli_name='server',
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ cli_name='secret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ exclude=('cli', 'webui'),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ cli_name='retries',
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ cli_name='userattr',
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class radiusproxy_del(Method):
+ __doc__ = _("Delete a RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class radiusproxy_find(Method):
+ __doc__ = _("Search for RADIUS proxy servers.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ required=False,
+ multivalue=True,
+ cli_name='server',
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ required=False,
+ cli_name='secret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ exclude=('cli', 'webui'),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ cli_name='retries',
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ cli_name='userattr',
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class radiusproxy_mod(Method):
+ __doc__ = _("Modify a RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ required=False,
+ multivalue=True,
+ cli_name='server',
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ required=False,
+ cli_name='secret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ exclude=('cli', 'webui'),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ cli_name='retries',
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ cli_name='userattr',
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the RADIUS proxy server object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class radiusproxy_show(Method):
+ __doc__ = _("Display information about a RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
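Review bot: `radiusproxy_find.takes_options` declares `ipatokenradiussecret` as a `parameters.Password` option with `confirm=True`, so the command's declared interface accepts the RADIUS shared secret as a search filter. `exclude=('cli', 'webui')` keeps it out of those two frontends only. Whether a direct API call can still filter on it is decided on the server and should be confirmed, because a match/no-match answer on a secret attribute lets a caller with search rights test guesses. I would drop the option from `radiusproxy_find`; if this file has to mirror the 2_156 server API verbatim, put `# mirrors the server API; the secret must not be offered as a search filter by any frontend` above it instead. The module docstring also shows `ipa radiusproxy-mod MyRADIUS --secret` while `radiusproxy_mod` excludes the option from `cli`, so one of the two looks out of date.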
diff --git a/ipaclient/remote_plugins/2_156/realmdomains.py b/ipaclient/remote_plugins/2_156/realmdomains.py
new file mode 100644
index 000000000..f8f563a45
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/realmdomains.py
@@ -0,0 +1,195 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Realm domains
+
+Manage the list of domains associated with IPA realm.
+
+EXAMPLES:
+
+ Display the current list of realm domains:
+ ipa realmdomains-show
+
+ Replace the list of realm domains:
+ ipa realmdomains-mod --domain=example.com
+ ipa realmdomains-mod --domain={example1.com,example2.com,example3.com}
+
+ Add a domain to the list of realm domains:
+ ipa realmdomains-mod --add-domain=newdomain.com
+
+ Delete a domain from the list of realm domains:
+ ipa realmdomains-mod --del-domain=olddomain.com
+""")
+
+register = Registry()
+
+
+@register()
+class realmdomains(Object):
+ takes_params = (
+ parameters.Str(
+ 'associateddomain',
+ multivalue=True,
+ label=_(u'Domain'),
+ ),
+ parameters.Str(
+ 'add_domain',
+ required=False,
+ label=_(u'Add domain'),
+ ),
+ parameters.Str(
+ 'del_domain',
+ required=False,
+ label=_(u'Delete domain'),
+ ),
+ )
+
+
+@register()
+class realmdomains_mod(Method):
+ __doc__ = _("Modify realm domains.")
+
+ takes_options = (
+ parameters.Str(
+ 'associateddomain',
+ required=False,
+ multivalue=True,
+ cli_name='domain',
+ label=_(u'Domain'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'add_domain',
+ required=False,
+ label=_(u'Add domain'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'del_domain',
+ required=False,
+ label=_(u'Delete domain'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'Force adding domain even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class realmdomains_show(Method):
+ __doc__ = _("Display the list of realm domains.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/role.py b/ipaclient/remote_plugins/2_156/role.py
new file mode 100644
index 000000000..122d4cdee
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/role.py
@@ -0,0 +1,758 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Roles
+
+A role is used for fine-grained delegation. A permission grants the ability
+to perform given low-level tasks (add a user, modify a group, etc.). A
+privilege combines one or more permissions into a higher-level abstraction
+such as useradmin. A useradmin would be able to add, delete and modify users.
+
+Privileges are assigned to Roles.
+
+Users, groups, hosts and hostgroups may be members of a Role.
+
+Roles can not contain other roles.
+
+EXAMPLES:
+
+ Add a new role:
+ ipa role-add --desc="Junior-level admin" junioradmin
+
+ Add some privileges to this role:
+ ipa role-add-privilege --privileges=addusers junioradmin
+ ipa role-add-privilege --privileges=change_password junioradmin
+ ipa role-add-privilege --privileges=add_user_to_default_group junioradmin
+
+ Add a group of users to this role:
+ ipa group-add --desc="User admins" useradmins
+ ipa role-add-member --groups=useradmins junioradmin
+
+ Display information about a role:
+ ipa role-show junioradmin
+
+ The result of this is that any users in the group 'junioradmin' can
+ add users, reset passwords or add a user to the default IPA user group.
+""")
+
+register = Registry()
+
+
+@register()
+class role(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Role name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'member_user',
+ required=False,
+ label=_(u'Member users'),
+ ),
+ parameters.Str(
+ 'member_group',
+ required=False,
+ label=_(u'Member groups'),
+ ),
+ parameters.Str(
+ 'member_host',
+ required=False,
+ label=_(u'Member hosts'),
+ ),
+ parameters.Str(
+ 'member_hostgroup',
+ required=False,
+ label=_(u'Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_privilege',
+ required=False,
+ label=_(u'Privileges'),
+ ),
+ parameters.Str(
+ 'member_service',
+ required=False,
+ label=_(u'Member services'),
+ ),
+ )
+
+
+@register()
+class role_add(Method):
+ __doc__ = _("Add a new role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class role_add_member(Method):
+ __doc__ = _("Add members to a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ multivalue=True,
+ cli_name='services',
+ label=_(u'member service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class role_add_privilege(Method):
+ __doc__ = _("Add privileges to a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'privilege'),
+ doc=_(u'privileges'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of privileges added'),
+ ),
+ )
+
+
+@register()
+class role_del(Method):
+ __doc__ = _("Delete a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class role_find(Method):
+ __doc__ = _("Search for roles.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class role_mod(Method):
+ __doc__ = _("Modify a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the role object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class role_remove_member(Method):
+ __doc__ = _("Remove members from a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ multivalue=True,
+ cli_name='services',
+ label=_(u'member service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class role_remove_privilege(Method):
+ __doc__ = _("Remove privileges from a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'privilege'),
+ doc=_(u'privileges'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of privileges removed'),
+ ),
+ )
+
+
+@register()
+class role_show(Method):
+ __doc__ = _("Display information about a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
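Review bot: In `role_remove_privilege.has_output` the `failed` output is documented as `Members that could not be added`, although the command removes privileges. `role_remove_member` uses `Members that could not be removed` for the same slot, so this should read `doc=_(u'Privileges that could not be removed'),`. The module docstring has a similar slip: it says users in the group 'junioradmin' gain the rights, but the example adds the group `useradmins` to the role `junioradmin`. If these strings are copied from the server-side plugin, the correction belongs there as well, so that help text about who receives delegated rights stays accurate.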
diff --git a/ipaclient/remote_plugins/2_156/selfservice.py b/ipaclient/remote_plugins/2_156/selfservice.py
new file mode 100644
index 000000000..5d7e36f30
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/selfservice.py
@@ -0,0 +1,338 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Self-service Permissions
+
+A permission enables fine-grained delegation of permissions. Access Control
+Rules, or instructions (ACIs), grant permission to permissions to perform
+given tasks such as adding a user, modifying a group, etc.
+
+A Self-service permission defines what an object can change in its own entry.
+
+
+EXAMPLES:
+
+ Add a self-service rule to allow users to manage their address (using Bash
+ brace expansion):
+ ipa selfservice-add --permissions=write --attrs={street,postalCode,l,c,st} "Users manage their own address"
+
+ When managing the list of attributes you need to include all attributes
+ in the list, including existing ones.
+ Add telephoneNumber to the list (using Bash brace expansion):
+ ipa selfservice-mod --attrs={street,postalCode,l,c,st,telephoneNumber} "Users manage their own address"
+
+ Display our updated rule:
+ ipa selfservice-show "Users manage their own address"
+
+ Delete a rule:
+ ipa selfservice-del "Users manage their own address"
+""")
+
+register = Registry()
+
+
+@register()
+class selfservice(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'Self-service name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ ),
+ )
+
+
+@register()
+class selfservice_add(Method):
+ __doc__ = _("Add a new self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_del(Method):
+ __doc__ = _("Delete a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_find(Method):
+ __doc__ = _("Search for a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class selfservice_mod(Method):
+ __doc__ = _("Modify a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_show(Method):
+ __doc__ = _("Display information about a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
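Review bot: The `permissions` option documents "Default is write", but no declaration in this file gives it a `default=`, and the same doc string is reused in `selfservice_find` and `selfservice_mod`, where a search filter or a modification has no such default. Both `permissions` and `attrs` are plain `parameters.Str`, so this stub does not restrict which rights or attributes a rule grants each object over its own entry; that validation presumably happens on the server. I would state this next to the option, e.g. `# default and allowed values are applied by the server, not by this stub`. For find/mod the doc could read `doc=_(u'Permissions granted by the rule (read, write).')`.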
diff --git a/ipaclient/remote_plugins/2_156/selinuxusermap.py b/ipaclient/remote_plugins/2_156/selinuxusermap.py
new file mode 100644
index 000000000..cf572f9c7
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/selinuxusermap.py
@@ -0,0 +1,905 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+SELinux User Mapping
+
+Map IPA users to SELinux users by host.
+
+Hosts, hostgroups, users and groups can be either defined within
+the rule or it may point to an existing HBAC rule. When using
+--hbacrule option to selinuxusermap-find an exact match is made on the
+HBAC rule name, so only one or zero entries will be returned.
+
+EXAMPLES:
+
+ Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server":
+ ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1
+ ipa selinuxusermap-add-host --hosts=server.example.com test1
+
+ Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts:
+ ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2
+
+ Display the properties of a rule:
+ ipa selinuxusermap-show test2
+
+ Create a rule for a specific user. This sets the SELinux context for
+ user john to unconfined_u:s0-s0:c0.c1023 on any machine:
+ ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined
+ ipa selinuxusermap-add-user --users=john john_unconfined
+
+ Disable a rule:
+ ipa selinuxusermap-disable test1
+
+ Enable a rule:
+ ipa selinuxusermap-enable test1
+
+ Find a rule referencing a specific HBAC rule:
+ ipa selinuxusermap-find --hbacrule=allow_some
+
+ Remove a rule:
+ ipa selinuxusermap-del john_unconfined
+
+SEEALSO:
+
+ The list controlling the order in which the SELinux user map is applied
+ and the default SELinux user are available in the config-show command.
+""")
+
+register = Registry()
+
+
+@register()
+class selinuxusermap(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'ipaselinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add(Method):
+ __doc__ = _("Create a new SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaselinuxuser',
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add_host(Method):
+ __doc__ = _("Add target hosts and hostgroups to an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add_user(Method):
+ __doc__ = _("Add users and groups to an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_del(Method):
+ __doc__ = _("Delete a SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class selinuxusermap_disable(Method):
+ __doc__ = _("Disable an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_enable(Method):
+ __doc__ = _("Enable an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_find(Method):
+ __doc__ = _("Search for SELinux User Maps.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'ipaselinuxuser',
+ required=False,
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_mod(Method):
+ __doc__ = _("Modify a SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaselinuxuser',
+ required=False,
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_remove_user(Method):
+ __doc__ = _("Remove users and groups from an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_show(Method):
+ __doc__ = _("Display the properties of a SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
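Review bot: `usercategory` and `hostcategory` are free-form `parameters.Str` in `selinuxusermap_add`, `selinuxusermap_find` and `selinuxusermap_mod`, and the only hint at the accepted value is `cli_metavar="['all']"`. Because 'all' widens a rule to every user or every host, it should be visible where a wrong value gets rejected. If the stub is meant to stay validation-free, a comment such as `# value is checked by the server; 'all' is the only category the metavar advertises` would make that explicit. The same goes for `ipaselinuxuser`, whose format (for example `unconfined_u:s0-s0:c0.c1023` in the module doc) is not checked here. Separately, `selinuxusermap_del` types its `result` output as `dict` while documenting it as "List of deletions that failed".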
diff --git a/ipaclient/remote_plugins/2_156/server.py b/ipaclient/remote_plugins/2_156/server.py
new file mode 100644
index 000000000..0b24b53d9
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/server.py
@@ -0,0 +1,246 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+IPA servers
+
+Get information about installed IPA servers.
+
+EXAMPLES:
+
+ Find all servers:
+ ipa server-find
+
+ Show specific server:
+ ipa server-show ipa.example.com
+""")
+
+register = Registry()
+
+
+@register()
+class server(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Server name'),
+ doc=_(u'IPA server hostname'),
+ ),
+ parameters.Str(
+ 'iparepltopomanagedsuffix',
+ label=_(u'Managed suffix'),
+ ),
+ parameters.Int(
+ 'ipamindomainlevel',
+ label=_(u'Min domain level'),
+ doc=_(u'Minimum domain level'),
+ ),
+ parameters.Int(
+ 'ipamaxdomainlevel',
+ label=_(u'Max domain level'),
+ doc=_(u'Maximum domain level'),
+ ),
+ )
+
+
+@register()
+class server_del(Method):
+ __doc__ = _("Delete IPA server.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Server name'),
+ doc=_(u'IPA server hostname'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class server_find(Method):
+ __doc__ = _("Search for IPA servers.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Server name'),
+ doc=_(u'IPA server hostname'),
+ ),
+ parameters.Str(
+ 'iparepltopomanagedsuffix',
+ required=False,
+ cli_name='suffix',
+ label=_(u'Managed suffix'),
+ ),
+ parameters.Int(
+ 'ipamindomainlevel',
+ required=False,
+ cli_name='minlevel',
+ label=_(u'Min domain level'),
+ doc=_(u'Minimum domain level'),
+ ),
+ parameters.Int(
+ 'ipamaxdomainlevel',
+ required=False,
+ cli_name='maxlevel',
+ label=_(u'Max domain level'),
+ doc=_(u'Maximum domain level'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class server_show(Method):
+ __doc__ = _("Show IPA server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Server name'),
+ doc=_(u'IPA server hostname'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
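Review bot: `server_del` sets `NO_CLI = True` without a comment, yet it is registered through `@register()` like every other command in this file. As far as the hunk shows, the flag only keeps the command out of the command-line interface, so it should not be read as a restriction on who may delete a server. A one-line comment above the flag would prevent that misreading, e.g. `# hidden from the CLI only; not an authorization check`. The module doc describes the plugin as read-only ("Get information about installed IPA servers") and could mention that a delete command exists.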
diff --git a/ipaclient/remote_plugins/2_156/service.py b/ipaclient/remote_plugins/2_156/service.py
new file mode 100644
index 000000000..0c7b9d803
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/service.py
@@ -0,0 +1,1225 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Services
+
+A IPA service represents a service that runs on a host. The IPA service
+record can store a Kerberos principal, an SSL certificate, or both.
+
+An IPA service can be managed directly from a machine, provided that
+machine has been given the correct permission. This is true even for
+machines other than the one the service is associated with. For example,
+requesting an SSL certificate using the host service principal credentials
+of the host. To manage a service using host credentials you need to
+kinit as the host:
+
+ # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM
+
+Adding an IPA service allows the associated service to request an SSL
+certificate or keytab, but this is performed as a separate step; they
+are not produced as a result of adding the service.
+
+Only the public aspect of a certificate is stored in a service record;
+the private key is not stored.
+
+EXAMPLES:
+
+ Add a new IPA service:
+ ipa service-add HTTP/web.example.com
+
+ Allow a host to manage an IPA service certificate:
+ ipa service-add-host --hosts=web.example.com HTTP/web.example.com
+ ipa role-add-member --hosts=web.example.com certadmin
+
+ Override a default list of supported PAC types for the service:
+ ipa service-mod HTTP/web.example.com --pac-type=MS-PAC
+
+ A typical use case where overriding the PAC type is needed is NFS.
+ Currently the related code in the Linux kernel can only handle Kerberos
+ tickets up to a maximal size. Since the PAC data can become quite large it
+ is recommended to set --pac-type=NONE for NFS services.
+
+ Delete an IPA service:
+ ipa service-del HTTP/web.example.com
+
+ Find all IPA services associated with a host:
+ ipa service-find web.example.com
+
+ Find all HTTP services:
+ ipa service-find HTTP
+
+ Disable the service Kerberos key and SSL certificate:
+ ipa service-disable HTTP/web.example.com
+
+ Request a certificate for an IPA service:
+ ipa cert-request --principal=HTTP/web.example.com example.csr
+
+ Allow user to create a keytab:
+ ipa service-allow-create-keytab HTTP/web.example.com --users=tuser1
+
+ Generate and retrieve a keytab for an IPA service:
+ ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
+""")
+
+register = Registry()
+
+
+@register()
+class service(Object):
+ takes_params = (
+ parameters.Str(
+ 'krbprincipalname',
+ primary_key=True,
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Keytab'),
+ ),
+ parameters.Str(
+ 'managedby_host',
+ label=_(u'Managed by'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_user',
+ label=_(u'Users allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_group',
+ label=_(u'Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_host',
+ label=_(u'Hosts allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_hostgroup',
+ label=_(u'Host Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_user',
+ label=_(u'Users allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_group',
+ label=_(u'Groups allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_host',
+ label=_(u'Hosts allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_hostgroup',
+ label=_(u'Host Groups allowed to create keytab'),
+ ),
+ )
+
+
+@register()
+class service_add(Method):
+ __doc__ = _("Add a new IPA new service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force principal name even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_add_cert(Method):
+ __doc__ = _("Add new certificates to a service")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_add_host(Method):
+ __doc__ = _("Add hosts that can manage this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class service_allow_create_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class service_allow_retrieve_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class service_del(Method):
+ __doc__ = _("Delete an IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ multivalue=True,
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class service_disable(Method):
+ __doc__ = _("Disable the Kerberos key and SSL certificate of a service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_disallow_create_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class service_disallow_retrieve_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class service_find(Method):
+ __doc__ = _("Search for IPA services.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("principal")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for services with these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for services without these managed by hosts.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class service_mod(Method):
+ __doc__ = _("Modify an existing IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_remove_cert(Method):
+ __doc__ = _("Remove certificates from a service")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_remove_host(Method):
+ __doc__ = _("Remove hosts that can manage this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class service_show(Method):
+ __doc__ = _("Display information about an IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
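Review bot: In `service_add`, `service_find` and `service_mod` the `ipakrbauthzdata` option is declared as a plain `parameters.Str`, and the accepted PAC types appear only in `cli_metavar="['MS-PAC', 'PAD', 'NONE']"`, which looks like help text rather than a constraint. Nothing visible in this hunk stops the client from sending an arbitrary string for a setting that controls the authorization data in service tickets, so rejecting a mistyped value is left entirely to the server. If that is deliberate for these per-version plugin snapshots, a comment at the top of the file such as `# Parameter values are validated by the server, not by this client-side definition.` would stop a reader from assuming the CLI checks it; otherwise declare the option as `parameters.StrEnum('ipakrbauthzdata', values=(u'MS-PAC', u'PAD', u'NONE'), ...)`. Separately, the `service_add` docstring reads `"Add a new IPA new service."`, presumably meant as `"Add a new IPA service."`.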
diff --git a/ipaclient/remote_plugins/2_156/servicedelegation.py b/ipaclient/remote_plugins/2_156/servicedelegation.py
new file mode 100644
index 000000000..d96462d91
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/servicedelegation.py
@@ -0,0 +1,907 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Service Constrained Delegation
+
+Manage rules to allow constrained delegation of credentials so
+that a service can impersonate a user when communicating with another
+service without requiring the user to actually forward their TGT.
+This makes for a much better method of delegating credentials as it
+prevents exposure of the short term secret of the user.
+
+The naming convention is to append the word "target" or "targets" to
+a matching rule name. This is not mandatory but helps conceptually
+to associate rules and targets.
+
+A rule consists of two things:
+ - A list of targets the rule applies to
+ - A list of memberPrincipals that are allowed to delegate for
+ those targets
+
+A target consists of a list of principals that can be delegated.
+
+In English, a rule says that this principal can delegate as this
+list of principals, as defined by these targets.
+
+EXAMPLES:
+
+ Add a new constrained delegation rule:
+ ipa servicedelegationrule-add ftp-delegation
+
+ Add a new constrained delegation target:
+ ipa servicedelegationtarget-add ftp-delegation-target
+
+ Add a principal to the rule:
+ ipa servicedelegationrule-add-member --principals=ftp/ipa.example.com ftp-delegation
+
+ Add our target to the rule:
+ ipa servicedelegationrule-add-target --servicedelegationtargets=ftp-delegation-target ftp-delegation
+
+ Add a principal to the target:
+ ipa servicedelegationtarget-add-member --principals=ldap/ipa.example.com ftp-delegation-target
+
+ Display information about a named delegation rule and target:
+ ipa servicedelegationrule_show ftp-delegation
+ ipa servicedelegationtarget_show ftp-delegation-target
+
+ Remove a constrained delegation:
+ ipa servicedelegationrule-del ftp-delegation-target
+ ipa servicedelegationtarget-del ftp-delegation
+
+In this example the ftp service can get a TGT for the ldap service on
+the bound user's behalf.
+
+It is strongly discouraged to modify the delegations that ship with
+IPA, ipa-http-delegation and its targets ipa-cifs-delegation-targets and
+ipa-ldap-delegation-targets. Incorrect changes can remove the ability
+to delegate, causing the framework to stop functioning.
+""")
+
+register = Registry()
+
+
+@register()
+class servicedelegationrule(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Delegation name'),
+ ),
+ parameters.Str(
+ 'ipaallowedtarget_servicedelegationtarget',
+ label=_(u'Allowed Target'),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Delegation name'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_add(Method):
+ __doc__ = _("Create a new service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_add_member(Method):
+ __doc__ = _("Add member to a named service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'principal',
+ required=False,
+ multivalue=True,
+ cli_name='principals',
+ label=_(u'member principal'),
+ doc=_(u'principal to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_add_target(Method):
+ __doc__ = _("Add target to a named service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'servicedelegationtarget',
+ required=False,
+ multivalue=True,
+ cli_name='servicedelegationtargets',
+ label=_(u'member service delegation target'),
+ doc=_(u'service delegation targets to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_del(Method):
+ __doc__ = _("Delete service delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_find(Method):
+ __doc__ = _("Search for service delegations rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("delegation-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_remove_member(Method):
+ __doc__ = _("Remove member from a named service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'principal',
+ required=False,
+ multivalue=True,
+ cli_name='principals',
+ label=_(u'member principal'),
+ doc=_(u'principal to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_remove_target(Method):
+ __doc__ = _("Remove target from a named service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'servicedelegationtarget',
+ required=False,
+ multivalue=True,
+ cli_name='servicedelegationtargets',
+ label=_(u'member service delegation target'),
+ doc=_(u'service delegation targets to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_show(Method):
+ __doc__ = _("Display information about a named service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_add(Method):
+ __doc__ = _("Create a new service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_add_member(Method):
+ __doc__ = _("Add member to a named service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'principal',
+ required=False,
+ multivalue=True,
+ cli_name='principals',
+ label=_(u'member principal'),
+ doc=_(u'principal to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_del(Method):
+ __doc__ = _("Delete service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_find(Method):
+ __doc__ = _("Search for service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("delegation-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_remove_member(Method):
+ __doc__ = _("Remove member from a named service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'principal',
+ required=False,
+ multivalue=True,
+ cli_name='principals',
+ label=_(u'member principal'),
+ doc=_(u'principal to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_show(Method):
+ __doc__ = _("Display information about a named service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
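Review bot: The EXAMPLES block in the new module docstring does not match the commands this file registers, under "Display information about a named delegation rule and target" and "Remove a constrained delegation". The display example spells the commands with an underscore (`ipa servicedelegationrule_show`) where every other example uses the hyphenated CLI form, and the removal example passes the target's name to the rule command and the rule's name to the target command. I would change the removal lines to `ipa servicedelegationrule-del ftp-delegation` and `ipa servicedelegationtarget-del ftp-delegation-target`, and hyphenate the two show commands the same way. The closing sentence "can get a TGT for the ldap service" presumably means a service ticket obtained on the user's behalf, which is worth stating precisely because readers use this text to judge what a rule grants. If this module is generated from the server-side plugin, the wording should be corrected there rather than in this copy.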
diff --git a/ipaclient/remote_plugins/2_156/session.py b/ipaclient/remote_plugins/2_156/session.py
new file mode 100644
index 000000000..7b30c92a0
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/session.py
@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+register = Registry()
+
+
+@register()
+class session_logout(Command):
+ __doc__ = _("RPC command used to log the current user out of their session.")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/stageuser.py b/ipaclient/remote_plugins/2_156/stageuser.py
new file mode 100644
index 000000000..a660cc9ce
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/stageuser.py
@@ -0,0 +1,1492 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Stageusers
+
+Manage stage user entries.
+
+Stage user entries are directly under the container: "cn=stage users,
+cn=accounts, cn=provisioning, SUFFIX".
+User can not authenticate with those entries (even if the entries
+contain credentials) and are candidate to become Active entries.
+
+Active user entries are Posix users directly under the container: "cn=accounts, SUFFIX".
+User can authenticate with Active entries, at the condition they have
+credentials
+
+Delete user entries are Posix users directly under the container: "cn=deleted users,
+cn=accounts, cn=provisioning, SUFFIX".
+User can not authenticate with those entries (even if the entries contain credentials)
+
+The stage user container contains entries
+ - created by 'stageuser-add' commands that are Posix users
+ - created by external provisioning system
+
+A valid stage user entry MUST:
+ - entry RDN is 'uid'
+ - ipaUniqueID is 'autogenerate'
+
+IPA supports a wide range of username formats, but you need to be aware of any
+restrictions that may apply to your particular environment. For example,
+usernames that start with a digit or usernames that exceed a certain length
+may cause problems for some UNIX systems.
+Use 'ipa config-mod' to change the username format allowed by IPA tools.
+
+
+EXAMPLES:
+
+ Add a new stageuser:
+ ipa stageuser-add --first=Tim --last=User --password tuser1
+
+ Add a stageuser from the Delete container
+ ipa stageuser-add --first=Tim --last=User --from-delete tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class stageuser(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ primary_key=True,
+ label=_(u'User login'),
+ ),
+ parameters.Str(
+ 'givenname',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ label=_(u'Kerberos principal'),
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ ),
+ parameters.Str(
+ 'randompassword',
+ required=False,
+ label=_(u'Random password'),
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Flag(
+ 'has_password',
+ label=_(u'Password'),
+ ),
+ parameters.Str(
+ 'memberof_group',
+ required=False,
+ label=_(u'Member of groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_group',
+ required=False,
+ label=_(u'Indirect Member of group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Kerberos keys available'),
+ ),
+ )
+
+
+@register()
+class stageuser_activate(Method):
+ __doc__ = _("Activate a stage user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class stageuser_add(Method):
+ __doc__ = _("Add a new stage user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'),
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Bool(
+ 'from_delete',
+ required=False,
+ deprecated=True,
+ doc=_(u'Create Stage user in from a delete user'),
+ exclude=('cli', 'webui'),
+ default=False,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class stageuser_del(Method):
+ __doc__ = _("Delete a stage user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ multivalue=True,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class stageuser_find(Method):
+ __doc__ = _("Search for stage users.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'),
+ no_convert=True,
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("login")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'in_group',
+ required=False,
+ multivalue=True,
+ cli_name='in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for stage users with these member of groups.'),
+ ),
+ parameters.Str(
+ 'not_in_group',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for stage users without these member of groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for stage users with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for stage users without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for stage users with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for stage users without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for stage users with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for stage users without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for stage users with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for stage users without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class stageuser_mod(Method):
+ __doc__ = _("Modify a stage user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the stage user object'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class stageuser_show(Method):
+ __doc__ = _("Display information about a stage user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/sudocmd.py b/ipaclient/remote_plugins/2_156/sudocmd.py
new file mode 100644
index 000000000..ccc78a77a
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/sudocmd.py
@@ -0,0 +1,394 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Sudo Commands
+
+Commands used as building blocks for sudo
+
+EXAMPLES:
+
+ Create a new command
+ ipa sudocmd-add --desc='For reading log files' /usr/bin/less
+
+ Remove a command
+ ipa sudocmd-del /usr/bin/less
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmd(Object):
+ takes_params = (
+ parameters.Str(
+ 'sudocmd',
+ primary_key=True,
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'memberof_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ )
+
+
+@register()
+class sudocmd_add(Method):
+ __doc__ = _("Create new Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_del(Method):
+ __doc__ = _("Delete Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ multivalue=True,
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class sudocmd_find(Method):
+ __doc__ = _("Search for Sudo Commands.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("command")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudocmd_mod(Method):
+ __doc__ = _("Modify Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_show(Method):
+ __doc__ = _("Display Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
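Review bot: The EXAMPLES text in the module `__doc__` of sudocmd.py registers `/usr/bin/less` as the sample sudo command "for reading log files". less is a pager that can start other programs, so a rule built from this example grants more than read access unless it also sets the sudoers `noexec` option. I would either use a non-interactive command in the example or add a line under it such as `Commands that can run other programs (pagers, editors) should only be allowed together with the noexec sudo option.` This file looks like a snapshot of the server-side plugin text (inferred from the boilerplate shared with the neighbouring files), so the wording may need changing at its origin rather than only here.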
diff --git a/ipaclient/remote_plugins/2_156/sudocmdgroup.py b/ipaclient/remote_plugins/2_156/sudocmdgroup.py
new file mode 100644
index 000000000..747213d93
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/sudocmdgroup.py
@@ -0,0 +1,540 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of Sudo Commands
+
+Manage groups of Sudo Commands.
+
+EXAMPLES:
+
+ Add a new Sudo Command Group:
+ ipa sudocmdgroup-add --desc='administrators commands' admincmds
+
+ Remove a Sudo Command Group:
+ ipa sudocmdgroup-del admincmds
+
+ Manage Sudo Command Group membership, commands:
+ ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less --sudocmds=/usr/bin/vim admincmds
+
+ Manage Sudo Command Group membership, commands:
+ ipa group-remove-member --sudocmds=/usr/bin/less admincmds
+
+ Show a Sudo Command Group:
+ ipa group-show localadmins
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmdgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Sudo Command Group'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'membercmd_sudocmd',
+ required=False,
+ label=_(u'Commands'),
+ ),
+ parameters.Str(
+ 'membercmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ parameters.Str(
+ 'member_sudocmd',
+ required=False,
+ label=_(u'Member Sudo commands'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_add(Method):
+ __doc__ = _("Create new Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_add_member(Method):
+ __doc__ = _("Add members to Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_del(Method):
+ __doc__ = _("Delete Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_find(Method):
+ __doc__ = _("Search for Sudo Command Groups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("sudocmdgroup-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_mod(Method):
+ __doc__ = _("Modify Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_remove_member(Method):
+ __doc__ = _("Remove members from Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_show(Method):
+ __doc__ = _("Display Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
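Review bot: The EXAMPLES block in the module `__doc__` of sudocmdgroup.py names commands for a different object type: the removal example reads `ipa group-remove-member --sudocmds=/usr/bin/less admincmds` and the show example reads `ipa group-show localadmins`, while this file registers `sudocmdgroup_remove_member` and `sudocmdgroup_show`. Going by the `ipa sudocmdgroup-add-member` example just above them, they should read `ipa sudocmdgroup-remove-member --sudocmds=/usr/bin/less admincmds` and `ipa sudocmdgroup-show admincmds`. The second "Manage Sudo Command Group membership, commands:" heading also repeats the first although it introduces a removal. Sudo command groups feed sudo rules, so help text that sends an operator to the user-group commands makes it harder to confirm that a command was actually taken out of a group. If this file is generated from the server-side plugin (not visible here), the correction belongs in that source docstring.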
diff --git a/ipaclient/remote_plugins/2_156/sudorule.py b/ipaclient/remote_plugins/2_156/sudorule.py
new file mode 100644
index 000000000..5d185ed31
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/sudorule.py
@@ -0,0 +1,1774 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Sudo Rules
+
+Sudo (su "do") allows a system administrator to delegate authority to
+give certain users (or groups of users) the ability to run some (or all)
+commands as root or another user while providing an audit trail of the
+commands and their arguments.
+
+FreeIPA provides a means to configure the various aspects of Sudo:
+ Users: The user(s)/group(s) allowed to invoke Sudo.
+ Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo.
+ Allow Command: The specific command(s) permitted to be run via Sudo.
+ Deny Command: The specific command(s) prohibited to be run via Sudo.
+ RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with.
+ RunAsGroup: The group(s) whose gid rights Sudo will be invoked with.
+ Options: The various Sudoers Options that can modify Sudo's behavior.
+
+An order can be added to a sudorule to control the order in which they
+are evaluated (if the client supports it). This order is an integer and
+must be unique.
+
+FreeIPA provides a designated binddn to use with Sudo located at:
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+To enable the binddn run the following command to set the password:
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+EXAMPLES:
+
+ Create a new rule:
+ ipa sudorule-add readfiles
+
+ Add sudo command object and add it as allowed command in the rule:
+ ipa sudocmd-add /usr/bin/less
+ ipa sudorule-add-allow-command readfiles --sudocmds /usr/bin/less
+
+ Add a host to the rule:
+ ipa sudorule-add-host readfiles --hosts server.example.com
+
+ Add a user to the rule:
+ ipa sudorule-add-user readfiles --users jsmith
+
+ Add a special Sudo rule for default Sudo server configuration:
+ ipa sudorule-add defaults
+
+ Set a default Sudo option:
+ ipa sudorule-add-option defaults --sudooption '!authenticate'
+""")
+
+register = Registry()
+
+
+@register()
+class sudorule(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ parameters.Str(
+ 'hostmask',
+ multivalue=True,
+ label=_(u'Host Masks'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ parameters.Str(
+ 'memberallowcmd_sudocmd',
+ required=False,
+ label=_(u'Sudo Allow Commands'),
+ ),
+ parameters.Str(
+ 'memberdenycmd_sudocmd',
+ required=False,
+ label=_(u'Sudo Deny Commands'),
+ ),
+ parameters.Str(
+ 'memberallowcmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Allow Command Groups'),
+ ),
+ parameters.Str(
+ 'memberdenycmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Deny Command Groups'),
+ ),
+ parameters.Str(
+ 'ipasudorunas_user',
+ required=False,
+ label=_(u'RunAs Users'),
+ doc=_(u'Run as a user'),
+ ),
+ parameters.Str(
+ 'ipasudorunas_group',
+ required=False,
+ label=_(u'Groups of RunAs Users'),
+ doc=_(u'Run as any user within a specified group'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextusergroup',
+ required=False,
+ label=_(u'External Groups of RunAs Users'),
+ doc=_(u'External Groups of users that the command can run as'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroup_group',
+ required=False,
+ label=_(u'RunAs Groups'),
+ doc=_(u'Run with the gid of a specified POSIX group'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudoopt',
+ required=False,
+ label=_(u'Sudo Option'),
+ ),
+ )
+
+
+@register()
+class sudorule_add(Method):
+ __doc__ = _("Create new Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_add_allow_command(Method):
+ __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_deny_command(Method):
+ __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_host(Method):
+ __doc__ = _("Add hosts and hostgroups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostmask',
+ required=False,
+ multivalue=True,
+ label=_(u'host masks of allowed hosts'),
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_option(Method):
+ __doc__ = _("Add an option to the Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipasudoopt',
+ cli_name='sudooption',
+ label=_(u'Sudo Option'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_add_runasgroup(Method):
+ __doc__ = _("Add group for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_runasuser(Method):
+ __doc__ = _("Add users and groups for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_user(Method):
+ __doc__ = _("Add users and groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_del(Method):
+ __doc__ = _("Delete Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class sudorule_disable(Method):
+ __doc__ = _("Disable a Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sudorule_enable(Method):
+ __doc__ = _("Enable a Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sudorule_find(Method):
+ __doc__ = _("Search for Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("sudorule-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudorule_mod(Method):
+ __doc__ = _("Modify Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_allow_command(Method):
+ __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_deny_command(Method):
+ __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_host(Method):
+ __doc__ = _("Remove hosts and hostgroups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostmask',
+ required=False,
+ multivalue=True,
+ label=_(u'host masks of allowed hosts'),
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_option(Method):
+ __doc__ = _("Remove an option from Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipasudoopt',
+ cli_name='sudooption',
+ label=_(u'Sudo Option'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_runasgroup(Method):
+ __doc__ = _("Remove group for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_runasuser(Method):
+ __doc__ = _("Remove users and groups for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_user(Method):
+ __doc__ = _("Remove users and groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_show(Method):
+ __doc__ = _("Display Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/topology.py b/ipaclient/remote_plugins/2_156/topology.py
new file mode 100644
index 000000000..ca0910687
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/topology.py
@@ -0,0 +1,1026 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Topology
+
+Management of a replication topology.
+
+Requires minimum domain level 1.
+""")
+
+register = Registry()
+
+
+@register()
+class topologysegment(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ ),
+ parameters.Str(
+ 'iparepltoposegmentleftnode',
+ label=_(u'Left node'),
+ doc=_(u'Left replication node - an IPA server'),
+ ),
+ parameters.Str(
+ 'iparepltoposegmentrightnode',
+ label=_(u'Right node'),
+ doc=_(u'Right replication node - an IPA server'),
+ ),
+ parameters.Str(
+ 'iparepltoposegmentdirection',
+ label=_(u'Connectivity'),
+ doc=_(u'Direction of replication between left and right replication node'),
+ ),
+ parameters.Str(
+ 'nsds5replicastripattrs',
+ required=False,
+ label=_(u'Attributes to strip'),
+ doc=_(u'A space separated list of attributes which are removed from replication updates.'),
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelist',
+ required=False,
+ label=_(u'Attributes to replicate'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'),
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelisttotal',
+ required=False,
+ label=_(u'Attributes for total update'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'),
+ ),
+ parameters.Int(
+ 'nsds5replicatimeout',
+ required=False,
+ label=_(u'Session timeout'),
+ doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'),
+ ),
+ parameters.Str(
+ 'nsds5replicaenabled',
+ required=False,
+ label=_(u'Replication agreement enabled'),
+ doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'),
+ ),
+ )
+
+
+@register()
+class topologysuffix(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'iparepltopoconfroot',
+ label=_(u'LDAP suffix to be managed'),
+ ),
+ )
+
+
+@register()
+class topologysegment_add(Method):
+ __doc__ = _("Add a new segment.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'iparepltoposegmentleftnode',
+ cli_name='leftnode',
+ label=_(u'Left node'),
+ doc=_(u'Left replication node - an IPA server'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'iparepltoposegmentrightnode',
+ cli_name='rightnode',
+ label=_(u'Right node'),
+ doc=_(u'Right replication node - an IPA server'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'iparepltoposegmentdirection',
+ cli_name='direction',
+ cli_metavar="['both', 'left-right', 'right-left']",
+ label=_(u'Connectivity'),
+ doc=_(u'Direction of replication between left and right replication node'),
+ exclude=('cli', 'webui'),
+ default=u'both',
+ ),
+ parameters.Str(
+ 'nsds5replicastripattrs',
+ required=False,
+ cli_name='stripattrs',
+ label=_(u'Attributes to strip'),
+ doc=_(u'A space separated list of attributes which are removed from replication updates.'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelist',
+ required=False,
+ cli_name='replattrs',
+ label=_(u'Attributes to replicate'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'),
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelisttotal',
+ required=False,
+ cli_name='replattrstotal',
+ label=_(u'Attributes for total update'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'),
+ ),
+ parameters.Int(
+ 'nsds5replicatimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Session timeout'),
+ doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'),
+ ),
+ parameters.Str(
+ 'nsds5replicaenabled',
+ required=False,
+ cli_name='enabled',
+ cli_metavar="['on', 'off']",
+ label=_(u'Replication agreement enabled'),
+ doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysegment_del(Method):
+ __doc__ = _("Delete a segment.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class topologysegment_find(Method):
+ __doc__ = _("Search for topology segments.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'iparepltoposegmentleftnode',
+ required=False,
+ cli_name='leftnode',
+ label=_(u'Left node'),
+ doc=_(u'Left replication node - an IPA server'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'iparepltoposegmentrightnode',
+ required=False,
+ cli_name='rightnode',
+ label=_(u'Right node'),
+ doc=_(u'Right replication node - an IPA server'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'iparepltoposegmentdirection',
+ required=False,
+ cli_name='direction',
+ cli_metavar="['both', 'left-right', 'right-left']",
+ label=_(u'Connectivity'),
+ doc=_(u'Direction of replication between left and right replication node'),
+ exclude=('cli', 'webui'),
+ default=u'both',
+ ),
+ parameters.Str(
+ 'nsds5replicastripattrs',
+ required=False,
+ cli_name='stripattrs',
+ label=_(u'Attributes to strip'),
+ doc=_(u'A space separated list of attributes which are removed from replication updates.'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelist',
+ required=False,
+ cli_name='replattrs',
+ label=_(u'Attributes to replicate'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'),
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelisttotal',
+ required=False,
+ cli_name='replattrstotal',
+ label=_(u'Attributes for total update'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'),
+ ),
+ parameters.Int(
+ 'nsds5replicatimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Session timeout'),
+ doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'),
+ ),
+ parameters.Str(
+ 'nsds5replicaenabled',
+ required=False,
+ cli_name='enabled',
+ cli_metavar="['on', 'off']",
+ label=_(u'Replication agreement enabled'),
+ doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class topologysegment_mod(Method):
+ __doc__ = _("Modify a segment.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'nsds5replicastripattrs',
+ required=False,
+ cli_name='stripattrs',
+ label=_(u'Attributes to strip'),
+ doc=_(u'A space separated list of attributes which are removed from replication updates.'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelist',
+ required=False,
+ cli_name='replattrs',
+ label=_(u'Attributes to replicate'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'),
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelisttotal',
+ required=False,
+ cli_name='replattrstotal',
+ label=_(u'Attributes for total update'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'),
+ ),
+ parameters.Int(
+ 'nsds5replicatimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Session timeout'),
+ doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'),
+ ),
+ parameters.Str(
+ 'nsds5replicaenabled',
+ required=False,
+ cli_name='enabled',
+ cli_metavar="['on', 'off']",
+ label=_(u'Replication agreement enabled'),
+ doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysegment_reinitialize(Method):
+ __doc__ = _("Request a full re-initialization of the node retrieving data from the other node.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'left',
+ required=False,
+ doc=_(u'Initialize left node'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'right',
+ required=False,
+ doc=_(u'Initialize right node'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'stop',
+ required=False,
+ doc=_(u'Stop already started refresh of chosen node(s)'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysegment_show(Method):
+ __doc__ = _("Display a segment.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysuffix_add(Method):
+ __doc__ = _("Add a new topology suffix to be managed.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'iparepltopoconfroot',
+ cli_name='suffix',
+ label=_(u'LDAP suffix to be managed'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysuffix_del(Method):
+ __doc__ = _("Delete a topology suffix.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class topologysuffix_find(Method):
+ __doc__ = _("Search for topology suffices.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'iparepltopoconfroot',
+ required=False,
+ cli_name='suffix',
+ label=_(u'LDAP suffix to be managed'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class topologysuffix_mod(Method):
+ __doc__ = _("Modify a topology suffix.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'iparepltopoconfroot',
+ required=False,
+ cli_name='suffix',
+ label=_(u'LDAP suffix to be managed'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysuffix_show(Method):
+ __doc__ = _("Show managed suffix.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysuffix_verify(Method):
+ __doc__ = _("""
+Verify replication topology for suffix.
+
+Checks done:
+ 1. check if a topology is not disconnected. In other words if there are
+ replication paths between all servers.
+ 2. check if servers don't have more than the recommended number of
+ replication agreements
+ """)
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/trust.py b/ipaclient/remote_plugins/2_156/trust.py
new file mode 100644
index 000000000..369ffcd18
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/trust.py
@@ -0,0 +1,1264 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Cross-realm trusts
+
+Manage trust relationship between IPA and Active Directory domains.
+
+In order to allow users from a remote domain to access resources in IPA
+domain, trust relationship needs to be established. Currently IPA supports
+only trusts between IPA and Active Directory domains under control of Windows
+Server 2008 or later, with functional level 2008 or later.
+
+Please note that DNS on both IPA and Active Directory domain sides should be
+configured properly to discover each other. Trust relationship relies on
+ability to discover special resources in the other domain via DNS records.
+
+Examples:
+
+1. Establish cross-realm trust with Active Directory using AD administrator
+ credentials:
+
+ ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password
+
+2. List all existing trust relationships:
+
+ ipa trust-find
+
+3. Show details of the specific trust relationship:
+
+ ipa trust-show <ad.domain>
+
+4. Delete existing trust relationship:
+
+ ipa trust-del <ad.domain>
+
+Once trust relationship is established, remote users will need to be mapped
+to local POSIX groups in order to actually use IPA resources. The mapping should
+be done via use of external membership of non-POSIX group and then this group
+should be included into one of local POSIX groups.
+
+Example:
+
+1. Create group for the trusted domain admins' mapping and their local POSIX group:
+
+ ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
+ ipa group-add --desc='<ad.domain> admins' ad_admins
+
+2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
+ group:
+
+ ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
+
+3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+
+ ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their SIDs:
+
+ ipa group-show ad_admins_external
+
+
+GLOBAL TRUST CONFIGURATION
+
+When IPA AD trust subpackage is installed and ipa-adtrust-install is run,
+a local domain configuration (SID, GUID, NetBIOS name) is generated. These
+identifiers are then used when communicating with a trusted domain of the
+particular type.
+
+1. Show global trust configuration for Active Directory type of trusts:
+
+ ipa trustconfig-show --type ad
+
+2. Modify global configuration for all trusts of Active Directory type and set
+ a different fallback primary group (fallback primary group GID is used as
+ a primary user GID if user authenticating to IPA domain does not have any other
+ primary GID already set):
+
+ ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group"
+
+3. Change primary fallback group back to default hidden group (any group with
+ posixGroup object class is allowed):
+
+ ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group"
+""")
+
+register = Registry()
+
+
+@register()
+class trust(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ label=_(u'SID blacklist outgoing'),
+ ),
+ )
+
+
+@register()
+class trustconfig(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ label=_(u'Domain'),
+ ),
+ parameters.Str(
+ 'ipantsecurityidentifier',
+ label=_(u'Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ label=_(u'NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipantdomainguid',
+ label=_(u'Domain GUID'),
+ ),
+ parameters.Str(
+ 'ipantfallbackprimarygroup',
+ label=_(u'Fallback primary group'),
+ ),
+ )
+
+
+@register()
+class trustdomain(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Domain name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ ),
+ )
+
+
+@register()
+class adtrust_is_enabled(Command):
+ __doc__ = _("Determine whether ipa-adtrust-install has been run on this system")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class compat_is_enabled(Command):
+ __doc__ = _("Determine whether Schema Compatibility plugin is configured to serve trusted domain users and groups")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sidgen_was_run(Command):
+ __doc__ = _("Determine whether ipa-adtrust-install has been run with sidgen task")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class trust_add(Method):
+ __doc__ = _("""
+Add new trust to use.
+
+This command establishes trust relationship to another domain
+which becomes 'trusted'. As result, users of the trusted domain
+may access resources of this domain.
+
+Only trusts to Active Directory domains are supported right now.
+
+The command can be safely run multiple times against the same domain,
+this will cause change to trust relationship credentials on both
+sides.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'realm_admin',
+ required=False,
+ cli_name='admin',
+ label=_(u'Active Directory domain administrator'),
+ ),
+ parameters.Password(
+ 'realm_passwd',
+ required=False,
+ cli_name='password',
+ label=_(u"Active Directory domain administrator's password"),
+ ),
+ parameters.Str(
+ 'realm_server',
+ required=False,
+ cli_name='server',
+ label=_(u'Domain controller for the Active Directory domain (optional)'),
+ ),
+ parameters.Password(
+ 'trust_secret',
+ required=False,
+ label=_(u'Shared secret for the trust'),
+ ),
+ parameters.Int(
+ 'base_id',
+ required=False,
+ label=_(u'First Posix ID of the range reserved for the trusted domain'),
+ ),
+ parameters.Int(
+ 'range_size',
+ required=False,
+ label=_(u'Size of the ID range reserved for the trusted domain'),
+ ),
+ parameters.Str(
+ 'range_type',
+ required=False,
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust']",
+ label=_(u'Range type'),
+ doc=_(u'Type of trusted domain ID range, one of ipa-ad-trust-posix, ipa-ad-trust'),
+ ),
+ parameters.Bool(
+ 'bidirectional',
+ required=False,
+ cli_name='two_way',
+ label=_(u'Two-way trust'),
+ doc=_(u'Establish bi-directional trust. By default trust is inbound one-way only.'),
+ default=False,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trust_del(Method):
+ __doc__ = _("Delete a trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class trust_fetch_domains(Method):
+ __doc__ = _("Refresh list of the domains associated with the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'realm_server',
+ required=False,
+ cli_name='server',
+ label=_(u'Domain controller for the Active Directory domain (optional)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class trust_find(Method):
+ __doc__ = _("Search for trusts.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_incoming',
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_outgoing',
+ label=_(u'SID blacklist outgoing'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("realm")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class trust_mod(Method):
+ __doc__ = _("""
+Modify a trust (for future use).
+
+ Currently only the default option to modify the LDAP attributes is
+ available. More specific options will be added in coming releases.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_incoming',
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_outgoing',
+ label=_(u'SID blacklist outgoing'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trust_resolve(Command):
+ __doc__ = _("Resolve security identifiers of users and groups in trusted domains")
+
+ NO_CLI = True
+
+ takes_options = (
+ parameters.Str(
+ 'sids',
+ multivalue=True,
+ label=_(u'Security Identifiers (SIDs)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.ListOfEntries(
+ 'result',
+ ),
+ )
+
+
+@register()
+class trust_show(Method):
+ __doc__ = _("Display information about a trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustconfig_mod(Method):
+ __doc__ = _("Modify global trust configuration.")
+
+ takes_options = (
+ parameters.Str(
+ 'ipantfallbackprimarygroup',
+ required=False,
+ cli_name='fallback_primary_group',
+ label=_(u'Fallback primary group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustconfig_show(Method):
+ __doc__ = _("Show global trust configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_add(Method):
+ __doc__ = _("Allow access from the trusted domain")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_del(Method):
+ __doc__ = _("Remove infromation about the domain associated with the trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class trustdomain_disable(Method):
+ __doc__ = _("Disable use of IPA resources by the domain of the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_enable(Method):
+ __doc__ = _("Allow use of IPA resources by the domain of the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_find(Method):
+ __doc__ = _("Search domains of the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("domain")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class trustdomain_mod(Method):
+ __doc__ = _("Modify trustdomain of the trust")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/user.py b/ipaclient/remote_plugins/2_156/user.py
new file mode 100644
index 000000000..e545ca179
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/user.py
@@ -0,0 +1,1869 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Users
+
+Manage user entries. All users are POSIX users.
+
+IPA supports a wide range of username formats, but you need to be aware of any
+restrictions that may apply to your particular environment. For example,
+usernames that start with a digit or usernames that exceed a certain length
+may cause problems for some UNIX systems.
+Use 'ipa config-mod' to change the username format allowed by IPA tools.
+
+Disabling a user account prevents that user from obtaining new Kerberos
+credentials. It does not invalidate any credentials that have already
+been issued.
+
+Password management is not a part of this module. For more information
+about this topic please see: ipa help passwd
+
+Account lockout on password failure happens per IPA master. The user-status
+command can be used to identify which master the user is locked out on.
+It is on that master the administrator must unlock the user.
+
+EXAMPLES:
+
+ Add a new user:
+ ipa user-add --first=Tim --last=User --password tuser1
+
+ Find all users whose entries include the string "Tim":
+ ipa user-find Tim
+
+ Find all users with "Tim" as the first name:
+ ipa user-find --first=Tim
+
+ Disable a user account:
+ ipa user-disable tuser1
+
+ Enable a user account:
+ ipa user-enable tuser1
+
+ Delete a user:
+ ipa user-del tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class user(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ primary_key=True,
+ label=_(u'User login'),
+ ),
+ parameters.Str(
+ 'givenname',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ label=_(u'Kerberos principal'),
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ ),
+ parameters.Str(
+ 'randompassword',
+ required=False,
+ label=_(u'Random password'),
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ ),
+ parameters.Bool(
+ 'preserved',
+ required=False,
+ label=_(u'Preserved user'),
+ ),
+ parameters.Flag(
+ 'has_password',
+ label=_(u'Password'),
+ ),
+ parameters.Str(
+ 'memberof_group',
+ required=False,
+ label=_(u'Member of groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_group',
+ required=False,
+ label=_(u'Indirect Member of group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Kerberos keys available'),
+ ),
+ )
+
+
+@register()
+class user_add(Method):
+ __doc__ = _("Add a new user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'noprivate',
+ doc=_(u"Don't create user private group"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_add_cert(Method):
+ __doc__ = _("Add one or more certificates to the user entry")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_del(Method):
+ __doc__ = _("Delete a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ multivalue=True,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bool(
+ 'preserve',
+ required=False,
+ exclude=('cli',),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class user_disable(Method):
+ __doc__ = _("Disable a user account.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_enable(Method):
+ __doc__ = _("Enable a user account.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_find(Method):
+ __doc__ = _("Search for users.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Bool(
+ 'preserved',
+ required=False,
+ label=_(u'Preserved user'),
+ default=False,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'whoami',
+ label=_(u'Self'),
+ doc=_(u'Display user record for current Kerberos principal'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("login")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'in_group',
+ required=False,
+ multivalue=True,
+ cli_name='in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for users with these member of groups.'),
+ ),
+ parameters.Str(
+ 'not_in_group',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for users without these member of groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for users with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for users without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for users with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for users without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for users with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for users without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for users with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for users without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class user_mod(Method):
+ __doc__ = _("Modify a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the user object'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_remove_cert(Method):
+ __doc__ = _("Remove one or more certificates to the user entry")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_show(Method):
+ __doc__ = _("Display information about a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_stage(Method):
+ __doc__ = _("Move deleted user into staged area")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ multivalue=True,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class user_status(Method):
+ __doc__ = _("""
+Lockout status of a user account
+
+ An account may become locked if the password is entered incorrectly too
+ many times within a specific time period as controlled by password
+ policy. A locked account is a temporary condition and may be unlocked by
+ an administrator.
+
+ This connects to each IPA master and displays the lockout status on
+ each one.
+
+ To determine whether an account is locked on a given server you need
+ to compare the number of failed logins and the time of the last failure.
+ For an account to be locked it must exceed the maxfail failures within
+ the failinterval duration as specified in the password policy associated
+ with the user.
+
+ The failed login counter is modified only when a user attempts a log in
+ so it is possible that an account may appear locked but the last failed
+ login attempt is older than the lockouttime of the password policy. This
+ means that the user may attempt a login again.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class user_undel(Method):
+ __doc__ = _("Undelete a delete user account.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_unlock(Method):
+ __doc__ = _("""
+Unlock a user account
+
+ An account may become locked if the password is entered incorrectly too
+ many times within a specific time period as controlled by password
+ policy. A locked account is a temporary condition and may be unlocked by
+ an administrator.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/vault.py b/ipaclient/remote_plugins/2_156/vault.py
new file mode 100644
index 000000000..8da030cf3
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/vault.py
@@ -0,0 +1,1680 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Vaults
+
+Manage vaults.
+
+Vault is a secure place to store a secret.
+
+Based on the ownership there are three vault categories:
+* user/private vault
+* service vault
+* shared vault
+
+User vaults are vaults owned used by a particular user. Private
+vaults are vaults owned the current user. Service vaults are
+vaults owned by a service. Shared vaults are owned by the admin
+but they can be used by other users or services.
+
+Based on the security mechanism there are three types of
+vaults:
+* standard vault
+* symmetric vault
+* asymmetric vault
+
+Standard vault uses a secure mechanism to transport and
+store the secret. The secret can only be retrieved by users
+that have access to the vault.
+
+Symmetric vault is similar to the standard vault, but it
+pre-encrypts the secret using a password before transport.
+The secret can only be retrieved using the same password.
+
+Asymmetric vault is similar to the standard vault, but it
+pre-encrypts the secret using a public key before transport.
+The secret can only be retrieved using the private key.
+
+EXAMPLES:
+
+ List vaults:
+ ipa vault-find
+ [--user <user>|--service <service>|--shared]
+
+ Add a standard vault:
+ ipa vault-add <name>
+ [--user <user>|--service <service>|--shared]
+ --type standard
+
+ Add a symmetric vault:
+ ipa vault-add <name>
+ [--user <user>|--service <service>|--shared]
+ --type symmetric --password-file password.txt
+
+ Add an asymmetric vault:
+ ipa vault-add <name>
+ [--user <user>|--service <service>|--shared]
+ --type asymmetric --public-key-file public.pem
+
+ Show a vault:
+ ipa vault-show <name>
+ [--user <user>|--service <service>|--shared]
+
+ Modify vault description:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --desc <description>
+
+ Modify vault type:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --type <type>
+ [old password/private key]
+ [new password/public key]
+
+ Modify symmetric vault password:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --change-password
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --old-password <old password>
+ --new-password <new password>
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --old-password-file <old password file>
+ --new-password-file <new password file>
+
+ Modify asymmetric vault keys:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --private-key-file <old private key file>
+ --public-key-file <new public key file>
+
+ Delete a vault:
+ ipa vault-del <name>
+ [--user <user>|--service <service>|--shared]
+
+ Display vault configuration:
+ ipa vaultconfig-show
+
+ Archive data into standard vault:
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
+
+ Archive data into symmetric vault:
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
+ --password-file password.txt
+
+ Archive data into asymmetric vault:
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
+
+ Retrieve data from standard vault:
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file>
+
+ Retrieve data from symmetric vault:
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file>
+ --password-file password.txt
+
+ Retrieve data from asymmetric vault:
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file> --private-key-file private.pem
+
+ Add vault owners:
+ ipa vault-add-owner <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
+
+ Delete vault owners:
+ ipa vault-remove-owner <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
+
+ Add vault members:
+ ipa vault-add-member <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
+
+ Delete vault members:
+ ipa vault-remove-member <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
+""")
+
+register = Registry()
+
+
+@register()
+class vault(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Vault name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Vault description'),
+ ),
+ parameters.Str(
+ 'ipavaulttype',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Vault type'),
+ ),
+ parameters.Bytes(
+ 'ipavaultsalt',
+ required=False,
+ label=_(u'Salt'),
+ doc=_(u'Vault salt'),
+ ),
+ parameters.Bytes(
+ 'ipavaultpublickey',
+ required=False,
+ label=_(u'Public key'),
+ doc=_(u'Vault public key'),
+ ),
+ parameters.Str(
+ 'owner_user',
+ required=False,
+ label=_(u'Owner users'),
+ ),
+ parameters.Str(
+ 'owner_group',
+ required=False,
+ label=_(u'Owner groups'),
+ ),
+ parameters.Str(
+ 'owner_service',
+ required=False,
+ label=_(u'Owner services'),
+ ),
+ parameters.Str(
+ 'owner',
+ required=False,
+ label=_(u'Failed owners'),
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ label=_(u'Vault service'),
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ label=_(u'Shared vault'),
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ label=_(u'Vault user'),
+ ),
+ parameters.Str(
+ 'member_user',
+ required=False,
+ label=_(u'Member users'),
+ ),
+ parameters.Str(
+ 'member_group',
+ required=False,
+ label=_(u'Member groups'),
+ ),
+ parameters.Str(
+ 'member_service',
+ required=False,
+ label=_(u'Member services'),
+ ),
+ )
+
+
+@register()
+class vaultconfig(Object):
+ takes_params = (
+ parameters.Bytes(
+ 'transport_cert',
+ label=_(u'Transport Certificate'),
+ ),
+ )
+
+
+@register()
+class vaultcontainer(Object):
+ takes_params = (
+ parameters.Str(
+ 'owner_user',
+ required=False,
+ label=_(u'Owner users'),
+ ),
+ parameters.Str(
+ 'owner_group',
+ required=False,
+ label=_(u'Owner groups'),
+ ),
+ parameters.Str(
+ 'owner_service',
+ required=False,
+ label=_(u'Owner services'),
+ ),
+ parameters.Str(
+ 'owner',
+ required=False,
+ label=_(u'Failed owners'),
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ label=_(u'Vault service'),
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ label=_(u'Shared vault'),
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ label=_(u'Vault user'),
+ ),
+ )
+
+
+@register()
+class kra_is_enabled(Command):
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vault_add_internal(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Vault description'),
+ ),
+ parameters.Str(
+ 'ipavaulttype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['standard', 'symmetric', 'asymmetric']",
+ label=_(u'Type'),
+ doc=_(u'Vault type'),
+ default=u'symmetric',
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'ipavaultsalt',
+ required=False,
+ cli_name='salt',
+ label=_(u'Salt'),
+ doc=_(u'Vault salt'),
+ ),
+ parameters.Bytes(
+ 'ipavaultpublickey',
+ required=False,
+ cli_name='public_key',
+ label=_(u'Public key'),
+ doc=_(u'Vault public key'),
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vault_add_member(Method):
+ __doc__ = _("Add members to a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'member service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class vault_add_owner(Method):
+ __doc__ = _("Add owners to a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'owner user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'owner group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'owner service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Owners that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of owners added'),
+ ),
+ )
+
+
+@register()
+class vault_archive_internal(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Bytes(
+ 'session_key',
+ doc=_(u'Session key wrapped with transport certificate'),
+ ),
+ parameters.Bytes(
+ 'vault_data',
+ doc=_(u'Vault data encrypted with session key'),
+ ),
+ parameters.Bytes(
+ 'nonce',
+ doc=_(u'Nonce'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vault_del(Method):
+ __doc__ = _("Delete a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class vault_find(Method):
+ __doc__ = _("Search for vaults.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Vault description'),
+ ),
+ parameters.Str(
+ 'ipavaulttype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['standard', 'symmetric', 'asymmetric']",
+ label=_(u'Type'),
+ doc=_(u'Vault type'),
+ default=u'symmetric',
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'services',
+ required=False,
+ doc=_(u'List all service vaults'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'users',
+ required=False,
+ doc=_(u'List all user vaults'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class vault_mod_internal(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Vault description'),
+ ),
+ parameters.Str(
+ 'ipavaulttype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['standard', 'symmetric', 'asymmetric']",
+ label=_(u'Type'),
+ doc=_(u'Vault type'),
+ default=u'symmetric',
+ ),
+ parameters.Bytes(
+ 'ipavaultsalt',
+ required=False,
+ cli_name='salt',
+ label=_(u'Salt'),
+ doc=_(u'Vault salt'),
+ ),
+ parameters.Bytes(
+ 'ipavaultpublickey',
+ required=False,
+ cli_name='public_key',
+ label=_(u'Public key'),
+ doc=_(u'Vault public key'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vault_remove_member(Method):
+ __doc__ = _("Remove members from a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'member service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class vault_remove_owner(Method):
+ __doc__ = _("Remove owners from a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'owner user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'owner group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'owner service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Owners that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of owners removed'),
+ ),
+ )
+
+
+@register()
+class vault_retrieve_internal(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Bytes(
+ 'session_key',
+ doc=_(u'Session key wrapped with transport certificate'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vault_show(Method):
+ __doc__ = _("Display information about a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vaultconfig_show(Method):
+ __doc__ = _("Show vault configuration.")
+
+ takes_options = (
+ parameters.Str(
+ 'transport_out',
+ required=False,
+ doc=_(u'Output file to store the transport certificate'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vaultcontainer_add_owner(Method):
+ __doc__ = _("Add owners to a vault container.")
+
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'owner user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'owner group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'owner service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Owners that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of owners added'),
+ ),
+ )
+
+
+@register()
+class vaultcontainer_del(Method):
+ __doc__ = _("Delete a vault container.")
+
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class vaultcontainer_remove_owner(Method):
+ __doc__ = _("Remove owners from a vault container.")
+
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'owner user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'owner group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'owner service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Owners that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of owners removed'),
+ ),
+ )
+
+
+@register()
+class vaultcontainer_show(Method):
+ __doc__ = _("Display information about a vault container.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/__init__.py b/ipaclient/remote_plugins/2_164/__init__.py
new file mode 100644
index 000000000..c17e26a61
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/__init__.py
@@ -0,0 +1,15 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+from ..compat import CompatCommand, CompatMethod, CompatObject
+
+Object = CompatObject
+
+
+class Command(CompatCommand):
+ api_version = u'2.164'
+
+
+class Method(Command, CompatMethod):
+ pass
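Review bot: `api_version = u'2.164'` in `Command` repeats the version already encoded in the package directory name `2_164`, and nothing visible in this hunk keeps the two in sync. A one-line comment above the assignment, such as `# must match the package directory name (2_164)`, would make that coupling explicit. `Method(Command, CompatMethod)` appears to rely on base-class order so that `api_version` is picked up from `Command`; a short class docstring such as `"""Compat method pinned to this package's API version."""` would record that intent. If these per-version packages are generated, the comment and docstring belong in the generator template rather than in this file.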
diff --git a/ipaclient/remote_plugins/2_164/aci.py b/ipaclient/remote_plugins/2_164/aci.py
new file mode 100644
index 000000000..316abeb46
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/aci.py
@@ -0,0 +1,812 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Directory Server Access Control Instructions (ACIs)
+
+ACIs are used to allow or deny access to information. This module is
+currently designed to allow, not deny, access.
+
+The aci commands are designed to grant permissions that allow updating
+existing entries or adding or deleting new ones. The goal of the ACIs
+that ship with IPA is to provide a set of low-level permissions that
+grant access to special groups called taskgroups. These low-level
+permissions can be combined into roles that grant broader access. These
+roles are another type of group, roles.
+
+For example, if you have taskgroups that allow adding and modifying users you
+could create a role, useradmin. You would assign users to the useradmin
+role to allow them to do the operations defined by the taskgroups.
+
+You can create ACIs that delegate permission so users in group A can write
+attributes on group B.
+
+The type option is a map that applies to all entries in the users, groups or
+host location. It is primarily designed to be used when granting add
+permissions (to write new entries).
+
+An ACI consists of three parts:
+1. target
+2. permissions
+3. bind rules
+
+The target is a set of rules that define which LDAP objects are being
+targeted. This can include a list of attributes, an area of that LDAP
+tree or an LDAP filter.
+
+The targets include:
+- attrs: list of attributes affected
+- type: an object type (user, group, host, service, etc)
+- memberof: members of a group
+- targetgroup: grant access to modify a specific group. This is primarily
+ designed to enable users to add or remove members of a specific group.
+- filter: A legal LDAP filter used to narrow the scope of the target.
+- subtree: Used to apply a rule across an entire set of objects. For example,
+ to allow adding users you need to grant "add" permission to the subtree
+ ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option
+ is a fail-safe for objects that may not be covered by the type option.
+
+The permissions define what the ACI is allowed to do, and are one or
+more of:
+1. write - write one or more attributes
+2. read - read one or more attributes
+3. add - add a new entry to the tree
+4. delete - delete an existing entry
+5. all - all permissions are granted
+
+Note the distinction between attributes and entries. The permissions are
+independent, so being able to add a user does not mean that the user will
+be editable.
+
+The bind rule defines who this ACI grants permissions to. The LDAP server
+allows this to be any valid LDAP entry but we encourage the use of
+taskgroups so that the rights can be easily shared through roles.
+
+For a more thorough description of access controls see
+http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html
+
+EXAMPLES:
+
+NOTE: ACIs are now added via the permission plugin. These examples are to
+demonstrate how the various options work but this is done via the permission
+command-line now (see last example).
+
+ Add an ACI so that the group "secretaries" can update the address on any user:
+ ipa group-add --desc="Office secretaries" secretaries
+ ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses"
+
+ Show the new ACI:
+ ipa aci-show --prefix=none "Secretaries write addresses"
+
+ Add an ACI that allows members of the "addusers" permission to add new users:
+ ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users"
+
+ Add an ACI that allows members of the editors manage members of the admins group:
+ ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins"
+
+ Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group:
+ ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street --attrs=postalcode --prefix=none "admins edit the address of editors"
+
+ Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss:
+ ipa aci-add --permissions=write --group=admins --attrs=street --attrs=postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss"
+
+ Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
+ ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
+
+
+The show command shows the raw 389-ds ACI.
+
+IMPORTANT: When modifying the target attributes of an existing ACI you
+must include all existing attributes as well. When doing an aci-mod the
+targetattr REPLACES the current attributes, it does not add to them.
+""")
+
+register = Registry()
+
+
+@register()
+class aci(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'ACI name'),
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ ),
+ )
+
+
+@register()
+class aci_add(Method):
+ __doc__ = _("Create new ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'test',
+ required=False,
+ doc=_(u"Test the ACI syntax but don't write anything"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_del(Method):
+ __doc__ = _("Delete ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_find(Method):
+ __doc__ = _("""
+Search for ACIs.
+
+ Returns a list of ACIs
+
+ EXAMPLES:
+
+ To find all ACIs that apply directly to members of the group ipausers:
+ ipa aci-find --memberof=ipausers
+
+ To find all ACIs that grant add access:
+ ipa aci-find --permissions=add
+
+ Note that the find command only looks for the given text in the set of
+ ACIs, it does not evaluate the ACIs to see if something would apply.
+ For example, searching on memberof=ipausers will find all ACIs that
+ have ipausers as a memberof. There may be other ACIs that apply to
+ members of that group indirectly.
+ """)
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Bool(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ required=False,
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class aci_mod(Method):
+ __doc__ = _("Modify ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_rename(Method):
+ __doc__ = _("Rename an ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes to which the permission applies'),
+ doc=_(u'Attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Str(
+ 'newname',
+ doc=_(u'New ACI name'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_show(Method):
+ __doc__ = _("Display a single ACI given an ACI name.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.DNParam(
+ 'location',
+ required=False,
+ label=_(u'Location of the ACI'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/automember.py b/ipaclient/remote_plugins/2_164/automember.py
new file mode 100644
index 000000000..09b5a8d01
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/automember.py
@@ -0,0 +1,827 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Auto Membership Rule.
+
+Bring clarity to the membership of hosts and users by configuring inclusive
+or exclusive regex patterns, you can automatically assign a new entries into
+a group or hostgroup based upon attribute information.
+
+A rule is directly associated with a group by name, so you cannot create
+a rule without an accompanying group or hostgroup.
+
+A condition is a regular expression used by 389-ds to match a new incoming
+entry with an automember rule. If it matches an inclusive rule then the
+entry is added to the appropriate group or hostgroup.
+
+A default group or hostgroup could be specified for entries that do not
+match any rule. In case of user entries this group will be a fallback group
+because all users are by default members of group specified in IPA config.
+
+The automember-rebuild command can be used to retroactively run automember rules
+against existing entries, thus rebuilding their membership.
+
+EXAMPLES:
+
+ Add the initial group or hostgroup:
+ ipa hostgroup-add --desc="Web Servers" webservers
+ ipa group-add --desc="Developers" devel
+
+ Add the initial rule:
+ ipa automember-add --type=hostgroup webservers
+ ipa automember-add --type=group devel
+
+ Add a condition to the rule:
+ ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
+ ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel
+
+ Add an exclusive condition to the rule to prevent auto assignment:
+ ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
+
+ Add a host:
+ ipa host-add web1.example.com
+
+ Add a user:
+ ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott
+
+ Verify automembership:
+ ipa hostgroup-show webservers
+ Host-group: webservers
+ Description: Web Servers
+ Member hosts: web1.example.com
+
+ ipa group-show devel
+ Group name: devel
+ Description: Developers
+ GID: 1004200000
+ Member users: tuser
+
+ Remove a condition from the rule:
+ ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
+
+ Modify the automember rule:
+ ipa automember-mod
+
+ Set the default (fallback) target group:
+ ipa automember-default-group-set --default-group=webservers --type=hostgroup
+ ipa automember-default-group-set --default-group=ipausers --type=group
+
+ Remove the default (fallback) target group:
+ ipa automember-default-group-remove --type=hostgroup
+ ipa automember-default-group-remove --type=group
+
+ Show the default (fallback) target group:
+ ipa automember-default-group-show --type=hostgroup
+ ipa automember-default-group-show --type=group
+
+ Find all of the automember rules:
+ ipa automember-find
+
+ Display a automember rule:
+ ipa automember-show --type=hostgroup webservers
+ ipa automember-show --type=group devel
+
+ Delete an automember rule:
+ ipa automember-del --type=hostgroup webservers
+ ipa automember-del --type=group devel
+
+ Rebuild membership for all users:
+ ipa automember-rebuild --type=group
+
+ Rebuild membership for all hosts:
+ ipa automember-rebuild --type=hostgroup
+
+ Rebuild membership for specified users:
+ ipa automember-rebuild --users=tuser1 --users=tuser2
+
+ Rebuild membership for specified hosts:
+ ipa automember-rebuild --hosts=web1.example.com --hosts=web2.example.com
+""")
+
+register = Registry()
+
+
+@register()
+class automember(Object):
+ takes_params = (
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberdefaultgroup',
+ required=False,
+ label=_(u'Default (fallback) Group'),
+ doc=_(u'Default group for entries to land'),
+ ),
+ )
+
+
+@register()
+class automember_add(Method):
+ __doc__ = _("Add an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_add_condition(Method):
+ __doc__ = _("Add conditions to an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberinclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='inclusive_regex',
+ label=_(u'Inclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'automemberexclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='exclusive_regex',
+ label=_(u'Exclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'key',
+ label=_(u'Attribute Key'),
+ doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Conditions that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of conditions added'),
+ ),
+ )
+
+
+@register()
+class automember_default_group_remove(Method):
+ __doc__ = _("Remove default (fallback) group for all unmatched entries.")
+
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_default_group_set(Method):
+ __doc__ = _("Set default (fallback) group for all unmatched entries.")
+
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberdefaultgroup',
+ cli_name='default_group',
+ label=_(u'Default (fallback) Group'),
+ doc=_(u'Default (fallback) group for entries to land'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_default_group_show(Method):
+ __doc__ = _("Display information about the default (fallback) automember groups.")
+
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_del(Method):
+ __doc__ = _("Delete an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automember_find(Method):
+ __doc__ = _("Search for automember rules.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automember_mod(Method):
+ __doc__ = _("Modify an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_rebuild(Command):
+ __doc__ = _("Rebuild auto membership.")
+
+ takes_options = (
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Rebuild membership for all members of a grouping'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Str(
+ 'users',
+ required=False,
+ multivalue=True,
+ label=_(u'Users'),
+ doc=_(u'Rebuild membership for specified users'),
+ ),
+ parameters.Str(
+ 'hosts',
+ required=False,
+ multivalue=True,
+ label=_(u'Hosts'),
+ doc=_(u'Rebuild membership for specified hosts'),
+ ),
+ parameters.Flag(
+ 'no_wait',
+ required=False,
+ label=_(u'No wait'),
+ doc=_(u"Don't wait for rebuilding membership"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_remove_condition(Method):
+ __doc__ = _("Remove conditions from an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberinclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='inclusive_regex',
+ label=_(u'Inclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'automemberexclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='exclusive_regex',
+ label=_(u'Exclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'key',
+ label=_(u'Attribute Key'),
+ doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Conditions that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of conditions removed'),
+ ),
+ )
+
+
+@register()
+class automember_show(Method):
+ __doc__ = _("Display information about an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
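Review bot: The `--inclusive-regex` / `--exclusive-regex` examples in the module docstring ("Add a condition", "Add an exclusive condition", "Remove a condition") are unquoted and have no end anchor, which is risky because these rules decide group and hostgroup membership. Typed as shown, a POSIX shell drops the backslashes, so `\.` reaches the server as `.`. Assuming 389-ds applies the pattern as a search, `^web[1-9]+\.example\.com` also matches a longer name that only begins with that string. The examples should show the stricter form, e.g. `--inclusive-regex='^web[1-9]+\.example\.com$'`. The `\.` sequences also sit in a non-raw `"""` literal, which recent Python 3 releases warn about as an invalid escape, so write `\\.` there; if this file is generated from the server-side plugin, the fix presumably belongs in that source docstring.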
diff --git a/ipaclient/remote_plugins/2_164/automount.py b/ipaclient/remote_plugins/2_164/automount.py
new file mode 100644
index 000000000..334cec034
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/automount.py
@@ -0,0 +1,1228 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Automount
+
+Stores automount(8) configuration for autofs(8) in IPA.
+
+The base of an automount configuration is the configuration file auto.master.
+This is also the base location in IPA. Multiple auto.master configurations
+can be stored in separate locations. A location is implementation-specific
+with the default being a location named 'default'. For example, you can have
+locations by geographic region, by floor, by type, etc.
+
+Automount has three basic object types: locations, maps and keys.
+
+A location defines a set of maps anchored in auto.master. This allows you
+to store multiple automount configurations. A location in itself isn't
+very interesting, it is just a point to start a new automount map.
+
+A map is roughly equivalent to a discrete automount file and provides
+storage for keys.
+
+A key is a mount point associated with a map.
+
+When a new location is created, two maps are automatically created for
+it: auto.master and auto.direct. auto.master is the root map for all
+automount maps for the location. auto.direct is the default map for
+direct mounts and is mounted on /-.
+
+An automount map may contain a submount key. This key defines a mount
+location within the map that references another map. This can be done
+either using automountmap-add-indirect --parentmap or manually
+with automountkey-add and setting info to "-type=autofs :<mapname>".
+
+EXAMPLES:
+
+Locations:
+
+ Create a named location, "Baltimore":
+ ipa automountlocation-add baltimore
+
+ Display the new location:
+ ipa automountlocation-show baltimore
+
+ Find available locations:
+ ipa automountlocation-find
+
+ Remove a named automount location:
+ ipa automountlocation-del baltimore
+
+ Show what the automount maps would look like if they were in the filesystem:
+ ipa automountlocation-tofiles baltimore
+
+ Import an existing configuration into a location:
+ ipa automountlocation-import baltimore /etc/auto.master
+
+ The import will fail if any duplicate entries are found. For
+ continuous operation where errors are ignored, use the --continue
+ option.
+
+Maps:
+
+ Create a new map, "auto.share":
+ ipa automountmap-add baltimore auto.share
+
+ Display the new map:
+ ipa automountmap-show baltimore auto.share
+
+ Find maps in the location baltimore:
+ ipa automountmap-find baltimore
+
+ Create an indirect map with auto.share as a submount:
+ ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man
+
+ This is equivalent to:
+
+ ipa automountmap-add-indirect baltimore --mount=/man auto.man
+ ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share"
+
+ Remove the auto.share map:
+ ipa automountmap-del baltimore auto.share
+
+Keys:
+
+ Create a new key for the auto.share map in location baltimore. This ties
+ the map we previously created to auto.master:
+ ipa automountkey-add baltimore auto.master --key=/share --info=auto.share
+
+ Create a new key for our auto.share map, an NFS mount for man pages:
+ ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man"
+
+ Find all keys for the auto.share map:
+ ipa automountkey-find baltimore auto.share
+
+ Find all direct automount keys:
+ ipa automountkey-find baltimore --key=/-
+
+ Remove the man key from the auto.share map:
+ ipa automountkey-del baltimore auto.share --key=man
+""")
+
+register = Registry()
+
+
+@register()
+class automountkey(Object):
+ takes_params = (
+ parameters.Str(
+ 'automountkey',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ primary_key=True,
+ label=_(u'description'),
+ exclude=('webui', 'cli'),
+ ),
+ )
+
+
+@register()
+class automountlocation(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+
+
+@register()
+class automountmap(Object):
+ takes_params = (
+ parameters.Str(
+ 'automountmapname',
+ primary_key=True,
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ )
+
+
+@register()
+class automountkey_add(Method):
+ __doc__ = _("Create a new automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountkey_del(Method):
+ __doc__ = _("Delete an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automountkey_find(Method):
+ __doc__ = _("Search for an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ required=False,
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountkey_mod(Method):
+ __doc__ = _("Modify an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'newautomountinformation',
+ required=False,
+ cli_name='newinfo',
+ label=_(u'New mount information'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the automount key object'),
+ exclude=('webui',),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountkey_show(Method):
+ __doc__ = _("Display an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_add(Method):
+ __doc__ = _("Create a new automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_del(Method):
+ __doc__ = _("Delete an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automountlocation_find(Method):
+ __doc__ = _("Search for an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("location")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountlocation_show(Method):
+ __doc__ = _("Display an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_tofiles(Method):
+ __doc__ = _("Generate automount files for a specific location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class automountmap_add(Method):
+ __doc__ = _("Create a new automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_add_indirect(Method):
+ __doc__ = _("Create a new indirect mount point.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'key',
+ cli_name='mount',
+ label=_(u'Mount point'),
+ ),
+ parameters.Str(
+ 'parentmap',
+ required=False,
+ label=_(u'Parent map'),
+ doc=_(u'Name of parent automount map (default: auto.master).'),
+ default=u'auto.master',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_del(Method):
+ __doc__ = _("Delete an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ multivalue=True,
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class automountmap_find(Method):
+ __doc__ = _("Search for an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountmapname',
+ required=False,
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("map")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountmap_mod(Method):
+ __doc__ = _("Modify an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_show(Method):
+ __doc__ = _("Display an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
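Review bot: The NFS key example in the "Keys:" part of the module docstring uses `--info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man"`, with no `nosuid` or `nodev`. These maps are served centrally to every client in a location and doc examples tend to be copied verbatim, so I would show the restrictive options in the sample: `--info="-ro,nosuid,nodev,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man"`. The same docstring also describes the submount info as `"-type=autofs :<mapname>"` in the overview but uses `"-fstype=autofs ldap:auto.share"` in the Maps example; the two should agree, presumably on the `-fstype=` form. This file looks like a generated client stub, so the wording probably has to be fixed in the server-side plugin it was derived from.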
diff --git a/ipaclient/remote_plugins/2_164/batch.py b/ipaclient/remote_plugins/2_164/batch.py
new file mode 100644
index 000000000..4a613b677
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/batch.py
@@ -0,0 +1,71 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugin to make multiple ipa calls via one remote procedure call
+
+To run this code in the lite-server
+
+curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json
+
+where the contents of the file batch_request.json follow the below example
+
+{"method":"batch","params":[[
+ {"method":"group_find","params":[[],{}]},
+ {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]},
+ {"method":"user_show","params":[["admin"],{"all":true}]}
+ ],{}],"id":1}
+
+The format of the response is nested the same way. At the top you will see
+ "error": null,
+ "id": 1,
+ "result": {
+ "count": 3,
+ "results": [
+
+
+And then a nested response for each IPA command method sent in the request
+""")
+
+register = Registry()
+
+
+@register()
+class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'methods',
+ required=False,
+ multivalue=True,
+ doc=_(u'Nested Methods to execute'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'count',
+ int,
+ ),
+ output.Output(
+ 'results',
+ (list, tuple),
+ ),
+ )
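Review bot: The curl example in the module docstring sends `--negotiate -u :` to `http://localhost:8888/ipa/json`, so `--cacert /etc/ipa/ca.crt` has no effect and the Negotiate header and JSON body travel unencrypted. That is tolerable for the lite-server on loopback, but the docstring should say so, e.g. by adding `The plain-http URL is for the local lite-server only; against a real server use https:// so that --cacert is honoured.` The sample request also passes `"whoami":"true","all":"true"` as strings in one call and `"all":true` as a boolean in the next; using the JSON boolean in both avoids relying on whatever coercion the server applies.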
diff --git a/ipaclient/remote_plugins/2_164/caacl.py b/ipaclient/remote_plugins/2_164/caacl.py
new file mode 100644
index 000000000..09cfc4b65
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/caacl.py
@@ -0,0 +1,1155 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Manage CA ACL rules.
+
+This plugin is used to define rules governing which principals are
+permitted to have certificates issued using a given certificate
+profile.
+
+PROFILE ID SYNTAX:
+
+A Profile ID is a string without spaces or punctuation starting with a letter
+and followed by a sequence of letters, digits or underscore ("_").
+
+EXAMPLES:
+
+ Create a CA ACL "test" that grants all users access to the
+ "UserCert" profile:
+ ipa caacl-add test --usercat=all
+ ipa caacl-add-profile test --certprofiles UserCert
+
+ Display the properties of a named CA ACL:
+ ipa caacl-show test
+
+ Create a CA ACL to let user "alice" use the "DNP3" profile:
+ ipa caacl-add-profile alice_dnp3 --certprofiles DNP3
+ ipa caacl-add-user alice_dnp3 --user=alice
+
+ Disable a CA ACL:
+ ipa caacl-disable test
+
+ Remove a CA ACL:
+ ipa caacl-del test
+""")
+
+register = Registry()
+
+
+@register()
+class caacl(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'ACL name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'ipacertprofilecategory',
+ required=False,
+ label=_(u'Profile category'),
+ doc=_(u'Profile category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ label=_(u'Service category'),
+ doc=_(u'Service category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'ipamembercertprofile_certprofile',
+ required=False,
+ label=_(u'Profiles'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ parameters.Str(
+ 'memberservice_service',
+ required=False,
+ label=_(u'Services'),
+ ),
+ )
+
+
+@register()
+class caacl_add(Method):
+ __doc__ = _("Create a new CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipacertprofilecategory',
+ required=False,
+ cli_name='profilecat',
+ cli_metavar="['all']",
+ label=_(u'Profile category'),
+ doc=_(u'Profile category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class caacl_add_host(Method):
+ __doc__ = _("Add target hosts and hostgroups to a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class caacl_add_profile(Method):
+ __doc__ = _("Add profiles to a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'certprofile',
+ required=False,
+ multivalue=True,
+ cli_name='certprofiles',
+ label=_(u'member Certificate Profile'),
+ doc=_(u'Certificate Profiles to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class caacl_add_service(Method):
+ __doc__ = _("Add services to a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ multivalue=True,
+ cli_name='services',
+ label=_(u'member service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class caacl_add_user(Method):
+ __doc__ = _("Add users and groups to a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class caacl_del(Method):
+ __doc__ = _("Delete a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class caacl_disable(Method):
+ __doc__ = _("Disable a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class caacl_enable(Method):
+ __doc__ = _("Enable a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class caacl_find(Method):
+ __doc__ = _("Search for CA ACLs.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipacertprofilecategory',
+ required=False,
+ cli_name='profilecat',
+ cli_metavar="['all']",
+ label=_(u'Profile category'),
+ doc=_(u'Profile category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the ACL applies to'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class caacl_mod(Method):
+ __doc__ = _("Modify a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipacertprofilecategory',
+ required=False,
+ cli_name='profilecat',
+ cli_metavar="['all']",
+ label=_(u'Profile category'),
+ doc=_(u'Profile category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the ACL applies to'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class caacl_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class caacl_remove_profile(Method):
+ __doc__ = _("Remove profiles from a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'certprofile',
+ required=False,
+ multivalue=True,
+ cli_name='certprofiles',
+ label=_(u'member Certificate Profile'),
+ doc=_(u'Certificate Profiles to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class caacl_remove_service(Method):
+ __doc__ = _("Remove services from a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ multivalue=True,
+ cli_name='services',
+ label=_(u'member service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class caacl_remove_user(Method):
+ __doc__ = _("Remove users and groups from a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class caacl_show(Method):
+ __doc__ = _("Display the properties of a CA ACL.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ACL name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
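Review bot: The third example in the module docstring adds a profile and a user to `alice_dnp3` without ever creating that ACL, so followed verbatim it would presumably fail on the first command; it should start with `ipa caacl-add alice_dnp3`. These rules decide which principals may obtain certificates under a profile, so the examples are likely to be copied as they stand and should be runnable. Separately, the four category options (`ipacertprofilecategory`, `usercategory`, `hostcategory`, `servicecategory`) are plain `Str`, and only `cli_metavar="['all']"` hints at the accepted value; a one-line comment that the value set is enforced by the server and not by this stub would help. If this file is generated from the server schema, both changes belong in the source it is generated from.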
diff --git a/ipaclient/remote_plugins/2_164/cert.py b/ipaclient/remote_plugins/2_164/cert.py
new file mode 100644
index 000000000..de760fdcb
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/cert.py
@@ -0,0 +1,382 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+IPA certificate operations
+
+Implements a set of commands for managing server SSL certificates.
+
+Certificate requests exist in the form of a Certificate Signing Request (CSR)
+in PEM format.
+
+The dogtag CA uses just the CN value of the CSR and forces the rest of the
+subject to values configured in the server.
+
+A certificate is stored with a service principal and a service principal
+needs a host.
+
+In order to request a certificate:
+
+* The host must exist
+* The service must exist (or you use the --add option to automatically add it)
+
+SEARCHING:
+
+Certificates may be searched on by certificate subject, serial number,
+revocation reason, validity dates and the issued date.
+
+When searching on dates the _from date does a >= search and the _to date
+does a <= search. When combined these are done as an AND.
+
+Dates are treated as GMT to match the dates in the certificates.
+
+The date format is YYYY-mm-dd.
+
+EXAMPLES:
+
+ Request a new certificate and add the principal:
+ ipa cert-request --add --principal=HTTP/lion.example.com example.csr
+
+ Retrieve an existing certificate:
+ ipa cert-show 1032
+
+ Revoke a certificate (see RFC 5280 for reason details):
+ ipa cert-revoke --revocation-reason=6 1032
+
+ Remove a certificate from revocation hold status:
+ ipa cert-remove-hold 1032
+
+ Check the status of a signing request:
+ ipa cert-status 10
+
+ Search for certificates by hostname:
+ ipa cert-find --subject=ipaserver.example.com
+
+ Search for revoked certificates by reason:
+ ipa cert-find --revocation-reason=5
+
+ Search for certificates based on issuance date
+ ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07
+
+IPA currently immediately issues (or declines) all certificate requests so
+the status of a request is not normally useful. This is for future use
+or the case where a CA does not immediately issue a certificate.
+
+The following revocation reasons are supported:
+
+ * 0 - unspecified
+ * 1 - keyCompromise
+ * 2 - cACompromise
+ * 3 - affiliationChanged
+ * 4 - superseded
+ * 5 - cessationOfOperation
+ * 6 - certificateHold
+ * 8 - removeFromCRL
+ * 9 - privilegeWithdrawn
+ * 10 - aACompromise
+
+Note that reason code 7 is not used. See RFC 5280 for more details:
+
+http://www.ietf.org/rfc/rfc5280.txt
+""")
+
+register = Registry()
+
+
+@register()
+class ca_is_enabled(Command):
+ __doc__ = _("Checks if any of the servers has the CA service enabled.")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cert_find(Command):
+ __doc__ = _("Search for existing certificates.")
+
+ takes_options = (
+ parameters.Str(
+ 'subject',
+ required=False,
+ label=_(u'Subject'),
+ ),
+ parameters.Int(
+ 'revocation_reason',
+ required=False,
+ label=_(u'Reason'),
+ doc=_(u'Reason for revoking the certificate (0-10)'),
+ ),
+ parameters.Int(
+ 'min_serial_number',
+ required=False,
+ doc=_(u'minimum serial number'),
+ ),
+ parameters.Int(
+ 'max_serial_number',
+ required=False,
+ doc=_(u'maximum serial number'),
+ ),
+ parameters.Flag(
+ 'exactly',
+ required=False,
+ doc=_(u'match the common name exactly'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'validnotafter_from',
+ required=False,
+ doc=_(u'Valid not after from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'validnotafter_to',
+ required=False,
+ doc=_(u'Valid not after to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'validnotbefore_from',
+ required=False,
+ doc=_(u'Valid not before from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'validnotbefore_to',
+ required=False,
+ doc=_(u'Valid not before to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'issuedon_from',
+ required=False,
+ doc=_(u'Issued on from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'issuedon_to',
+ required=False,
+ doc=_(u'Issued on to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'revokedon_from',
+ required=False,
+ doc=_(u'Revoked on from this date (YYYY-mm-dd)'),
+ ),
+ parameters.Str(
+ 'revokedon_to',
+ required=False,
+ doc=_(u'Revoked on to this date (YYYY-mm-dd)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of certs returned'),
+ default=100,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class cert_remove_hold(Command):
+ __doc__ = _("Take a revoked certificate off hold.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_request(Command):
+ __doc__ = _("Submit a certificate signing request.")
+
+ takes_args = (
+ parameters.Str(
+ 'csr',
+ cli_name='csr_file',
+ label=_(u'CSR'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'principal',
+ label=_(u'Principal'),
+ doc=_(u'Principal for this certificate (e.g. HTTP/test.example.com)'),
+ ),
+ parameters.Str(
+ 'request_type',
+ default=u'pkcs10',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'add',
+ doc=_(u"automatically add the principal if it doesn't exist"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'profile_id',
+ required=False,
+ label=_(u'Profile ID'),
+ doc=_(u'Certificate Profile to use'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ )
+
+
+@register()
+class cert_revoke(Command):
+ __doc__ = _("Revoke a certificate.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'revocation_reason',
+ label=_(u'Reason'),
+ doc=_(u'Reason for revoking the certificate (0-10)'),
+ default=0,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_show(Command):
+ __doc__ = _("Retrieve an existing certificate.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'out',
+ required=False,
+ label=_(u'Output filename'),
+ doc=_(u'File to store the certificate in.'),
+ exclude=('webui',),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_status(Command):
+ __doc__ = _("Check the status of a certificate signing request.")
+
+ takes_args = (
+ parameters.Str(
+ 'request_id',
+ label=_(u'Request id'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
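Review bot: `revocation_reason` in both `cert_find` and `cert_revoke` is an unconstrained `parameters.Int`; the range exists only in the doc text "(0-10)", and the module docstring adds that code 7 is not used. As declared, the stub passes any integer through, so the check rests entirely on the server; either declare the bounds (`minvalue=0,` and `maxvalue=10,`) or add a comment stating that range validation is server-side. `cert_revoke` also fills in reason 0 (unspecified) through `default=0, autofill=True`, so an operator who omits the option records no reason, and the option's `doc` should say so. If the stubs are generated from the server schema, the change belongs in the generator.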
diff --git a/ipaclient/remote_plugins/2_164/certprofile.py b/ipaclient/remote_plugins/2_164/certprofile.py
new file mode 100644
index 000000000..b612342a1
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/certprofile.py
@@ -0,0 +1,431 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Manage Certificate Profiles
+
+Certificate Profiles are used by Certificate Authority (CA) in the signing of
+certificates to determine if a Certificate Signing Request (CSR) is acceptable,
+and if so what features and extensions will be present on the certificate.
+
+The Certificate Profile format is the property-list format understood by the
+Dogtag or Red Hat Certificate System CA.
+
+PROFILE ID SYNTAX:
+
+A Profile ID is a string without spaces or punctuation starting with a letter
+and followed by a sequence of letters, digits or underscore ("_").
+
+EXAMPLES:
+
+ Import a profile that will not store issued certificates:
+ ipa certprofile-import ShortLivedUserCert \
+ --file UserCert.profile --desc "User Certificates" \
+ --store=false
+
+ Delete a certificate profile:
+ ipa certprofile-del ShortLivedUserCert
+
+ Show information about a profile:
+ ipa certprofile-show ShortLivedUserCert
+
+ Save profile configuration to a file:
+ ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg
+
+ Search for profiles that do not store certificates:
+ ipa certprofile-find --store=false
+
+PROFILE CONFIGURATION FORMAT:
+
+The profile configuration format is the raw property-list format
+used by Dogtag Certificate System. The XML format is not supported.
+
+The following restrictions apply to profiles managed by FreeIPA:
+
+- When importing a profile the "profileId" field, if present, must
+ match the ID given on the command line.
+
+- The "classId" field must be set to "caEnrollImpl"
+
+- The "auth.instance_id" field must be set to "raCertAuth"
+
+- The "certReqInputImpl" input class and "certOutputImpl" output
+ class must be used.
+""")
+
+register = Registry()
+
+
+@register()
+class certprofile(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ parameters.Str(
+ 'description',
+ label=_(u'Profile description'),
+ doc=_(u'Brief description of this profile'),
+ ),
+ parameters.Bool(
+ 'ipacertprofilestoreissued',
+ label=_(u'Store issued certificates'),
+ doc=_(u'Whether to store certs issued using this profile'),
+ ),
+ )
+
+
+@register()
+class certprofile_del(Method):
+ __doc__ = _("Delete a Certificate Profile.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='id',
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class certprofile_find(Method):
+ __doc__ = _("Search for Certificate Profiles.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='id',
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Profile description'),
+ doc=_(u'Brief description of this profile'),
+ ),
+ parameters.Bool(
+ 'ipacertprofilestoreissued',
+ required=False,
+ cli_name='store',
+ label=_(u'Store issued certificates'),
+ doc=_(u'Whether to store certs issued using this profile'),
+ default=True,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("id")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class certprofile_import(Method):
+ __doc__ = _("Import a Certificate Profile.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='id',
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ cli_name='desc',
+ label=_(u'Profile description'),
+ doc=_(u'Brief description of this profile'),
+ ),
+ parameters.Bool(
+ 'ipacertprofilestoreissued',
+ cli_name='store',
+ label=_(u'Store issued certificates'),
+ doc=_(u'Whether to store certs issued using this profile'),
+ default=True,
+ ),
+ parameters.Str(
+ 'file',
+ label=_(u'Filename of a raw profile. The XML format is not supported.'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class certprofile_mod(Method):
+ __doc__ = _("Modify Certificate Profile configuration.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='id',
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Profile description'),
+ doc=_(u'Brief description of this profile'),
+ ),
+ parameters.Bool(
+ 'ipacertprofilestoreissued',
+ required=False,
+ cli_name='store',
+ label=_(u'Store issued certificates'),
+ doc=_(u'Whether to store certs issued using this profile'),
+ default=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'file',
+ required=False,
+ label=_(u'File containing profile configuration'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class certprofile_show(Method):
+ __doc__ = _("Display the properties of a Certificate Profile.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='id',
+ label=_(u'Profile ID'),
+ doc=_(u'Profile ID for referring to this profile'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'Write profile configuration to file'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
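Review bot: The `cn` argument of `certprofile_import` (and of the other methods in this hunk) is a bare `parameters.Str` with no constraint, although the module docstring defines a Profile ID syntax (a letter followed by letters, digits or underscore). Nothing visible in this file rejects an ID containing spaces or punctuation before the request is sent, so enforcement presumably rests entirely on the server. If that is intended, a comment above the class would make it explicit, e.g. `# Profile ID syntax and the profile-content restrictions listed above are checked by the server, not by this stub`; otherwise a `pattern=` on `cn` could mirror the documented rule. Separately, the `file` option of `certprofile_import` carries its help sentence in `label` and has no `doc`, and `out` in `certprofile_show` has a `doc` but no `label`; `cert_show`'s `out` option sets both.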
diff --git a/ipaclient/remote_plugins/2_164/config.py b/ipaclient/remote_plugins/2_164/config.py
new file mode 100644
index 000000000..4997d0324
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/config.py
@@ -0,0 +1,408 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Server configuration
+
+Manage the default values that IPA uses and some of its tuning parameters.
+
+NOTES:
+
+The password notification value (--pwdexpnotify) is stored here so it will
+be replicated. It is not currently used to notify users in advance of an
+expiring password.
+
+Some attributes are read-only, provided only for information purposes. These
+include:
+
+Certificate Subject base: the configured certificate subject base,
+ e.g. O=EXAMPLE.COM. This is configurable only at install time.
+Password plug-in features: currently defines additional hashes that the
+ password will generate (there may be other conditions).
+
+When setting the order list for mapping SELinux users you may need to
+quote the value so it isn't interpreted by the shell.
+
+EXAMPLES:
+
+ Show basic server configuration:
+ ipa config-show
+
+ Show all configuration options:
+ ipa config-show --all
+
+ Change maximum username length to 99 characters:
+ ipa config-mod --maxusername=99
+
+ Increase default time and size limits for maximum IPA server search:
+ ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000
+
+ Set default user e-mail domain:
+ ipa config-mod --emaildomain=example.com
+
+ Enable migration mode to make "ipa migrate-ds" command operational:
+ ipa config-mod --enable-migration=TRUE
+
+ Define SELinux user map order:
+ ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
+""")
+
+register = Registry()
+
+
+@register()
+class config(Object):
+ takes_params = (
+ parameters.Int(
+ 'ipamaxusernamelength',
+ label=_(u'Maximum username length'),
+ ),
+ parameters.Str(
+ 'ipahomesrootdir',
+ label=_(u'Home directory base'),
+ doc=_(u'Default location of home directories'),
+ ),
+ parameters.Str(
+ 'ipadefaultloginshell',
+ label=_(u'Default shell'),
+ doc=_(u'Default shell for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultprimarygroup',
+ label=_(u'Default users group'),
+ doc=_(u'Default group for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultemaildomain',
+ required=False,
+ label=_(u'Default e-mail domain'),
+ ),
+ parameters.Int(
+ 'ipasearchtimelimit',
+ label=_(u'Search time limit'),
+ doc=_(u'Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'ipasearchrecordslimit',
+ label=_(u'Search size limit'),
+ doc=_(u'Maximum number of records to search (-1 or 0 is unlimited)'),
+ ),
+ parameters.Str(
+ 'ipausersearchfields',
+ label=_(u'User search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for users'),
+ ),
+ parameters.Str(
+ 'ipagroupsearchfields',
+ label=_(u'Group search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for groups'),
+ ),
+ parameters.Bool(
+ 'ipamigrationenabled',
+ label=_(u'Enable migration mode'),
+ ),
+ parameters.DNParam(
+ 'ipacertificatesubjectbase',
+ label=_(u'Certificate Subject base'),
+ doc=_(u'Base for certificate subjects (OU=Test,O=Example)'),
+ ),
+ parameters.Str(
+ 'ipagroupobjectclasses',
+ multivalue=True,
+ label=_(u'Default group objectclasses'),
+ doc=_(u'Default group objectclasses (comma-separated list)'),
+ ),
+ parameters.Str(
+ 'ipauserobjectclasses',
+ multivalue=True,
+ label=_(u'Default user objectclasses'),
+ doc=_(u'Default user objectclasses (comma-separated list)'),
+ ),
+ parameters.Int(
+ 'ipapwdexpadvnotify',
+ label=_(u'Password Expiration Notification (days)'),
+ doc=_(u"Number of days's notice of impending password expiration"),
+ ),
+ parameters.Str(
+ 'ipaconfigstring',
+ required=False,
+ multivalue=True,
+ label=_(u'Password plugin features'),
+ doc=_(u'Extra hashes to generate in password plug-in'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermaporder',
+ label=_(u'SELinux user map order'),
+ doc=_(u'Order in increasing priority of SELinux users, delimited by $'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermapdefault',
+ required=False,
+ label=_(u'Default SELinux user'),
+ doc=_(u'Default SELinux user when no match is found in SELinux map rule'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ label=_(u'Default PAC types'),
+ doc=_(u'Default types of PAC supported for services'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ label=_(u'Default user authentication types'),
+ doc=_(u'Default types of supported user authentication'),
+ ),
+ )
+
+
+@register()
+class config_mod(Method):
+ __doc__ = _("Modify configuration options.")
+
+ takes_options = (
+ parameters.Int(
+ 'ipamaxusernamelength',
+ required=False,
+ cli_name='maxusername',
+ label=_(u'Maximum username length'),
+ ),
+ parameters.Str(
+ 'ipahomesrootdir',
+ required=False,
+ cli_name='homedirectory',
+ label=_(u'Home directory base'),
+ doc=_(u'Default location of home directories'),
+ ),
+ parameters.Str(
+ 'ipadefaultloginshell',
+ required=False,
+ cli_name='defaultshell',
+ label=_(u'Default shell'),
+ doc=_(u'Default shell for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultprimarygroup',
+ required=False,
+ cli_name='defaultgroup',
+ label=_(u'Default users group'),
+ doc=_(u'Default group for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultemaildomain',
+ required=False,
+ cli_name='emaildomain',
+ label=_(u'Default e-mail domain'),
+ ),
+ parameters.Int(
+ 'ipasearchtimelimit',
+ required=False,
+ cli_name='searchtimelimit',
+ label=_(u'Search time limit'),
+ doc=_(u'Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'ipasearchrecordslimit',
+ required=False,
+ cli_name='searchrecordslimit',
+ label=_(u'Search size limit'),
+ doc=_(u'Maximum number of records to search (-1 or 0 is unlimited)'),
+ ),
+ parameters.Str(
+ 'ipausersearchfields',
+ required=False,
+ cli_name='usersearch',
+ label=_(u'User search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for users'),
+ ),
+ parameters.Str(
+ 'ipagroupsearchfields',
+ required=False,
+ cli_name='groupsearch',
+ label=_(u'Group search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for groups'),
+ ),
+ parameters.Bool(
+ 'ipamigrationenabled',
+ required=False,
+ cli_name='enable_migration',
+ label=_(u'Enable migration mode'),
+ ),
+ parameters.Str(
+ 'ipagroupobjectclasses',
+ required=False,
+ multivalue=True,
+ cli_name='groupobjectclasses',
+ label=_(u'Default group objectclasses'),
+ doc=_(u'Default group objectclasses (comma-separated list)'),
+ ),
+ parameters.Str(
+ 'ipauserobjectclasses',
+ required=False,
+ multivalue=True,
+ cli_name='userobjectclasses',
+ label=_(u'Default user objectclasses'),
+ doc=_(u'Default user objectclasses (comma-separated list)'),
+ ),
+ parameters.Int(
+ 'ipapwdexpadvnotify',
+ required=False,
+ cli_name='pwdexpnotify',
+ label=_(u'Password Expiration Notification (days)'),
+ doc=_(u"Number of days's notice of impending password expiration"),
+ ),
+ parameters.Str(
+ 'ipaconfigstring',
+ required=False,
+ multivalue=True,
+ cli_metavar="['AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs']",
+ label=_(u'Password plugin features'),
+ doc=_(u'Extra hashes to generate in password plug-in'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermaporder',
+ required=False,
+ label=_(u'SELinux user map order'),
+ doc=_(u'Order in increasing priority of SELinux users, delimited by $'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermapdefault',
+ required=False,
+ label=_(u'Default SELinux user'),
+ doc=_(u'Default SELinux user when no match is found in SELinux map rule'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'nfs:NONE']",
+ label=_(u'Default PAC types'),
+ doc=_(u'Default types of PAC supported for services'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp', 'disabled']",
+ label=_(u'Default user authentication types'),
+ doc=_(u'Default types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class config_show(Method):
+ __doc__ = _("Show the current configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
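Review bot: The `ipaconfigstring` option in `config_mod` is documented as `Extra hashes to generate in password plug-in`, but its `cli_metavar` lists `KDC:Disable Last Success`, `KDC:Disable Lockout` and `KDC:Disable Default Preauth for SPNs`, which by their names change KDC behaviour rather than hash generation. An administrator reading the help text gets no hint that this option can touch lockout or pre-authentication, so I would broaden the wording, for example `doc=_(u'Password plug-in and KDC feature switches')`, in both `config` and `config_mod`. The string `Number of days's notice of impending password expiration` in the same two classes should read `Number of days' notice ...`. If this file is a generated snapshot of the server API, both corrections belong in the source plugin rather than here.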
diff --git a/ipaclient/remote_plugins/2_164/delegation.py b/ipaclient/remote_plugins/2_164/delegation.py
new file mode 100644
index 000000000..87496117f
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/delegation.py
@@ -0,0 +1,383 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Group to Group Delegation
+
+A permission enables fine-grained delegation of permissions. Access Control
+Rules, or instructions (ACIs), grant permission to permissions to perform
+given tasks such as adding a user, modifying a group, etc.
+
+Group to Group Delegations grants the members of one group to update a set
+of attributes of members of another group.
+
+EXAMPLES:
+
+ Add a delegation rule to allow managers to edit employee's addresses:
+ ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"
+
+ When managing the list of attributes you need to include all attributes
+ in the list, including existing ones. Add postalCode to the list:
+ ipa delegation-mod --attrs=street --attrs=postalCode --group=managers --membergroup=employees "managers edit employees' street"
+
+ Display our updated rule:
+ ipa delegation-show "managers edit employees' street"
+
+ Delete a rule:
+ ipa delegation-del "managers edit employees' street"
+""")
+
+register = Registry()
+
+
+@register()
+class delegation(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'Delegation name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ ),
+ parameters.Str(
+ 'memberof',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ )
+
+
+@register()
+class delegation_add(Method):
+ __doc__ = _("Add a new delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_del(Method):
+ __doc__ = _("Delete a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_find(Method):
+ __doc__ = _("Search for delegations.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class delegation_mod(Method):
+ __doc__ = _("Modify a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the delegation applies'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_show(Method):
+ __doc__ = _("Display information about a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
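Review bot: The help strings for `group` (`User group ACI grants access to`) and `memberof` (`User group to apply delegation to`) do not say which group receives the rights and which group's entries become editable; the only way to tell is the docstring example `--group=managers --membergroup=employees "managers edit employees' street"`. For an access-control command that ambiguity invites swapped arguments, so I would reword them along the lines of `doc=_(u'User group whose members are granted the access')` for `group` and `doc=_(u'User group whose members the delegation applies to')` for `memberof`, in `delegation`, `delegation_add`, `delegation_find` and `delegation_mod`. The module docstring sentence `grant permission to permissions to perform given tasks` also reads as garbled and could be tightened while touching these strings.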
diff --git a/ipaclient/remote_plugins/2_164/dns.py b/ipaclient/remote_plugins/2_164/dns.py
new file mode 100644
index 000000000..b07a94f19
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/dns.py
@@ -0,0 +1,5167 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Domain Name System (DNS)
+
+Manage DNS zone and resource records.
+
+SUPPORTED ZONE TYPES
+
+ * Master zone (dnszone-*), contains authoritative data.
+ * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders
+ (a set of DNS servers).
+
+USING STRUCTURED PER-TYPE OPTIONS
+
+There are many structured DNS RR types where DNS data stored in LDAP server
+is not just a scalar value, for example an IP address or a domain name, but
+a data structure which may be often complex. A good example is a LOC record
+[RFC1876] which consists of many mandatory and optional parts (degrees,
+minutes, seconds of latitude and longitude, altitude or precision).
+
+It may be difficult to manipulate such DNS records without making a mistake
+and entering an invalid value. DNS module provides an abstraction over these
+raw records and allows to manipulate each RR type with specific options. For
+each supported RR type, DNS module provides a standard option to manipulate
+a raw records with format --<rrtype>-rec, e.g. --mx-rec, and special options
+for every part of the RR structure with format --<rrtype>-<partname>, e.g.
+--mx-preference and --mx-exchanger.
+
+When adding a record, either RR specific options or standard option for a raw
+value can be used, they just should not be combined in one add operation. When
+modifying an existing entry, new RR specific options can be used to change
+one part of a DNS record, where the standard option for raw value is used
+to specify the modified value. The following example demonstrates
+a modification of MX record preference from 0 to 1 in a record without
+modifying the exchanger:
+ipa dnsrecord-mod --mx-rec="0 mx.example.com." --mx-preference=1
+
+
+EXAMPLES:
+
+ Add new zone:
+ ipa dnszone-add example.com --admin-email=admin@example.com
+
+ Add system permission that can be used for per-zone privilege delegation:
+ ipa dnszone-add-permission example.com
+
+ Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
+ ipa dnszone-mod example.com --dynamic-update=TRUE
+
+ This is the equivalent of:
+ ipa dnszone-mod example.com --dynamic-update=TRUE \
+ --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
+
+ Modify the zone to allow zone transfers for local network only:
+ ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24
+
+ Add new reverse zone specified by network IP address:
+ ipa dnszone-add --name-from-ip=192.0.2.0/24
+
+ Add second nameserver for example.com:
+ ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com
+
+ Add a mail server for example.com:
+ ipa dnsrecord-add example.com @ --mx-rec="10 mail1"
+
+ Add another record using MX record specific options:
+ ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2
+
+ Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod,
+ or dnsrecord-del are executed with no options):
+ ipa dnsrecord-add example.com @
+ Please choose a type of DNS resource record to be added
+ The most common types for this type of zone are: NS, MX, LOC
+
+ DNS resource record type: MX
+ MX Preference: 30
+ MX Exchanger: mail3
+ Record name: example.com
+ MX record: 10 mail1, 20 mail2, 30 mail3
+ NS record: nameserver.example.com., nameserver2.example.com.
+
+ Delete previously added nameserver from example.com:
+ ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.
+
+ Add LOC record for example.com:
+ ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m"
+
+ Add new A record for www.example.com. Create a reverse record in appropriate
+ reverse zone as well. In this case a PTR record "2" pointing to www.example.com
+ will be created in zone 2.0.192.in-addr.arpa.
+ ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse
+
+ Add new PTR record for www.example.com
+ ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.
+
+ Add new SRV records for LDAP servers. Three quarters of the requests
+ should go to fast.example.com, one quarter to slow.example.com. If neither
+ is available, switch to backup.example.com.
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com"
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com"
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"
+
+ The interactive mode can be used for easy modification:
+ ipa dnsrecord-mod example.com _ldap._tcp
+ No option to modify specific record provided.
+ Current DNS record contents:
+
+ SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com
+
+ Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No):
+ Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y
+ SRV Priority [0]: (keep the default value)
+ SRV Weight [1]: 2 (modified value)
+ SRV Port [389]: (keep the default value)
+ SRV Target [slow.example.com]: (keep the default value)
+ 1 SRV record skipped. Only one value per DNS record type can be modified at one time.
+ Record name: _ldap._tcp
+ SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com
+
+ After this modification, three fifths of the requests should go to
+ fast.example.com and two fifths to slow.example.com.
+
+ An example of the interactive mode for dnsrecord-del command:
+ ipa dnsrecord-del example.com www
+ No option to delete specific record provided.
+ Delete all? Yes/No (default No): (do not delete all records)
+ Current DNS record contents:
+
+ A record: 192.0.2.2, 192.0.2.3
+
+ Delete A record '192.0.2.2'? Yes/No (default No):
+ Delete A record '192.0.2.3'? Yes/No (default No): y
+ Record name: www
+ A record: 192.0.2.2 (A record 192.0.2.3 has been deleted)
+
+ Show zone example.com:
+ ipa dnszone-show example.com
+
+ Find zone with "example" in its domain name:
+ ipa dnszone-find example
+
+ Find records for resources with "www" in their name in zone example.com:
+ ipa dnsrecord-find example.com www
+
+ Find A records with value 192.0.2.2 in zone example.com
+ ipa dnsrecord-find example.com --a-rec=192.0.2.2
+
+ Show records for resource www in zone example.com
+ ipa dnsrecord-show example.com www
+
+ Delegate zone sub.example to another nameserver:
+ ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
+ ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
+
+ Delete zone example.com with all resource records:
+ ipa dnszone-del example.com
+
+ If a global forwarder is configured, all queries for which this server is not
+ authoritative (e.g. sub.example.com) will be routed to the global forwarder.
+ Global forwarding configuration can be overridden per-zone.
+
+ Semantics of forwarding in IPA matches BIND semantics and depends on the type
+ of zone:
+ * Master zone: local BIND replies authoritatively to queries for data in
+ the given zone (including authoritative NXDOMAIN answers) and forwarding
+ affects only queries for names below zone cuts (NS records) of locally
+ served zones.
+
+ * Forward zone: forward zone contains no authoritative data. BIND forwards
+ queries, which cannot be answered from its local cache, to configured
+ forwarders.
+
+ Semantics of the --forwarder-policy option:
+ * none - disable forwarding for the given zone.
+ * first - forward all queries to configured forwarders. If they fail,
+ do resolution using DNS root servers.
+ * only - forward all queries to configured forwarders and if they fail,
+ return failure.
+
+ Disable global forwarding for given sub-tree:
+ ipa dnszone-mod example.com --forward-policy=none
+
+ This configuration forwards all queries for names outside the example.com
+ sub-tree to global forwarders. Normal recursive resolution process is used
+ for names inside the example.com sub-tree (i.e. NS records are followed etc.).
+
+ Forward all requests for the zone external.example.com to another forwarder
+ using a "first" policy (it will send the queries to the selected forwarder
+ and if not answered it will use global root servers):
+ ipa dnsforwardzone-add external.example.com --forward-policy=first \
+ --forwarder=203.0.113.1
+
+ Change forward-policy for external.example.com:
+ ipa dnsforwardzone-mod external.example.com --forward-policy=only
+
+ Show forward zone external.example.com:
+ ipa dnsforwardzone-show external.example.com
+
+ List all forward zones:
+ ipa dnsforwardzone-find
+
+ Delete forward zone external.example.com:
+ ipa dnsforwardzone-del external.example.com
+
+ Resolve a host name to see if it exists (will add default IPA domain
+ if one is not included):
+ ipa dns-resolve www.example.com
+ ipa dns-resolve www
+
+
+GLOBAL DNS CONFIGURATION
+
+DNS configuration passed to command line install script is stored in a local
+configuration file on each IPA server where DNS service is configured. These
+local settings can be overridden with a common configuration stored in LDAP
+server:
+
+ Show global DNS configuration:
+ ipa dnsconfig-show
+
+ Modify global DNS configuration and set a list of global forwarders:
+ ipa dnsconfig-mod --forwarder=203.0.113.113
+""")
+
+register = Registry()
+
+
+@register()
+class dnsconfig(Object):
+ takes_params = (
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Global forwarders'),
+ doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'),
+ ),
+ parameters.Int(
+ 'idnszonerefresh',
+ required=False,
+ label=_(u'Zone refresh interval'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone(Object):
+ takes_params = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ )
+
+
+@register()
+class dnsrecord(Object):
+ takes_params = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Record name'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ ),
+ parameters.Str(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+ ),
+ parameters.Str(
+ 'dnstype',
+ required=False,
+ label=_(u'Record type'),
+ ),
+ parameters.Str(
+ 'dnsdata',
+ required=False,
+ label=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'a_extra_create_reverse',
+ required=False,
+ label=_(u'A Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'aaaa_extra_create_reverse',
+ required=False,
+ label=_(u'AAAA Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.DNSNameParam(
+ 'afsdb_part_hostname',
+ required=False,
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'cname_part_hostname',
+ required=False,
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Int(
+ 'dlv_part_key_tag',
+ required=False,
+ label=_(u'DLV Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'dlv_part_algorithm',
+ required=False,
+ label=_(u'DLV Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'dlv_part_digest_type',
+ required=False,
+ label=_(u'DLV Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'dlv_part_digest',
+ required=False,
+ label=_(u'DLV Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'dname_part_target',
+ required=False,
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'kx_part_exchanger',
+ required=False,
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'mx_part_exchanger',
+ required=False,
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.DNSNameParam(
+ 'ns_part_hostname',
+ required=False,
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.DNSNameParam(
+ 'ptr_part_hostname',
+ required=False,
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.DNSNameParam(
+ 'srv_part_target',
+ required=False,
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Int(
+ 'tlsa_part_cert_usage',
+ required=False,
+ label=_(u'TLSA Certificate Usage'),
+ doc=_(u'Certificate Usage'),
+ ),
+ parameters.Int(
+ 'tlsa_part_selector',
+ required=False,
+ label=_(u'TLSA Selector'),
+ doc=_(u'Selector'),
+ ),
+ parameters.Int(
+ 'tlsa_part_matching_type',
+ required=False,
+ label=_(u'TLSA Matching Type'),
+ doc=_(u'Matching Type'),
+ ),
+ parameters.Str(
+ 'tlsa_part_cert_association_data',
+ required=False,
+ label=_(u'TLSA Certificate Association Data'),
+ doc=_(u'Certificate Association Data'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ )
+
+
+@register()
+class dnszone(Object):
+ takes_params = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ label=_(u'Administrator e-mail address'),
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ label=_(u'BIND update policy'),
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ )
+
+
+@register()
+class dns_is_enabled(Command):
+ __doc__ = _("Checks if any of the servers has the DNS service enabled.")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dns_resolve(Command):
+ __doc__ = _("Resolve a host name in DNS. (Deprecated)")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'hostname',
+ label=_(u'Hostname (FQDN)'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsconfig_mod(Method):
+ __doc__ = _("Modify global DNS configuration.")
+
+ takes_options = (
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Global forwarders'),
+ doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'),
+ ),
+ parameters.Int(
+ 'idnszonerefresh',
+ required=False,
+ deprecated=True,
+ cli_name='zone_refresh',
+ label=_(u'Zone refresh interval'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsconfig_show(Method):
+ __doc__ = _("Show the current global DNS configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_add(Method):
+ __doc__ = _("Create new DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'skip_overlap_check',
+ doc=_(u'Force DNS zone creation even if it will overlap with an existing zone.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_add_permission(Method):
+ __doc__ = _("Add a permission for per-forward zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_del(Method):
+ __doc__ = _("Delete DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_disable(Method):
+ __doc__ = _("Disable DNS Forward Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_enable(Method):
+ __doc__ = _("Enable DNS Forward Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_find(Method):
+ __doc__ = _("Search for DNS forward zones.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ cli_name='zone_active',
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_mod(Method):
+ __doc__ = _("Modify DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_remove_permission(Method):
+ __doc__ = _("Remove a permission for per-forward zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnsforwardzone_show(Method):
+ __doc__ = _("Display information about a DNS forward zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_add(Method):
+ __doc__ = _("Add new DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ option_group=u'A Record',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ cli_name='a_ip_address',
+ option_group=u'A Record',
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'a_extra_create_reverse',
+ required=False,
+ cli_name='a_create_reverse',
+ option_group=u'A Record',
+ label=_(u'A Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ cli_name='aaaa_ip_address',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'aaaa_extra_create_reverse',
+ required=False,
+ cli_name='aaaa_create_reverse',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ option_group=u'A6 Record',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ cli_name='a6_data',
+ option_group=u'A6 Record',
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ cli_name='afsdb_subtype',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.DNSNameParam(
+ 'afsdb_part_hostname',
+ required=False,
+ cli_name='afsdb_hostname',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ option_group=u'APL Record',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ option_group=u'CERT Record',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ cli_name='cert_type',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ cli_name='cert_key_tag',
+ option_group=u'CERT Record',
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ cli_name='cert_algorithm',
+ option_group=u'CERT Record',
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ cli_name='cert_certificate_or_crl',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'cname_part_hostname',
+ required=False,
+ cli_name='cname_hostname',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ option_group=u'DHCID Record',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ option_group=u'DLV Record',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Int(
+ 'dlv_part_key_tag',
+ required=False,
+ cli_name='dlv_key_tag',
+ option_group=u'DLV Record',
+ label=_(u'DLV Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'dlv_part_algorithm',
+ required=False,
+ cli_name='dlv_algorithm',
+ option_group=u'DLV Record',
+ label=_(u'DLV Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'dlv_part_digest_type',
+ required=False,
+ cli_name='dlv_digest_type',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'dlv_part_digest',
+ required=False,
+ cli_name='dlv_digest',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'dname_part_target',
+ required=False,
+ cli_name='dname_target',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ option_group=u'DS Record',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ cli_name='ds_key_tag',
+ option_group=u'DS Record',
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ cli_name='ds_algorithm',
+ option_group=u'DS Record',
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ cli_name='ds_digest_type',
+ option_group=u'DS Record',
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ cli_name='ds_digest',
+ option_group=u'DS Record',
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ option_group=u'HIP Record',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ option_group=u'IPSECKEY Record',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ option_group=u'KEY Record',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ option_group=u'KX Record',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ cli_name='kx_preference',
+ option_group=u'KX Record',
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'kx_part_exchanger',
+ required=False,
+ cli_name='kx_exchanger',
+ option_group=u'KX Record',
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ option_group=u'LOC Record',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ cli_name='loc_lat_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ cli_name='loc_lat_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ cli_name='loc_lat_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ cli_name='loc_lat_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['N', 'S']",
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ cli_name='loc_lon_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ cli_name='loc_lon_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ cli_name='loc_lon_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ cli_name='loc_lon_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['E', 'W']",
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ cli_name='loc_altitude',
+ option_group=u'LOC Record',
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ cli_name='loc_size',
+ option_group=u'LOC Record',
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ cli_name='loc_h_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ cli_name='loc_v_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ option_group=u'MX Record',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ cli_name='mx_preference',
+ option_group=u'MX Record',
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'mx_part_exchanger',
+ required=False,
+ cli_name='mx_exchanger',
+ option_group=u'MX Record',
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ cli_name='naptr_order',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ cli_name='naptr_preference',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ cli_name='naptr_flags',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ cli_name='naptr_service',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ cli_name='naptr_regexp',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ cli_name='naptr_replacement',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ option_group=u'NS Record',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.DNSNameParam(
+ 'ns_part_hostname',
+ required=False,
+ cli_name='ns_hostname',
+ option_group=u'NS Record',
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ option_group=u'PTR Record',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.DNSNameParam(
+ 'ptr_part_hostname',
+ required=False,
+ cli_name='ptr_hostname',
+ option_group=u'PTR Record',
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ option_group=u'RP Record',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ option_group=u'SIG Record',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ option_group=u'SPF Record',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ option_group=u'SRV Record',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ cli_name='srv_priority',
+ option_group=u'SRV Record',
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ cli_name='srv_weight',
+ option_group=u'SRV Record',
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ cli_name='srv_port',
+ option_group=u'SRV Record',
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.DNSNameParam(
+ 'srv_part_target',
+ required=False,
+ cli_name='srv_target',
+ option_group=u'SRV Record',
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ cli_name='sshfp_algorithm',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ cli_name='sshfp_fp_type',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ cli_name='sshfp_fingerprint',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Int(
+ 'tlsa_part_cert_usage',
+ required=False,
+ cli_name='tlsa_cert_usage',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Usage'),
+ doc=_(u'Certificate Usage'),
+ ),
+ parameters.Int(
+ 'tlsa_part_selector',
+ required=False,
+ cli_name='tlsa_selector',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Selector'),
+ doc=_(u'Selector'),
+ ),
+ parameters.Int(
+ 'tlsa_part_matching_type',
+ required=False,
+ cli_name='tlsa_matching_type',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Matching Type'),
+ doc=_(u'Matching Type'),
+ ),
+ parameters.Str(
+ 'tlsa_part_cert_association_data',
+ required=False,
+ cli_name='tlsa_cert_association_data',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Association Data'),
+ doc=_(u'Certificate Association Data'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ option_group=u'TXT Record',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ cli_name='txt_data',
+ option_group=u'TXT Record',
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force NS record creation even if its hostname is not in DNS'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_del(Method):
+ __doc__ = _("Delete DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Flag(
+ 'del_all',
+ label=_(u'Delete all associated records'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsrecord_delentry(Method):
+ __doc__ = _("Delete DNS record entry.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsrecord_find(Method):
+ __doc__ = _("Search for DNS resources.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnsrecord_mod(Method):
+ __doc__ = _("Modify a DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ option_group=u'A Record',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ cli_name='a_ip_address',
+ option_group=u'A Record',
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ cli_name='aaaa_ip_address',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ option_group=u'A6 Record',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ cli_name='a6_data',
+ option_group=u'A6 Record',
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ cli_name='afsdb_subtype',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.DNSNameParam(
+ 'afsdb_part_hostname',
+ required=False,
+ cli_name='afsdb_hostname',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ option_group=u'APL Record',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ option_group=u'CERT Record',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ cli_name='cert_type',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ cli_name='cert_key_tag',
+ option_group=u'CERT Record',
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ cli_name='cert_algorithm',
+ option_group=u'CERT Record',
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ cli_name='cert_certificate_or_crl',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'cname_part_hostname',
+ required=False,
+ cli_name='cname_hostname',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ option_group=u'DHCID Record',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ option_group=u'DLV Record',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Int(
+ 'dlv_part_key_tag',
+ required=False,
+ cli_name='dlv_key_tag',
+ option_group=u'DLV Record',
+ label=_(u'DLV Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'dlv_part_algorithm',
+ required=False,
+ cli_name='dlv_algorithm',
+ option_group=u'DLV Record',
+ label=_(u'DLV Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'dlv_part_digest_type',
+ required=False,
+ cli_name='dlv_digest_type',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'dlv_part_digest',
+ required=False,
+ cli_name='dlv_digest',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'dname_part_target',
+ required=False,
+ cli_name='dname_target',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ option_group=u'DS Record',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ cli_name='ds_key_tag',
+ option_group=u'DS Record',
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ cli_name='ds_algorithm',
+ option_group=u'DS Record',
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ cli_name='ds_digest_type',
+ option_group=u'DS Record',
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ cli_name='ds_digest',
+ option_group=u'DS Record',
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ option_group=u'HIP Record',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ option_group=u'IPSECKEY Record',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ option_group=u'KEY Record',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ option_group=u'KX Record',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ cli_name='kx_preference',
+ option_group=u'KX Record',
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'kx_part_exchanger',
+ required=False,
+ cli_name='kx_exchanger',
+ option_group=u'KX Record',
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ option_group=u'LOC Record',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ cli_name='loc_lat_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ cli_name='loc_lat_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ cli_name='loc_lat_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ cli_name='loc_lat_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['N', 'S']",
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ cli_name='loc_lon_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ cli_name='loc_lon_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ cli_name='loc_lon_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ cli_name='loc_lon_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['E', 'W']",
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ cli_name='loc_altitude',
+ option_group=u'LOC Record',
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ cli_name='loc_size',
+ option_group=u'LOC Record',
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ cli_name='loc_h_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ cli_name='loc_v_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ option_group=u'MX Record',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ cli_name='mx_preference',
+ option_group=u'MX Record',
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'mx_part_exchanger',
+ required=False,
+ cli_name='mx_exchanger',
+ option_group=u'MX Record',
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ cli_name='naptr_order',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ cli_name='naptr_preference',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ cli_name='naptr_flags',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ cli_name='naptr_service',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ cli_name='naptr_regexp',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ cli_name='naptr_replacement',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ option_group=u'NS Record',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.DNSNameParam(
+ 'ns_part_hostname',
+ required=False,
+ cli_name='ns_hostname',
+ option_group=u'NS Record',
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ option_group=u'PTR Record',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.DNSNameParam(
+ 'ptr_part_hostname',
+ required=False,
+ cli_name='ptr_hostname',
+ option_group=u'PTR Record',
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ option_group=u'RP Record',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ option_group=u'SIG Record',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ option_group=u'SPF Record',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ option_group=u'SRV Record',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ cli_name='srv_priority',
+ option_group=u'SRV Record',
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ cli_name='srv_weight',
+ option_group=u'SRV Record',
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ cli_name='srv_port',
+ option_group=u'SRV Record',
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.DNSNameParam(
+ 'srv_part_target',
+ required=False,
+ cli_name='srv_target',
+ option_group=u'SRV Record',
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ cli_name='sshfp_algorithm',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ cli_name='sshfp_fp_type',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ cli_name='sshfp_fingerprint',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Int(
+ 'tlsa_part_cert_usage',
+ required=False,
+ cli_name='tlsa_cert_usage',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Usage'),
+ doc=_(u'Certificate Usage'),
+ ),
+ parameters.Int(
+ 'tlsa_part_selector',
+ required=False,
+ cli_name='tlsa_selector',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Selector'),
+ doc=_(u'Selector'),
+ ),
+ parameters.Int(
+ 'tlsa_part_matching_type',
+ required=False,
+ cli_name='tlsa_matching_type',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Matching Type'),
+ doc=_(u'Matching Type'),
+ ),
+ parameters.Str(
+ 'tlsa_part_cert_association_data',
+ required=False,
+ cli_name='tlsa_cert_association_data',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Association Data'),
+ doc=_(u'Certificate Association Data'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ option_group=u'TXT Record',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ cli_name='txt_data',
+ option_group=u'TXT Record',
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.DNSNameParam(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the DNS resource record object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_show(Method):
+ __doc__ = _("Display DNS resource.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_add(Method):
+ __doc__ = _("Create new DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default=DNSName(u'hostmaster'),
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ autofill=True,
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ cli_name='dnssec',
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ default=False,
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'skip_overlap_check',
+ doc=_(u'Force DNS zone creation even if it will overlap with an existing zone.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ doc=_(u'Force DNS zone creation even if nameserver is not resolvable. (Deprecated)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'skip_nameserver_check',
+ doc=_(u'Force DNS zone creation even if nameserver is not resolvable.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ip_address',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_add_permission(Method):
+ __doc__ = _("Add a permission for per-zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnszone_del(Method):
+ __doc__ = _("Delete DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnszone_disable(Method):
+ __doc__ = _("Disable DNS Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_enable(Method):
+ __doc__ = _("Enable DNS Zone.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_find(Method):
+ __doc__ = _("Search for DNS zones (SOA records).")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ cli_name='zone_active',
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ required=False,
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default=DNSName(u'hostmaster'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ required=False,
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ required=False,
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ required=False,
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ required=False,
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ no_convert=True,
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ cli_name='dnssec',
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ default=False,
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'forward_only',
+ label=_(u'Forward zones only'),
+ doc=_(u'Search for forward zones only'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnszone_mod(Method):
+ __doc__ = _("Modify DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.DNSNameParam(
+ 'idnssoarname',
+ required=False,
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default=DNSName(u'hostmaster'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ required=False,
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ required=False,
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ required=False,
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ required=False,
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ doc=_(u'Time to live for records at zone apex'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ no_convert=True,
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Bool(
+ 'idnssecinlinesigning',
+ required=False,
+ cli_name='dnssec',
+ label=_(u'Allow in-line DNSSEC signing'),
+ doc=_(u'Allow inline DNSSEC signing of records in the zone'),
+ default=False,
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'Force nameserver change even if nameserver not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_remove_permission(Method):
+ __doc__ = _("Remove a permission for per-zone access delegation.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u'Permission value'),
+ ),
+ )
+
+
+@register()
+class dnszone_show(Method):
+ __doc__ = _("Display information about a DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/domainlevel.py b/ipaclient/remote_plugins/2_164/domainlevel.py
new file mode 100644
index 000000000..bca5262ba
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/domainlevel.py
@@ -0,0 +1,60 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Raise the IPA Domain Level.
+""")
+
+register = Registry()
+
+
+@register()
+class domainlevel_get(Command):
+ __doc__ = _("Query current Domain Level.")
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ int,
+ doc=_(u'Current domain level:'),
+ ),
+ )
+
+
+@register()
+class domainlevel_set(Command):
+ __doc__ = _("Change current Domain Level.")
+
+ takes_args = (
+ parameters.Int(
+ 'ipadomainlevel',
+ cli_name='level',
+ label=_(u'Domain Level'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ int,
+ doc=_(u'Current domain level:'),
+ ),
+ )
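Review bot: The `ipadomainlevel` argument of `domainlevel_set` is declared as a bare `parameters.Int` with only `cli_name` and `label`, so this client-side definition carries no help text and no range bound; any integer is passed on, and range checking is left entirely to the server. The module docstring speaks only of raising the level, which suggests the change may be one-way, so the parameter should at least say what it does, e.g. `doc=_(u'Domain level to set'),`. If the server-side definition bounds the value, mirroring it here with `minvalue=0,` would reject a negative level before the RPC is sent. Both `domainlevel_get` and `domainlevel_set` also reuse the output doc `u'Current domain level:'`; for the set command a text that says it is the level after the change would read better.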
diff --git a/ipaclient/remote_plugins/2_164/group.py b/ipaclient/remote_plugins/2_164/group.py
new file mode 100644
index 000000000..ed57c4caa
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/group.py
@@ -0,0 +1,912 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of users
+
+Manage groups of users. By default, new groups are POSIX groups. You
+can add the --nonposix option to the group-add command to mark a new group
+as non-POSIX. You can use the --posix argument with the group-mod command
+to convert a non-POSIX group into a POSIX group. POSIX groups cannot be
+converted to non-POSIX groups.
+
+Every group must have a description.
+
+POSIX groups must have a Group ID (GID) number. Changing a GID is
+supported but can have an impact on your file permissions. It is not necessary
+to supply a GID when creating a group. IPA will generate one automatically
+if it is not provided.
+
+EXAMPLES:
+
+ Add a new group:
+ ipa group-add --desc='local administrators' localadmins
+
+ Add a new non-POSIX group:
+ ipa group-add --nonposix --desc='remote administrators' remoteadmins
+
+ Convert a non-POSIX group to posix:
+ ipa group-mod --posix remoteadmins
+
+ Add a new POSIX group with a specific Group ID number:
+ ipa group-add --gid=500 --desc='unix admins' unixadmins
+
+ Add a new POSIX group and let IPA assign a Group ID number:
+ ipa group-add --desc='printer admins' printeradmins
+
+ Remove a group:
+ ipa group-del unixadmins
+
+ To add the "remoteadmins" group to the "localadmins" group:
+ ipa group-add-member --groups=remoteadmins localadmins
+
+ Add multiple users to the "localadmins" group:
+ ipa group-add-member --users=test1 --users=test2 localadmins
+
+ Remove a user from the "localadmins" group:
+ ipa group-remove-member --users=test2 localadmins
+
+ Display information about a named group.
+ ipa group-show localadmins
+
+External group membership is designed to allow users from trusted domains
+to be mapped to local POSIX groups in order to actually use IPA resources.
+External members should be added to groups that specifically created as
+external and non-POSIX. Such group later should be included into one of POSIX
+groups.
+
+An external group member is currently a Security Identifier (SID) as defined by
+the trusted domain. When adding external group members, it is possible to
+specify them in either SID, or DOM\name, or name@domain format. IPA will attempt
+to resolve passed name to SID with the use of Global Catalog of the trusted domain.
+
+Example:
+
+1. Create group for the trusted domain admins' mapping and their local POSIX group:
+
+ ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
+ ipa group-add --desc='<ad.domain> admins' ad_admins
+
+2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
+ group:
+
+ ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
+
+3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+
+ ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their SIDs:
+
+ ipa group-show ad_admins_external
+""")
+
+register = Registry()
+
+
+@register()
+class group(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Group name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'member_user',
+ required=False,
+ label=_(u'Member users'),
+ ),
+ parameters.Str(
+ 'member_group',
+ required=False,
+ label=_(u'Member groups'),
+ ),
+ parameters.Str(
+ 'memberof_group',
+ required=False,
+ label=_(u'Member of groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberindirect_user',
+ required=False,
+ label=_(u'Indirect Member users'),
+ ),
+ parameters.Str(
+ 'memberindirect_group',
+ required=False,
+ label=_(u'Indirect Member groups'),
+ ),
+ parameters.Str(
+ 'memberofindirect_group',
+ required=False,
+ label=_(u'Indirect Member of group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ )
+
+
+@register()
+class group_add(Method):
+ __doc__ = _("Create a new group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'nonposix',
+ doc=_(u'Create as a non-POSIX group'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'Allow adding external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_add_member(Method):
+ __doc__ = _("Add members to a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaexternalmember',
+ required=False,
+ multivalue=True,
+ cli_name='external',
+ label=_(u'External member'),
+ doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class group_del(Method):
+ __doc__ = _("Delete group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class group_detach(Method):
+ __doc__ = _("Detach a managed group from a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_find(Method):
+ __doc__ = _("Search for groups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'private',
+ doc=_(u'search for private groups'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'posix',
+ doc=_(u'search for POSIX groups'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'search for groups with support of external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'nonposix',
+ doc=_(u'search for non-POSIX groups'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("group-name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'user'),
+ doc=_(u'Search for groups with these member users.'),
+ ),
+ parameters.Str(
+ 'no_user',
+ required=False,
+ multivalue=True,
+ cli_name='no_users',
+ label=_(u'user'),
+ doc=_(u'Search for groups without these member users.'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups with these member groups.'),
+ ),
+ parameters.Str(
+ 'no_group',
+ required=False,
+ multivalue=True,
+ cli_name='no_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups without these member groups.'),
+ ),
+ parameters.Str(
+ 'in_group',
+ required=False,
+ multivalue=True,
+ cli_name='in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups with these member of groups.'),
+ ),
+ parameters.Str(
+ 'not_in_group',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups without these member of groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for groups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for groups without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for groups with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for groups without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for groups with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for groups without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for groups with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for groups without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class group_mod(Method):
+ __doc__ = _("Modify a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'posix',
+ doc=_(u'change to a POSIX group'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'change to support external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the group object'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_remove_member(Method):
+ __doc__ = _("Remove members from a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaexternalmember',
+ required=False,
+ multivalue=True,
+ cli_name='external',
+ label=_(u'External member'),
+ doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class group_show(Method):
+ __doc__ = _("Display information about a named group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
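Review bot: The module docstring is an ordinary triple-quoted string, not a raw one, so `DOM\name` in the external-member paragraph is parsed as `DOM`, a newline, then `ame`. `'AD\Domain Admins'` in step 2 only survives because `\D` is an unrecognised escape, which newer Python versions warn about. The option help further down already escapes it as `DOM\\name`, and the docstring should match: `specify them in either SID, or DOM\\name, or name@domain format` and `ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'`. Because the text is passed to `_()`, the altered string may also fail to match an existing translation msgid, though that cannot be confirmed from this hunk. If the file is generated, the fix belongs in the generator's string quoting.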
diff --git a/ipaclient/remote_plugins/2_164/hbacrule.py b/ipaclient/remote_plugins/2_164/hbacrule.py
new file mode 100644
index 000000000..567a1bb02
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/hbacrule.py
@@ -0,0 +1,1305 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Host-based access control
+
+Control who can access what services on what hosts. You
+can use HBAC to control which users or groups can
+access a service, or group of services, on a target host.
+
+You can also specify a category of users and target hosts.
+This is currently limited to "all", but might be expanded in the
+future.
+
+Target hosts in HBAC rules must be hosts managed by IPA.
+
+The available services and groups of services are controlled by the
+hbacsvc and hbacsvcgroup plug-ins respectively.
+
+EXAMPLES:
+
+ Create a rule, "test1", that grants all users access to the host "server" from
+ anywhere:
+ ipa hbacrule-add --usercat=all test1
+ ipa hbacrule-add-host --hosts=server.example.com test1
+
+ Display the properties of a named HBAC rule:
+ ipa hbacrule-show test1
+
+ Create a rule for a specific service. This lets the user john access
+ the sshd service on any machine from any machine:
+ ipa hbacrule-add --hostcat=all john_sshd
+ ipa hbacrule-add-user --users=john john_sshd
+ ipa hbacrule-add-service --hbacsvcs=sshd john_sshd
+
+ Create a rule for a new service group. This lets the user john access
+ the FTP service on any machine from any machine:
+ ipa hbacsvcgroup-add ftpers
+ ipa hbacsvc-add sftp
+ ipa hbacsvcgroup-add-member --hbacsvcs=ftp --hbacsvcs=sftp ftpers
+ ipa hbacrule-add --hostcat=all john_ftp
+ ipa hbacrule-add-user --users=john john_ftp
+ ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp
+
+ Disable a named HBAC rule:
+ ipa hbacrule-disable test1
+
+ Remove a named HBAC rule:
+ ipa hbacrule-del allow_server
+""")
+
+register = Registry()
+
+
+@register()
+class hbacrule(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'accessruletype',
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ ),
+ parameters.Str(
+ 'memberservice_hbacsvc',
+ required=False,
+ label=_(u'Services'),
+ ),
+ parameters.Str(
+ 'memberservice_hbacsvcgroup',
+ required=False,
+ label=_(u'Service Groups'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add(Method):
+ __doc__ = _("Create a new HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'accessruletype',
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_host(Method):
+ __doc__ = _("Add target hosts and hostgroups to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_service(Method):
+ __doc__ = _("Add services to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hbacsvcgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcgroups',
+ label=_(u'member HBAC service group'),
+ doc=_(u'HBAC service groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_sourcehost(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_user(Method):
+ __doc__ = _("Add users and groups to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_del(Method):
+ __doc__ = _("Delete an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacrule_disable(Method):
+ __doc__ = _("Disable an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_enable(Method):
+ __doc__ = _("Enable an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_find(Method):
+ __doc__ = _("Search for HBAC rules.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'accessruletype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacrule_mod(Method):
+ __doc__ = _("Modify an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'accessruletype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_service(Method):
+ __doc__ = _("Remove service and service groups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hbacsvcgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcgroups',
+ label=_(u'member HBAC service group'),
+ doc=_(u'HBAC service groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_sourcehost(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_user(Method):
+ __doc__ = _("Remove users and groups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_show(Method):
+ __doc__ = _("Display the properties of an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/hbacsvc.py b/ipaclient/remote_plugins/2_164/hbacsvc.py
new file mode 100644
index 000000000..0de241935
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/hbacsvc.py
@@ -0,0 +1,413 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Services
+
+The PAM services that HBAC can control access to. The name used here
+must match the service name that PAM is evaluating.
+
+EXAMPLES:
+
+ Add a new HBAC service:
+ ipa hbacsvc-add tftp
+
+ Modify an existing HBAC service:
+ ipa hbacsvc-mod --desc="TFTP service" tftp
+
+ Search for HBAC services. This example will return two results, the FTP
+ service and the newly-added tftp service:
+ ipa hbacsvc-find ftp
+
+ Delete an HBAC service:
+ ipa hbacsvc-del tftp
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvc(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'memberof_hbacsvcgroup',
+ required=False,
+ label=_(u'Member of HBAC service groups'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_add(Method):
+ __doc__ = _("Add a new HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_del(Method):
+ __doc__ = _("Delete an existing HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacsvc_find(Method):
+ __doc__ = _("Search for HBAC services.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("service")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_mod(Method):
+ __doc__ = _("Modify an HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_show(Method):
+ __doc__ = _("Display information about an HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
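Review bot: In `hbacsvc_find` the `timelimit` and `sizelimit` options are plain `parameters.Int` declarations with no lower bound, although their help text defines 0 as the "unlimited" value. A negative number therefore passes client-side validation and is left for the server to interpret or reject; how the server handles it is not visible in this diff. I would add `minvalue=0,` to both declarations so the CLI fails early with a clear message. `hbacsvcgroup_find` in the next file carries the same two declarations and would get the same change.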
diff --git a/ipaclient/remote_plugins/2_164/hbacsvcgroup.py b/ipaclient/remote_plugins/2_164/hbacsvcgroup.py
new file mode 100644
index 000000000..f713b2fe8
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/hbacsvcgroup.py
@@ -0,0 +1,528 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Service Groups
+
+HBAC service groups can contain any number of individual services,
+or "members". Every group must have a description.
+
+EXAMPLES:
+
+ Add a new HBAC service group:
+ ipa hbacsvcgroup-add --desc="login services" login
+
+ Add members to an HBAC service group:
+ ipa hbacsvcgroup-add-member --hbacsvcs=sshd --hbacsvcs=login login
+
+ Display information about a named group:
+ ipa hbacsvcgroup-show login
+
+ Delete an HBAC service group:
+ ipa hbacsvcgroup-del login
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvcgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service group name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'member_hbacsvc',
+ required=False,
+ label=_(u'Member HBAC service'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_add(Method):
+ __doc__ = _("Add a new HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_add_member(Method):
+ __doc__ = _("Add members to an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_del(Method):
+ __doc__ = _("Delete an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_find(Method):
+ __doc__ = _("Search for an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_mod(Method):
+ __doc__ = _("Modify an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_remove_member(Method):
+ __doc__ = _("Remove members from an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_show(Method):
+ __doc__ = _("Display information about an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
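Review bot: The module docstring says "Every group must have a description.", but `hbacsvcgroup_add` declares `description` with `required=False`, so the client accepts `ipa hbacsvcgroup-add login` without one. Either the help text is stale or the option should be mandatory; this hunk alone does not show which the server expects. If the description is optional, reword the docstring line to `or "members". A description is optional.`. If it is mandatory, drop `required=False,` from the `description` option in `hbacsvcgroup_add`, so that the help text and the client-side contract agree.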
diff --git a/ipaclient/remote_plugins/2_164/hbactest.py b/ipaclient/remote_plugins/2_164/hbactest.py
new file mode 100644
index 000000000..b0c49b71b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/hbactest.py
@@ -0,0 +1,284 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Simulate use of Host-based access controls
+
+HBAC rules control who can access what services on what hosts.
+You can use HBAC to control which users or groups can access a service,
+or group of services, on a target host.
+
+Since applying HBAC rules implies use of a production environment,
+this plugin aims to provide simulation of HBAC rules evaluation without
+having access to the production environment.
+
+ Test user coming to a service on a named host against
+ existing enabled rules.
+
+ ipa hbactest --user= --host= --service=
+ [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
+ [--sizelimit= ]
+
+ --user, --host, and --service are mandatory, others are optional.
+
+ If --rules is specified simulate enabling of the specified rules and test
+ the login of the user using only these rules.
+
+ If --enabled is specified, all enabled HBAC rules will be added to simulation
+
+ If --disabled is specified, all disabled HBAC rules will be added to simulation
+
+ If --nodetail is specified, do not return information about rules matched/not matched.
+
+ If both --rules and --enabled are specified, apply simulation to --rules _and_
+ all IPA enabled rules.
+
+ If no --rules specified, simulation is run against all IPA enabled rules.
+ By default there is a IPA-wide limit to number of entries fetched, you can change it
+ with --sizelimit option.
+
+EXAMPLES:
+
+ 1. Use all enabled HBAC rules in IPA database to simulate:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Matched rules: allow_all
+
+ 2. Disable detailed summary of how rules were applied:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail
+ --------------------
+ Access granted: True
+ --------------------
+
+ 3. Test explicitly specified HBAC rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: my-second-rule
+ Not matched rules: myrule
+
+ 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule --enabled
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Matched rules: allow_all
+
+ 5. Test all disabled HBAC rules in IPA database:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: new-rule
+
+ 6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule --disabled
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+
+ 7. Test all (enabled and disabled) HBAC rules in IPA database:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --enabled --disabled
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Not matched rules: new-rule
+ Matched rules: allow_all
+
+
+HBACTEST AND TRUSTED DOMAINS
+
+When an external trusted domain is configured in IPA, HBAC rules are also applied
+on users accessing IPA resources from the trusted domain. Trusted domain users and
+groups (and their SIDs) can be then assigned to external groups which can be
+members of POSIX groups in IPA which can be used in HBAC rules and thus allowing
+access to resources protected by the HBAC system.
+
+hbactest plugin is capable of testing access for both local IPA users and users
+from the trusted domains, either by a fully qualified user name or by user SID.
+Such user names need to have a trusted domain specified as a short name
+(DOMAIN\Administrator) or with a user principal name (UPN), Administrator@ad.test.
+
+Please note that hbactest executed with a trusted domain user as --user parameter
+can be only run by members of "trust admins" group.
+
+EXAMPLES:
+
+ 1. Test if a user from a trusted domain specified by its shortname matches any
+ rule:
+
+ $ ipa hbactest --user 'DOMAIN\Administrator' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 2. Test if a user from a trusted domain specified by its domain name matches
+ any rule:
+
+ $ ipa hbactest --user 'Administrator@domain.com' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 3. Test if a user from a trusted domain specified by its SID matches any rule:
+
+ $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-500 \
+ --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 4. Test if other user from a trusted domain specified by its SID matches any rule:
+
+ $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-1203 \
+ --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Not matched rules: can_login
+
+ 5. Test if other user from a trusted domain specified by its shortname matches
+ any rule:
+
+ $ ipa hbactest --user 'DOMAIN\Otheruser' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Not matched rules: can_login
+""")
+
+register = Registry()
+
+
+@register()
+class hbactest(Command):
+ __doc__ = _("Simulate use of Host-based access controls")
+
+ takes_options = (
+ parameters.Str(
+ 'user',
+ label=_(u'User name'),
+ ),
+ parameters.Str(
+ 'sourcehost',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'targethost',
+ cli_name='host',
+ label=_(u'Target host'),
+ ),
+ parameters.Str(
+ 'service',
+ label=_(u'Service'),
+ ),
+ parameters.Str(
+ 'rules',
+ required=False,
+ multivalue=True,
+ label=_(u'Rules to test. If not specified, --enabled is assumed'),
+ ),
+ parameters.Flag(
+ 'nodetail',
+ required=False,
+ label=_(u'Hide details which rules are matched, not matched, or invalid'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'enabled',
+ required=False,
+ label=_(u'Include all enabled IPA rules into test [default]'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'disabled',
+ required=False,
+ label=_(u'Include all disabled IPA rules into test'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of rules to process when no --rules is specified'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'warning',
+ (list, tuple, type(None)),
+ doc=_(u'Warning'),
+ ),
+ output.Output(
+ 'matched',
+ (list, tuple, type(None)),
+ doc=_(u'Matched rules'),
+ ),
+ output.Output(
+ 'notmatched',
+ (list, tuple, type(None)),
+ doc=_(u'Not matched rules'),
+ ),
+ output.Output(
+ 'error',
+ (list, tuple, type(None)),
+ doc=_(u'Non-existent or invalid rules'),
+ ),
+ output.Output(
+ 'value',
+ bool,
+ doc=_(u'Result of simulation'),
+ ),
+ )
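Review bot: The module docstring passed to `_("""…""")` is a normal (non-raw) string, so Python interprets its backslashes: the trailing `\` in the multi-line examples (e.g. `--service=sshd \`) acts as a line continuation and vanishes from the help text together with the newline, and `DOMAIN\Administrator` / `DOMAIN\Otheruser` contain the unrecognised escapes `\A` and `\O`, which newer Python 3 releases warn about. Doubling them (`'DOMAIN\\Administrator'`, `--service=sshd \\`) would keep the displayed examples copy-pasteable and silence the warning. Doubling the trailing backslashes changes the runtime string, so the msgid would have to stay in step with the server-side plugin text; if this file is generated from the server schema, the fix presumably belongs in the generator or the source docstring.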
diff --git a/ipaclient/remote_plugins/2_164/host.py b/ipaclient/remote_plugins/2_164/host.py
new file mode 100644
index 000000000..72b6ef881
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/host.py
@@ -0,0 +1,1680 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Hosts/Machines
+
+A host represents a machine. It can be used in a number of contexts:
+- service entries are associated with a host
+- a host stores the host/ service principal
+- a host can be used in Host-based Access Control (HBAC) rules
+- every enrolled client generates a host entry
+
+ENROLLMENT:
+
+There are three enrollment scenarios when enrolling a new client:
+
+1. You are enrolling as a full administrator. The host entry may exist
+ or not. A full administrator is a member of the hostadmin role
+ or the admins group.
+2. You are enrolling as a limited administrator. The host must already
+ exist. A limited administrator is a member a role with the
+ Host Enrollment privilege.
+3. The host has been created with a one-time password.
+
+RE-ENROLLMENT:
+
+Host that has been enrolled at some point, and lost its configuration (e.g. VM
+destroyed) can be re-enrolled.
+
+For more information, consult the manual pages for ipa-client-install.
+
+A host can optionally store information such as where it is located,
+the OS that it runs, etc.
+
+EXAMPLES:
+
+ Add a new host:
+ ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com
+
+ Delete a host:
+ ipa host-del test.example.com
+
+ Add a new host with a one-time password:
+ ipa host-add --os='Fedora 12' --password=Secret123 test.example.com
+
+ Add a new host with a random one-time password:
+ ipa host-add --os='Fedora 12' --random test.example.com
+
+ Modify information about a host:
+ ipa host-mod --os='Fedora 12' test.example.com
+
+ Remove SSH public keys of a host and update DNS to reflect this change:
+ ipa host-mod --sshpubkey= --updatedns test.example.com
+
+ Disable the host Kerberos key, SSL certificate and all of its services:
+ ipa host-disable test.example.com
+
+ Add a host that can manage this host's keytab and certificate:
+ ipa host-add-managedby --hosts=test2 test
+
+ Allow user to create a keytab:
+ ipa host-allow-create-keytab test2 --users=tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class host(Object):
+ takes_params = (
+ parameters.Str(
+ 'fqdn',
+ primary_key=True,
+ label=_(u'Host name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ ),
+ parameters.Str(
+ 'randompassword',
+ required=False,
+ label=_(u'Random password'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ label=_(u'Principal name'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Flag(
+ 'has_password',
+ label=_(u'Password'),
+ ),
+ parameters.Str(
+ 'memberof_hostgroup',
+ required=False,
+ label=_(u'Member of host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member of host-group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Keytab'),
+ ),
+ parameters.Str(
+ 'managedby_host',
+ label=_(u'Managed by'),
+ ),
+ parameters.Str(
+ 'managing_host',
+ label=_(u'Managing'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_user',
+ label=_(u'Users allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_group',
+ label=_(u'Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_host',
+ label=_(u'Hosts allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_hostgroup',
+ label=_(u'Host Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_user',
+ label=_(u'Users allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_group',
+ label=_(u'Groups allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_host',
+ label=_(u'Hosts allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_hostgroup',
+ label=_(u'Host Groups allowed to create keytab'),
+ ),
+ )
+
+
+@register()
+class host_add(Method):
+ __doc__ = _("Add a new host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force host name even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_reverse',
+ doc=_(u'skip reverse DNS detection'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ip_address',
+ required=False,
+ label=_(u'IP Address'),
+ doc=_(u'Add the host to DNS with this IP address'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_add_cert(Method):
+ __doc__ = _("Add certificates to host entry")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_add_managedby(Method):
+ __doc__ = _("Add hosts that can manage this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class host_allow_create_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class host_allow_retrieve_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class host_del(Method):
+ __doc__ = _("Delete a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ multivalue=True,
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'updatedns',
+ required=False,
+ doc=_(u'Remove entries from DNS'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class host_disable(Method):
+ __doc__ = _("Disable the Kerberos key, SSL certificate and all services of a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_disallow_create_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_disallow_retrieve_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_find(Method):
+ __doc__ = _("Search for hosts.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'fqdn',
+ required=False,
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("hostname")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for hosts with these member of host groups.'),
+ ),
+ parameters.Str(
+ 'not_in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for hosts without these member of host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for hosts with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for hosts without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for hosts with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for hosts without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for hosts with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for hosts without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for hosts with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for hosts without these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'enroll_by_user',
+ required=False,
+ multivalue=True,
+ cli_name='enroll_by_users',
+ label=_(u'user'),
+ doc=_(u'Search for hosts with these enrolled by users.'),
+ ),
+ parameters.Str(
+ 'not_enroll_by_user',
+ required=False,
+ multivalue=True,
+ cli_name='not_enroll_by_users',
+ label=_(u'user'),
+ doc=_(u'Search for hosts without these enrolled by users.'),
+ ),
+ parameters.Str(
+ 'man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts with these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts without these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'man_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts with these managing hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts without these managing hosts.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class host_mod(Method):
+ __doc__ = _("Modify information about a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipaassignedidview',
+ required=False,
+ label=_(u'Assigned ID View'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principalname',
+ label=_(u'Principal name'),
+ doc=_(u'Kerberos principal name for this host'),
+ ),
+ parameters.Flag(
+ 'updatedns',
+ required=False,
+ doc=_(u'Update DNS entries'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_remove_cert(Method):
+ __doc__ = _("Remove certificates from host entry")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_remove_managedby(Method):
+ __doc__ = _("Remove hosts that can manage this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_show(Method):
+ __doc__ = _("Display information about a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/hostgroup.py b/ipaclient/remote_plugins/2_164/hostgroup.py
new file mode 100644
index 000000000..afda19d78
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/hostgroup.py
@@ -0,0 +1,709 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of hosts.
+
+Manage groups of hosts. This is useful for applying access control to a
+number of hosts by using Host-based Access Control.
+
+EXAMPLES:
+
+ Add a new host group:
+ ipa hostgroup-add --desc="Baltimore hosts" baltimore
+
+ Add another new host group:
+ ipa hostgroup-add --desc="Maryland hosts" maryland
+
+ Add members to the hostgroup (using Bash brace expansion):
+ ipa hostgroup-add-member --hosts={box1,box2,box3} baltimore
+
+ Add a hostgroup as a member of another hostgroup:
+ ipa hostgroup-add-member --hostgroups=baltimore maryland
+
+ Remove a host from the hostgroup:
+ ipa hostgroup-remove-member --hosts=box2 baltimore
+
+ Display a host group:
+ ipa hostgroup-show baltimore
+
+ Delete a hostgroup:
+ ipa hostgroup-del baltimore
+""")
+
+register = Registry()
+
+
+@register()
+class hostgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'member_host',
+ required=False,
+ label=_(u'Member hosts'),
+ ),
+ parameters.Str(
+ 'member_hostgroup',
+ required=False,
+ label=_(u'Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_hostgroup',
+ required=False,
+ label=_(u'Member of host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberindirect_host',
+ required=False,
+ label=_(u'Indirect Member hosts'),
+ ),
+ parameters.Str(
+ 'memberindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member of host-group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ )
+
+
+@register()
+class hostgroup_add(Method):
+ __doc__ = _("Add a new hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_add_member(Method):
+ __doc__ = _("Add members to a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hostgroup_del(Method):
+ __doc__ = _("Delete a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hostgroup_find(Method):
+ __doc__ = _("Search for hostgroups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'host'),
+ doc=_(u'Search for host groups with these member hosts.'),
+ ),
+ parameters.Str(
+ 'no_host',
+ required=False,
+ multivalue=True,
+ cli_name='no_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for host groups without these member hosts.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups with these member host groups.'),
+ ),
+ parameters.Str(
+ 'no_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups without these member host groups.'),
+ ),
+ parameters.Str(
+ 'in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups with these member of host groups.'),
+ ),
+ parameters.Str(
+ 'not_in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups without these member of host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for host groups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for host groups without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for host groups with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for host groups without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for host groups with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for host groups without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hostgroup_mod(Method):
+ __doc__ = _("Modify a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_remove_member(Method):
+ __doc__ = _("Remove members from a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hostgroup_show(Method):
+ __doc__ = _("Display information about a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
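Review bot: `hostgroup_add_member` and `hostgroup_remove_member` declare a `failed` dict and a `completed` count in `has_output`, but neither class says whether a partially failed call raises or returns normally, so a caller reading this file cannot tell that `failed` has to be inspected. The module docstring presents host groups as the way to apply Host-based Access Control, so automation that treats a returned result as "member removed" could leave a host in a group it was meant to leave. I would add a comment above each `has_output`, for example `# 'failed' lists members the server did not add/remove; check it instead of relying on the call returning`. That wording assumes the server reports per-member failures in the result rather than raising, which should be confirmed against the server-side plugin. The same applies to `hostgroup_del` with `continue`, whose `result` is documented as the list of deletions that failed. If these modules are emitted by a generator, the comment belongs in its template.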
diff --git a/ipaclient/remote_plugins/2_164/idrange.py b/ipaclient/remote_plugins/2_164/idrange.py
new file mode 100644
index 000000000..e4f4728ac
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/idrange.py
@@ -0,0 +1,639 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+ID ranges
+
+Manage ID ranges used to map Posix IDs to SIDs and back.
+
+There are two type of ID ranges which are both handled by this utility:
+
+ - the ID ranges of the local domain
+ - the ID ranges of trusted remote domains
+
+Both types have the following attributes in common:
+
+ - base-id: the first ID of the Posix ID range
+ - range-size: the size of the range
+
+With those two attributes a range object can reserve the Posix IDs starting
+with base-id up to but not including base-id+range-size exclusively.
+
+Additionally an ID range of the local domain may set
+ - rid-base: the first RID(*) of the corresponding RID range
+ - secondary-rid-base: first RID of the secondary RID range
+
+and an ID range of a trusted domain must set
+ - rid-base: the first RID of the corresponding RID range
+ - sid: domain SID of the trusted domain
+
+
+
+EXAMPLE: Add a new ID range for a trusted domain
+
+Since there might be more than one trusted domain the domain SID must be given
+while creating the ID range.
+
+ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 \
+ --dom-sid=S-1-5-21-123-456-789 trusted_dom_range
+
+This ID range is then used by the IPA server and the SSSD IPA provider to
+assign Posix UIDs to users from the trusted domain.
+
+If e.g a range for a trusted domain is configured with the following values:
+ base-id = 1200000
+ range-size = 200000
+ rid-base = 0
+the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 13999999. So
+RID 1000 <-> Posix ID 1201000
+
+
+
+EXAMPLE: Add a new ID range for the local domain
+
+To create an ID range for the local domain it is not necessary to specify a
+domain SID. But since it is possible that a user and a group can have the same
+value as Posix ID a second RID interval is needed to handle conflicts.
+
+ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000 \
+ --secondary-rid-base=1000000 local_range
+
+The data from the ID ranges of the local domain are used by the IPA server
+internally to assign SIDs to IPA users and groups. The SID will then be stored
+in the user or group objects.
+
+If e.g. the ID range for the local domain is configured with the values from
+the example above then a new user with the UID 1200007 will get the RID 1007.
+If this RID is already used by a group the RID will be 1000007. This can only
+happen if a user or a group object was created with a fixed ID because the
+automatic assignment will not assign the same ID twice. Since there are only
+users and groups sharing the same ID namespace it is sufficient to have only
+one fallback range to handle conflicts.
+
+To find the Posix ID for a given RID from the local domain it has to be
+checked first if the RID falls in the primary or secondary RID range and
+the rid-base or the secondary-rid-base has to be subtracted, respectively,
+and the base-id has to be added to get the Posix ID.
+
+Typically the creation of ID ranges happens behind the scenes and this CLI
+must not be used at all. The ID range for the local domain will be created
+during installation or upgrade from an older version. The ID range for a
+trusted domain will be created together with the trust by 'ipa trust-add ...'.
+
+USE CASES:
+
+ Add an ID range from a transitively trusted domain
+
+ If the trusted domain (A) trusts another domain (B) as well and this trust
+ is transitive 'ipa trust-add domain-A' will only create a range for
+ domain A. The ID range for domain B must be added manually.
+
+ Add an additional ID range for the local domain
+
+ If the ID range of the local domain is exhausted, i.e. no new IDs can be
+ assigned to Posix users or groups by the DNA plugin, a new range has to be
+ created to allow new users and groups to be added. (Currently there is no
+ connection between this range CLI and the DNA plugin, but a future version
+ might be able to modify the configuration of the DNS plugin as well)
+
+In general it is not necessary to modify or delete ID ranges. If there is no
+other way to achieve a certain configuration than to modify or delete an ID
+range it should be done with great care. Because UIDs are stored in the file
+system and are used for access control it might be possible that users are
+allowed to access files of other users if an ID range got deleted and reused
+for a different domain.
+
+(*) The RID is typically the last integer of a user or group SID which follows
+the domain SID. E.g. if the domain SID is S-1-5-21-123-456-789 and a user from
+this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the
+user. RIDs are unique in a domain, 32bit values and are used for users and
+groups.
+
+=======
+WARNING:
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for
+the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+modified to match the new range.
+=======
+""")
+
+register = Registry()
+
+
+@register()
+class idrange(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Range name'),
+ ),
+ parameters.Int(
+ 'ipabaseid',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ label=_(u'Name of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ )
+
+
+@register()
+class idrange_add(Method):
+ __doc__ = _("""
+Add new ID range.
+
+ To add a new ID range you always have to specify
+
+ --base-id
+ --range-size
+
+ Additionally
+
+ --rid-base
+ --secondary-rid-base
+
+ may be given for a new ID range for the local domain while
+
+ --rid-base
+ --dom-sid
+
+ must be given to add a new range for a trusted AD domain.
+
+=======
+WARNING:
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for
+the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+modified to match the new range.
+=======
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'ipabaseid',
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ cli_name='dom_name',
+ label=_(u'Name of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']",
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_del(Method):
+ __doc__ = _("Delete an ID range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idrange_find(Method):
+ __doc__ = _("Search for ranges.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ parameters.Int(
+ 'ipabaseid',
+ required=False,
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ required=False,
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']",
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idrange_mod(Method):
+ __doc__ = _("""
+Modify ID range.
+
+=======
+WARNING:
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for
+the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+modified to match the new range.
+=======
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'ipabaseid',
+ required=False,
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ required=False,
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_show(Method):
+ __doc__ = _("Display information about a range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
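Review bot: The worked example in the module help text (trusted-domain range with base-id 1200000 and range-size 200000) gives the upper Posix ID as 13999999, which contradicts the half-open range defined earlier in the same docstring; base-id + range-size - 1 is 1399999, so the line should read `the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 1399999. So`. In the same docstring the use-case paragraph says "configuration of the DNS plugin" where every other reference is to the DNA plugin (presumably a typo), and "1010 id the RID" should be "1010 is the RID". Separately, `idrange_del.__doc__` is the bare "Delete an ID range." while idrange_add and idrange_mod repeat the DNA warning. The module text itself says a deleted and reused range can let users access other users' files, so the delete help should carry a one-line pointer to that caveat. If these files are generated from the server's API description, the wording fixes probably belong in the source plugin rather than in this copy.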
diff --git a/ipaclient/remote_plugins/2_164/idviews.py b/ipaclient/remote_plugins/2_164/idviews.py
new file mode 100644
index 000000000..2b34cba46
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/idviews.py
@@ -0,0 +1,1491 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+ID Views
+Manage ID Views
+IPA allows to override certain properties of users and groups per each host.
+This functionality is primarily used to allow migration from older systems or
+other Identity Management solutions.
+""")
+
+register = Registry()
+
+
+@register()
+class idoverridegroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ primary_key=True,
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Group name'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ )
+
+
+@register()
+class idoverrideuser(Object):
+ takes_params = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ primary_key=True,
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ label=_(u'User login'),
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ )
+
+
+@register()
+class idview(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_add(Method):
+ __doc__ = _("Add a new Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_del(Method):
+ __doc__ = _("Delete an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ multivalue=True,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idoverridegroup_find(Method):
+ __doc__ = _("Search for an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ required=False,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("anchor")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_mod(Method):
+ __doc__ = _("Modify an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the Group ID override object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverridegroup_show(Method):
+ __doc__ = _("Display information about an Group ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_add(Method):
+ __doc__ = _("Add a new User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_del(Method):
+ __doc__ = _("Delete an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ multivalue=True,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idoverrideuser_find(Method):
+ __doc__ = _("Search for an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaanchoruuid',
+ required=False,
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("anchor")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_mod(Method):
+ __doc__ = _("Modify an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'ipaoriginaluid',
+ required=False,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the User ID override object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idoverrideuser_show(Method):
+ __doc__ = _("Display information about an User ID override.")
+
+ takes_args = (
+ parameters.Str(
+ 'idviewcn',
+ cli_name='idview',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'ipaanchoruuid',
+ cli_name='anchor',
+ label=_(u'Anchor to override'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'fallback_to_ldap',
+ required=False,
+ label=_(u'Fallback to AD DC LDAP'),
+ doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_add(Method):
+ __doc__ = _("Add a new ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_apply(Method):
+ __doc__ = _("Applies ID View to specified hosts or current members of specified hostgroups. If any other ID View is applied to the host, it is overridden.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'hosts'),
+ doc=_(u'Hosts to apply the ID View to'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'hostgroups'),
+ doc=_(u'Hostgroups to whose hosts apply the ID View to. Please note that view is not applied automatically to any hosts added to the hostgroup after running the idview-apply command.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'succeeded',
+ dict,
+ doc=_(u'Hosts that this ID View was applied to.'),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Hosts or hostgroups that this ID View could not be applied to.'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of hosts the ID View was applied to:'),
+ ),
+ )
+
+
+@register()
+class idview_del(Method):
+ __doc__ = _("Delete an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idview_find(Method):
+ __doc__ = _("Search for an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idview_mod(Method):
+ __doc__ = _("Modify an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the ID View object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_show(Method):
+ __doc__ = _("Display information about an ID View.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'ID View Name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'show_hosts',
+ required=False,
+ doc=_(u'Enumerate all the hosts the view applies to.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idview_unapply(Method):
+ __doc__ = _("Clears ID View from specified hosts or current members of specified hostgroups.")
+
+ takes_options = (
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'hosts'),
+ doc=_(u'Hosts to clear (any) ID View from.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'hostgroups'),
+ doc=_(u'Hostgroups whose hosts should have ID Views cleared. Note that view is not cleared automatically from any host added to the hostgroup after running idview-unapply command.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'succeeded',
+ dict,
+ doc=_(u'Hosts that ID View was cleared from.'),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Hosts or hostgroups that ID View could not be cleared from.'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of hosts that had a ID View was unset:'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/internal.py b/ipaclient/remote_plugins/2_164/internal.py
new file mode 100644
index 000000000..7fec8d26f
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/internal.py
@@ -0,0 +1,92 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugins not accessible directly through the CLI, commands used internally
+""")
+
+register = Registry()
+
+
+@register()
+class i18n_messages(Command):
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'texts',
+ dict,
+ doc=_(u'Dict of I18N messages'),
+ ),
+ )
+
+
+@register()
+class json_metadata(Command):
+ __doc__ = _("Export plugin meta-data for the webUI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'objname',
+ required=False,
+ doc=_(u'Name of object to export'),
+ ),
+ parameters.Str(
+ 'methodname',
+ required=False,
+ doc=_(u'Name of method to export'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'object',
+ required=False,
+ doc=_(u'Name of object to export'),
+ ),
+ parameters.Str(
+ 'method',
+ required=False,
+ doc=_(u'Name of method to export'),
+ ),
+ parameters.Str(
+ 'command',
+ required=False,
+ doc=_(u'Name of command to export'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'objects',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Objects'),
+ ),
+ output.Output(
+ 'methods',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Methods'),
+ ),
+ output.Output(
+ 'commands',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Commands'),
+ ),
+ )
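Review bot: `i18n_messages` has no `__doc__`, unlike `json_metadata` right below it, so the only description of the command is the output doc `Dict of I18N messages`. A one-line docstring such as `__doc__ = _("Return the dict of I18N messages (internal use).")` would match the sibling class; the wording is inferred from the output doc and should be checked against the server plugin. In `json_metadata` the positional `objname`/`methodname` and the options `object`/`method` carry identical doc strings, so a reader cannot tell which pair takes precedence; a short comment above `takes_options` stating that would help.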
diff --git a/ipaclient/remote_plugins/2_164/join.py b/ipaclient/remote_plugins/2_164/join.py
new file mode 100644
index 000000000..07403510b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/join.py
@@ -0,0 +1,62 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Joining an IPA domain
+""")
+
+register = Registry()
+
+
+@register()
+class join(Command):
+ __doc__ = _("Join an IPA domain")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostname',
+ doc=_(u'The hostname to register as'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: unicode(installutils.get_fqdn())
+ autofill=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'realm',
+ doc=_(u'The IPA realm'),
+ default_from=DefaultFrom(lambda: api.env.realm),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ doc=_(u'Hardware platform of the host (e.g. Lenovo T61)'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ doc=_(u'Operating System and version of the host (e.g. Fedora 9)'),
+ ),
+ )
+ has_output = (
+ )
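Review bot: The `cn` argument of `join` combines `autofill=True` with `default_from=DefaultFrom(lambda : None)`, so the autofilled default is presumably always None, and the FIXME under it does not say who is expected to supply the hostname. This value is the identity the host enrolls under, so the comment should state the contract explicitly, e.g. `# FIXME: no FQDN default is computed here (originally unicode(installutils.get_fqdn())); the caller must pass the hostname`. As a style point, `lambda : None` is spaced differently from `lambda: api.env.realm` in the `realm` option of the same class.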
diff --git a/ipaclient/remote_plugins/2_164/krbtpolicy.py b/ipaclient/remote_plugins/2_164/krbtpolicy.py
new file mode 100644
index 000000000..42a4b2bc7
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/krbtpolicy.py
@@ -0,0 +1,266 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Kerberos ticket policy
+
+There is a single Kerberos ticket policy. This policy defines the
+maximum ticket lifetime and the maximum renewal age, the period during
+which the ticket is renewable.
+
+You can also create a per-user ticket policy by specifying the user login.
+
+For changes to the global policy to take effect, restarting the KDC service
+is required, which can be achieved using:
+
+service krb5kdc restart
+
+Changes to per-user policies take effect immediately for newly requested
+tickets (e.g. when the user next runs kinit).
+
+EXAMPLES:
+
+ Display the current Kerberos ticket policy:
+ ipa krbtpolicy-show
+
+ Reset the policy to the default:
+ ipa krbtpolicy-reset
+
+ Modify the policy to 8 hours max life, 1-day max renewal:
+ ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400
+
+ Display effective Kerberos ticket policy for user 'admin':
+ ipa krbtpolicy-show admin
+
+ Reset per-user policy for user 'admin':
+ ipa krbtpolicy-reset admin
+
+ Modify per-user policy for user 'admin':
+ ipa krbtpolicy-mod admin --maxlife=3600
+""")
+
+register = Registry()
+
+
+@register()
+class krbtpolicy(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ primary_key=True,
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ parameters.Int(
+ 'krbmaxticketlife',
+ required=False,
+ label=_(u'Max life'),
+ doc=_(u'Maximum ticket life (seconds)'),
+ ),
+ parameters.Int(
+ 'krbmaxrenewableage',
+ required=False,
+ label=_(u'Max renew'),
+ doc=_(u'Maximum renewable age (seconds)'),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_mod(Method):
+ __doc__ = _("Modify Kerberos ticket policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxticketlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max life'),
+ doc=_(u'Maximum ticket life (seconds)'),
+ ),
+ parameters.Int(
+ 'krbmaxrenewableage',
+ required=False,
+ cli_name='maxrenew',
+ label=_(u'Max renew'),
+ doc=_(u'Maximum renewable age (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_reset(Method):
+ __doc__ = _("Reset Kerberos ticket policy to the default values.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_show(Method):
+ __doc__ = _("Display the current Kerberos ticket policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
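Review bot: `krbmaxticketlife` and `krbmaxrenewableage` are declared as bare `parameters.Int` in both `krbtpolicy` and `krbtpolicy_mod`, so nothing visible in this file rejects a zero or negative lifetime before the request is sent. If the bounds are enforced only on the server, say so in a comment above the parameter, e.g. `# range is validated server-side; no client-side bound here`; otherwise add `minvalue=1,` to both `Int` definitions. The `uid` argument of `krbtpolicy_show` and `krbtpolicy_reset` also reuses the doc `Manage ticket policy for specific user`, which reads oddly for commands that only display or reset the policy.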
diff --git a/ipaclient/remote_plugins/2_164/migration.py b/ipaclient/remote_plugins/2_164/migration.py
new file mode 100644
index 000000000..89049f257
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/migration.py
@@ -0,0 +1,319 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Migration to IPA
+
+Migrate users and groups from an LDAP server to IPA.
+
+This performs an LDAP query against the remote server searching for
+users and groups in a container. In order to migrate passwords you need
+to bind as a user that can read the userPassword attribute on the remote
+server. This is generally restricted to high-level admins such as
+cn=Directory Manager in 389-ds (this is the default bind user).
+
+The default user container is ou=People.
+
+The default group container is ou=Groups.
+
+Users and groups that already exist on the IPA server are skipped.
+
+Two LDAP schemas define how group members are stored: RFC2307 and
+RFC2307bis. RFC2307bis uses member and uniquemember to specify group
+members, RFC2307 uses memberUid. The default schema is RFC2307bis.
+
+The schema compat feature allows IPA to reformat data for systems that
+do not support RFC2307bis. It is recommended that this feature is disabled
+during migration to reduce system overhead. It can be re-enabled after
+migration. To migrate with it enabled use the "--with-compat" option.
+
+Migrated users do not have Kerberos credentials, they have only their
+LDAP password. To complete the migration process, users need to go
+to http://ipa.example.com/ipa/migration and authenticate using their
+LDAP password in order to generate their Kerberos credentials.
+
+Migration is disabled by default. Use the command ipa config-mod to
+enable it:
+
+ ipa config-mod --enable-migration=TRUE
+
+If a base DN is not provided with --basedn then IPA will use either
+the value of defaultNamingContext if it is set or the first value
+in namingContexts set in the root of the remote LDAP server.
+
+Users are added as members to the default user group. This can be a
+time-intensive task so during migration this is done in a batch
+mode for every 100 users. As a result there will be a window in which
+users will be added to IPA but will not be members of the default
+user group.
+
+EXAMPLES:
+
+ The simplest migration, accepting all defaults:
+ ipa migrate-ds ldap://ds.example.com:389
+
+ Specify the user and group container. This can be used to migrate user
+ and group data from an IPA v1 server:
+ ipa migrate-ds --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ ldap://ds.example.com:389
+
+ Since IPA v2 server already contain predefined groups that may collide with
+ groups in migrated (IPA v1) server (for example admins, ipausers), users
+ having colliding group as their primary group may happen to belong to
+ an unknown group on new IPA v2 server.
+ Use --group-overwrite-gid option to overwrite GID of already existing groups
+ to prevent this issue:
+ ipa migrate-ds --group-overwrite-gid \
+ --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ ldap://ds.example.com:389
+
+ Migrated users or groups may have object class and accompanied attributes
+ unknown to the IPA v2 server. These object classes and attributes may be
+ left out of the migration process:
+ ipa migrate-ds --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ --user-ignore-objectclass=radiusprofile \
+ --user-ignore-attribute=radiusgroupname \
+ ldap://ds.example.com:389
+
+LOGGING
+
+Migration will log warnings and errors to the Apache error log. This
+file should be evaluated post-migration to correct or investigate any
+issues that were discovered.
+
+For every 100 users migrated an info-level message will be displayed to
+give the current progress and duration to make it possible to track
+the progress of migration.
+
+If the log level is debug, either by setting debug = True in
+/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed
+for each user added plus a summary when the default user group is
+updated.
+""")
+
+register = Registry()
+
+
+@register()
+class migrate_ds(Command):
+ __doc__ = _("Migrate users and groups from DS to IPA.")
+
+ takes_args = (
+ parameters.Str(
+ 'ldapuri',
+ cli_name='ldap_uri',
+ label=_(u'LDAP URI'),
+ doc=_(u'LDAP URI of DS server to migrate from'),
+ ),
+ parameters.Password(
+ 'bindpw',
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'bind password'),
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'binddn',
+ required=False,
+ cli_name='bind_dn',
+ label=_(u'Bind DN'),
+ default=DN(u'cn=directory manager'),
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'usercontainer',
+ cli_name='user_container',
+ label=_(u'User container'),
+ doc=_(u'DN of container for users in DS relative to base DN'),
+ default=DN(u'ou=people'),
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'groupcontainer',
+ cli_name='group_container',
+ label=_(u'Group container'),
+ doc=_(u'DN of container for groups in DS relative to base DN'),
+ default=DN(u'ou=groups'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userobjectclass',
+ multivalue=True,
+ cli_name='user_objectclass',
+ label=_(u'User object class'),
+ doc=_(u'Objectclasses used to search for user entries in DS'),
+ default=(u'person',),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupobjectclass',
+ multivalue=True,
+ cli_name='group_objectclass',
+ label=_(u'Group object class'),
+ doc=_(u'Objectclasses used to search for group entries in DS'),
+ default=(u'groupOfUniqueNames', u'groupOfNames'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userignoreobjectclass',
+ required=False,
+ multivalue=True,
+ cli_name='user_ignore_objectclass',
+ label=_(u'Ignore user object class'),
+ doc=_(u'Objectclasses to be ignored for user entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userignoreattribute',
+ required=False,
+ multivalue=True,
+ cli_name='user_ignore_attribute',
+ label=_(u'Ignore user attribute'),
+ doc=_(u'Attributes to be ignored for user entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupignoreobjectclass',
+ required=False,
+ multivalue=True,
+ cli_name='group_ignore_objectclass',
+ label=_(u'Ignore group object class'),
+ doc=_(u'Objectclasses to be ignored for group entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupignoreattribute',
+ required=False,
+ multivalue=True,
+ cli_name='group_ignore_attribute',
+ label=_(u'Ignore group attribute'),
+ doc=_(u'Attributes to be ignored for group entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'groupoverwritegid',
+ cli_name='group_overwrite_gid',
+ label=_(u'Overwrite GID'),
+ doc=_(u'When migrating a group already existing in IPA domain overwrite the group GID and report as success'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'schema',
+ required=False,
+ cli_metavar="['RFC2307bis', 'RFC2307']",
+ label=_(u'LDAP schema'),
+ doc=_(u'The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'),
+ default=u'RFC2307bis',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'continue',
+ required=False,
+ label=_(u'Continue'),
+ doc=_(u'Continuous operation mode. Errors are reported but the process continues'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'basedn',
+ required=False,
+ cli_name='base_dn',
+ label=_(u'Base DN'),
+ doc=_(u'Base DN on remote LDAP server'),
+ ),
+ parameters.Flag(
+ 'compat',
+ required=False,
+ cli_name='with_compat',
+ label=_(u'Ignore compat plugin'),
+ doc=_(u'Allows migration despite the usage of compat plugin'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'cacertfile',
+ required=False,
+ cli_name='ca_cert_file',
+ label=_(u'CA certificate'),
+ doc=_(u'Load CA certificate of LDAP server from FILE'),
+ ),
+ parameters.Bool(
+ 'use_def_group',
+ required=False,
+ cli_name='use_default_group',
+ label=_(u'Add to default group'),
+ doc=_(u'Add migrated users without a group to a default group (default: true)'),
+ default=True,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'scope',
+ cli_metavar="['base', 'subtree', 'onelevel']",
+ label=_(u'Search scope'),
+ doc=_(u'LDAP search scope for users and groups: base, onelevel, or subtree. Defaults to onelevel'),
+ default=u'onelevel',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'exclude_groups',
+ required=False,
+ multivalue=True,
+ doc=_(u'groups to exclude from migration'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'exclude_users',
+ required=False,
+ multivalue=True,
+ doc=_(u'users to exclude from migration'),
+ default=(),
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Lists of objects migrated; categorized by type.'),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Lists of objects that could not be migrated; categorized by type.'),
+ ),
+ output.Output(
+ 'enabled',
+ bool,
+ doc=_(u'False if migration mode was disabled.'),
+ ),
+ output.Output(
+ 'compat',
+ bool,
+ doc=_(u'False if migration fails because the compatibility plug-in is enabled.'),
+ ),
+ )
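Review bot: Every example in the module docstring uses `ldap://ds.example.com:389`, although the command binds as `cn=directory manager` with `bindpw` and the text says the bind user must be able to read userPassword, so following the examples sends the bind password and password hashes in cleartext. The hunk already defines `cacertfile` (`cli_name='ca_cert_file'`), so the docstring should include a TLS example such as `ipa migrate-ds --ca-cert-file=<path-to-ca-cert> ldaps://ds.example.com:636` (the path is a placeholder) and recommend it for password migration. The user-facing migration page is likewise given as `http://ipa.example.com/ipa/migration`, where users type their LDAP password; `https://ipa.example.com/ipa/migration` would be the safer form to document. These strings are translatable msgids, so changing them also affects the translation catalogs.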
diff --git a/ipaclient/remote_plugins/2_164/misc.py b/ipaclient/remote_plugins/2_164/misc.py
new file mode 100644
index 000000000..4889e666b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/misc.py
@@ -0,0 +1,113 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Misc plug-ins
+""")
+
+register = Registry()
+
+
+@register()
+class env(Command):
+ __doc__ = _("Show environment variables.")
+
+ takes_args = (
+ parameters.Str(
+ 'variables',
+ required=False,
+ multivalue=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'server',
+ required=False,
+ doc=_(u'Forward to server instead of running locally'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=True,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ output.Output(
+ 'total',
+ int,
+ doc=_(u'Total number of variables env (>= count)'),
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of variables returned (<= total)'),
+ ),
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
+
+
+@register()
+class plugins(Command):
+ __doc__ = _("Show all loaded plugins.")
+
+ takes_options = (
+ parameters.Flag(
+ 'server',
+ required=False,
+ doc=_(u'Forward to server instead of running locally'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=True,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping plugin names to bases'),
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of plugins loaded'),
+ ),
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
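Review bot: The header of the new `misc.py` carries only the copyright lines and a blanket `# pylint: disable=unused-import`, with nothing saying which server API version the module mirrors or whether it may be edited by hand. The same header repeats in the `netgroup.py` and `otpconfig.py` sections below. In this file the blanket disable covers `Method`, `Object`, `api`, `DefaultFrom`, `DN` and `DNSName`, none of which the visible code uses. I would add a comment above the imports such as `# Interface definitions for servers without API schema support (presumably API 2.164, going by the directory name); imports are a fixed preamble, do not hand-edit.`, adjusted to how these modules are actually produced.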
diff --git a/ipaclient/remote_plugins/2_164/netgroup.py b/ipaclient/remote_plugins/2_164/netgroup.py
new file mode 100644
index 000000000..a04d99276
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/netgroup.py
@@ -0,0 +1,865 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Netgroups
+
+A netgroup is a group used for permission checking. It can contain both
+user and host values.
+
+EXAMPLES:
+
+ Add a new netgroup:
+ ipa netgroup-add --desc="NFS admins" admins
+
+ Add members to the netgroup:
+ ipa netgroup-add-member --users=tuser1 --users=tuser2 admins
+
+ Remove a member from the netgroup:
+ ipa netgroup-remove-member --users=tuser2 admins
+
+ Display information about a netgroup:
+ ipa netgroup-show admins
+
+ Delete a netgroup:
+ ipa netgroup-del admins
+""")
+
+register = Registry()
+
+
+@register()
+class netgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Netgroup name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'ipauniqueid',
+ required=False,
+ label=_(u'IPA unique ID'),
+ doc=_(u'IPA unique ID'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ parameters.Str(
+ 'member_netgroup',
+ required=False,
+ label=_(u'Member netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member netgroups'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Member User'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'Member Group'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Member Host'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Member Hostgroup'),
+ ),
+ )
+
+
+@register()
+class netgroup_add(Method):
+ __doc__ = _("Add a new netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class netgroup_add_member(Method):
+ __doc__ = _("Add members to a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'member netgroup'),
+ doc=_(u'netgroups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class netgroup_del(Method):
+ __doc__ = _("Delete a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class netgroup_find(Method):
+ __doc__ = _("Search for a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'ipauniqueid',
+ required=False,
+ cli_name='uuid',
+ label=_(u'IPA unique ID'),
+ doc=_(u'IPA unique ID'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'private',
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'managed',
+ doc=_(u'search for managed groups'),
+ default=False,
+ default_from=DefaultFrom(lambda private: private),
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups with these member netgroups.'),
+ ),
+ parameters.Str(
+ 'no_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups without these member netgroups.'),
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'user'),
+ doc=_(u'Search for netgroups with these member users.'),
+ ),
+ parameters.Str(
+ 'no_user',
+ required=False,
+ multivalue=True,
+ cli_name='no_users',
+ label=_(u'user'),
+ doc=_(u'Search for netgroups without these member users.'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'group'),
+ doc=_(u'Search for netgroups with these member groups.'),
+ ),
+ parameters.Str(
+ 'no_group',
+ required=False,
+ multivalue=True,
+ cli_name='no_groups',
+ label=_(u'group'),
+ doc=_(u'Search for netgroups without these member groups.'),
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'host'),
+ doc=_(u'Search for netgroups with these member hosts.'),
+ ),
+ parameters.Str(
+ 'no_host',
+ required=False,
+ multivalue=True,
+ cli_name='no_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for netgroups without these member hosts.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for netgroups with these member host groups.'),
+ ),
+ parameters.Str(
+ 'no_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for netgroups without these member host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups without these member of netgroups.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class netgroup_mod(Method):
+ __doc__ = _("Modify a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class netgroup_remove_member(Method):
+ __doc__ = _("Remove members from a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'member netgroup'),
+ doc=_(u'netgroups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class netgroup_show(Method):
+ __doc__ = _("Display information about a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
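Review bot: In `netgroup_add`, `netgroup_find` and `netgroup_mod`, `usercategory` and `hostcategory` are plain `parameters.Str` whose only hint at the permitted value is `cli_metavar="['all']"`. As far as these definitions show, that is help text and not a constraint, so the client accepts any string and the rejection has to come from the server. That is the right place for the authoritative check, but it deserves a comment next to the two parameters, for example `# allowed values are enforced by the server; cli_metavar is display-only`. This stops a later reader from assuming the client validates the category. The same reasoning applies to the free-form `setattr`/`addattr`/`delattr` options in `netgroup_add` and `netgroup_mod`.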
diff --git a/ipaclient/remote_plugins/2_164/otpconfig.py b/ipaclient/remote_plugins/2_164/otpconfig.py
new file mode 100644
index 000000000..1aceb903e
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/otpconfig.py
@@ -0,0 +1,206 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+OTP configuration
+
+Manage the default values that IPA uses for OTP tokens.
+
+EXAMPLES:
+
+ Show basic OTP configuration:
+ ipa otpconfig-show
+
+ Show all OTP configuration options:
+ ipa otpconfig-show --all
+
+ Change maximum TOTP authentication window to 10 minutes:
+ ipa otpconfig-mod --totp-auth-window=600
+
+ Change maximum TOTP synchronization window to 12 hours:
+ ipa otpconfig-mod --totp-sync-window=43200
+
+ Change maximum HOTP authentication window to 5:
+ ipa hotpconfig-mod --hotp-auth-window=5
+
+ Change maximum HOTP synchronization window to 50:
+ ipa hotpconfig-mod --hotp-sync-window=50
+""")
+
+register = Registry()
+
+
+@register()
+class otpconfig(Object):
+ takes_params = (
+ parameters.Int(
+ 'ipatokentotpauthwindow',
+ label=_(u'TOTP authentication Window'),
+ doc=_(u'TOTP authentication time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokentotpsyncwindow',
+ label=_(u'TOTP Synchronization Window'),
+ doc=_(u'TOTP synchronization time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpauthwindow',
+ label=_(u'HOTP Authentication Window'),
+ doc=_(u'HOTP authentication skip-ahead'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpsyncwindow',
+ label=_(u'HOTP Synchronization Window'),
+ doc=_(u'HOTP synchronization skip-ahead'),
+ ),
+ )
+
+
+@register()
+class otpconfig_mod(Method):
+ __doc__ = _("Modify OTP configuration options.")
+
+ takes_options = (
+ parameters.Int(
+ 'ipatokentotpauthwindow',
+ required=False,
+ cli_name='totp_auth_window',
+ label=_(u'TOTP authentication Window'),
+ doc=_(u'TOTP authentication time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokentotpsyncwindow',
+ required=False,
+ cli_name='totp_sync_window',
+ label=_(u'TOTP Synchronization Window'),
+ doc=_(u'TOTP synchronization time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpauthwindow',
+ required=False,
+ cli_name='hotp_auth_window',
+ label=_(u'HOTP Authentication Window'),
+ doc=_(u'HOTP authentication skip-ahead'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpsyncwindow',
+ required=False,
+ cli_name='hotp_sync_window',
+ label=_(u'HOTP Synchronization Window'),
+ doc=_(u'HOTP synchronization skip-ahead'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class otpconfig_show(Method):
+ __doc__ = _("Show the current OTP configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
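Review bot: The module docstring's last two examples call `ipa hotpconfig-mod --hotp-auth-window=5` and `ipa hotpconfig-mod --hotp-sync-window=50`, but the only modify command registered in this file is `otpconfig_mod`, and the HOTP options are defined on it as `hotp_auth_window` and `hotp_sync_window`. The examples should read `ipa otpconfig-mod --hotp-auth-window=5` and `ipa otpconfig-mod --hotp-sync-window=50`. Because the text is wrapped in `_()` it is also a translation msgid, so if this docstring is copied from the server-side plugin the correction should be made there as well to keep the two in step.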
diff --git a/ipaclient/remote_plugins/2_164/otptoken.py b/ipaclient/remote_plugins/2_164/otptoken.py
new file mode 100644
index 000000000..0b2b54c6e
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/otptoken.py
@@ -0,0 +1,893 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+OTP Tokens
+
+Manage OTP tokens.
+
+IPA supports the use of OTP tokens for multi-factor authentication. This
+code enables the management of OTP tokens.
+
+EXAMPLES:
+
+ Add a new token:
+ ipa otptoken-add --type=totp --owner=jdoe --desc="My soft token"
+
+ Examine the token:
+ ipa otptoken-show a93db710-a31a-4639-8647-f15b2c70b78a
+
+ Change the vendor:
+ ipa otptoken-mod a93db710-a31a-4639-8647-f15b2c70b78a --vendor="Red Hat"
+
+ Delete a token:
+ ipa otptoken-del a93db710-a31a-4639-8647-f15b2c70b78a
+""")
+
+register = Registry()
+
+
+@register()
+class otptoken(Object):
+ takes_params = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ primary_key=True,
+ label=_(u'Unique ID'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of the token'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Str(
+ 'managedby_user',
+ required=False,
+ label=_(u'Manager'),
+ doc=_(u'Assigned manager of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Bytes(
+ 'ipatokenotpkey',
+ required=False,
+ label=_(u'Key'),
+ doc=_(u'Token secret (Base32; default: random)'),
+ ),
+ parameters.Str(
+ 'ipatokenotpalgorithm',
+ required=False,
+ label=_(u'Algorithm'),
+ doc=_(u'Token hash algorithm'),
+ ),
+ parameters.Int(
+ 'ipatokenotpdigits',
+ required=False,
+ label=_(u'Digits'),
+ doc=_(u'Number of digits each token code will have'),
+ ),
+ parameters.Int(
+ 'ipatokentotpclockoffset',
+ required=False,
+ label=_(u'Clock offset'),
+ doc=_(u'TOTP token / FreeIPA server time difference'),
+ ),
+ parameters.Int(
+ 'ipatokentotptimestep',
+ required=False,
+ label=_(u'Clock interval'),
+ doc=_(u'Length of TOTP token code validity'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpcounter',
+ required=False,
+ label=_(u'Counter'),
+ doc=_(u'Initial counter for the HOTP token'),
+ ),
+ )
+
+
+@register()
+class otptoken_add(Method):
+ __doc__ = _("Add a new OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ required=False,
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']",
+ label=_(u'Type'),
+ doc=_(u'Type of the token'),
+ default=u'totp',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ cli_name='owner',
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ cli_name='disabled',
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ cli_name='not_before',
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ cli_name='not_after',
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ cli_name='vendor',
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ cli_name='model',
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Bytes(
+ 'ipatokenotpkey',
+ required=False,
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Token secret (Base32; default: random)'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: os.urandom(KEY_LENGTH)
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ipatokenotpalgorithm',
+ required=False,
+ cli_name='algo',
+ cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']",
+ label=_(u'Algorithm'),
+ doc=_(u'Token hash algorithm'),
+ default=u'sha1',
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokenotpdigits',
+ required=False,
+ cli_name='digits',
+ cli_metavar="['6', '8']",
+ label=_(u'Digits'),
+ doc=_(u'Number of digits each token code will have'),
+ default=6,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokentotpclockoffset',
+ required=False,
+ cli_name='offset',
+ label=_(u'Clock offset'),
+ doc=_(u'TOTP token / FreeIPA server time difference'),
+ default=0,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokentotptimestep',
+ required=False,
+ cli_name='interval',
+ label=_(u'Clock interval'),
+ doc=_(u'Length of TOTP token code validity'),
+ default=30,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'ipatokenhotpcounter',
+ required=False,
+ cli_name='counter',
+ label=_(u'Counter'),
+ doc=_(u'Initial counter for the HOTP token'),
+ default=0,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'qrcode',
+ required=False,
+ label=_(u'(deprecated)'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_qrcode',
+ label=_(u'Do not display QR code'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class otptoken_add_managedby(Method):
+ __doc__ = _("Add users that can manage this token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class otptoken_del(Method):
+ __doc__ = _("Delete an OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ multivalue=True,
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class otptoken_find(Method):
+ __doc__ = _("Search for OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ required=False,
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']",
+ label=_(u'Type'),
+ doc=_(u'Type of the token'),
+ default=u'totp',
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ cli_name='owner',
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ cli_name='disabled',
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ cli_name='not_before',
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ cli_name='not_after',
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ cli_name='vendor',
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ cli_name='model',
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenotpalgorithm',
+ required=False,
+ cli_name='algo',
+ cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']",
+ label=_(u'Algorithm'),
+ doc=_(u'Token hash algorithm'),
+ default=u'sha1',
+ ),
+ parameters.Int(
+ 'ipatokenotpdigits',
+ required=False,
+ cli_name='digits',
+ cli_metavar="['6', '8']",
+ label=_(u'Digits'),
+ doc=_(u'Number of digits each token code will have'),
+ default=6,
+ ),
+ parameters.Int(
+ 'ipatokentotpclockoffset',
+ required=False,
+ cli_name='offset',
+ label=_(u'Clock offset'),
+ doc=_(u'TOTP token / FreeIPA server time difference'),
+ default=0,
+ ),
+ parameters.Int(
+ 'ipatokentotptimestep',
+ required=False,
+ cli_name='interval',
+ label=_(u'Clock interval'),
+ doc=_(u'Length of TOTP token code validity'),
+ default=30,
+ ),
+ parameters.Int(
+ 'ipatokenhotpcounter',
+ required=False,
+ cli_name='counter',
+ label=_(u'Counter'),
+ doc=_(u'Initial counter for the HOTP token'),
+ default=0,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("id")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class otptoken_mod(Method):
+ __doc__ = _("Modify a OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Token description (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenowner',
+ required=False,
+ cli_name='owner',
+ label=_(u'Owner'),
+ doc=_(u'Assigned user of the token (default: self)'),
+ ),
+ parameters.Bool(
+ 'ipatokendisabled',
+ required=False,
+ cli_name='disabled',
+ label=_(u'Disabled'),
+ doc=_(u'Mark the token as disabled (default: false)'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotbefore',
+ required=False,
+ cli_name='not_before',
+ label=_(u'Validity start'),
+ doc=_(u'First date/time the token can be used'),
+ ),
+ parameters.DateTime(
+ 'ipatokennotafter',
+ required=False,
+ cli_name='not_after',
+ label=_(u'Validity end'),
+ doc=_(u'Last date/time the token can be used'),
+ ),
+ parameters.Str(
+ 'ipatokenvendor',
+ required=False,
+ cli_name='vendor',
+ label=_(u'Vendor'),
+ doc=_(u'Token vendor name (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenmodel',
+ required=False,
+ cli_name='model',
+ label=_(u'Model'),
+ doc=_(u'Token model (informational only)'),
+ ),
+ parameters.Str(
+ 'ipatokenserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'Serial'),
+ doc=_(u'Token serial (informational only)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the OTP token object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class otptoken_remove_managedby(Method):
+ __doc__ = _("Remove users that can manage this token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class otptoken_show(Method):
+ __doc__ = _("Display information about an OTP token.")
+
+ takes_args = (
+ parameters.Str(
+ 'ipatokenuniqueid',
+ cli_name='id',
+ label=_(u'Unique ID'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
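Review bot: In `otptoken_add`, the `ipatokenotpkey` option keeps `autofill=True` and the doc text "Token secret (Base32; default: random)", but its `default_from` is stubbed to `DefaultFrom(lambda : None)` under a bare `# FIXME:`, so nothing in this client stub produces a random secret. Presumably the server fills in the key when none is sent; I would state that in place of the FIXME, e.g. `# client stub: no key is generated here; the server is expected to supply a random secret when the option is omitted`. The same stubbed-default pattern appears in the passwd.py hunk for `principal` and `current_password`, where the dropped callables appear to decide whose password is changed and whether the current one is needed, so it deserves the same kind of comment. Separately, the secret is declared as a plain `parameters.Bytes` with `cli_name='key'`, so a key supplied as `--key` would likely end up in shell history and the process list; a short comment recommending the server-generated default would help.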
diff --git a/ipaclient/remote_plugins/2_164/otptoken_yubikey.py b/ipaclient/remote_plugins/2_164/otptoken_yubikey.py
new file mode 100644
index 000000000..61fe1b484
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/otptoken_yubikey.py
@@ -0,0 +1,33 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+YubiKey Tokens
+
+Manage YubiKey tokens.
+
+This code is an extension to the otptoken plugin and provides support for
+reading/writing YubiKey tokens directly.
+
+EXAMPLES:
+
+ Add a new token:
+ ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey"
+""")
+
+register = Registry()
diff --git a/ipaclient/remote_plugins/2_164/passwd.py b/ipaclient/remote_plugins/2_164/passwd.py
new file mode 100644
index 000000000..4476cf1ec
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/passwd.py
@@ -0,0 +1,93 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Set a user's password
+
+If someone other than a user changes that user's password (e.g., Helpdesk
+resets it) then the password will need to be changed the first time it
+is used. This is so the end-user is the only one who knows the password.
+
+The IPA password policy controls how often a password may be changed,
+what strength requirements exist, and the length of the password history.
+
+EXAMPLES:
+
+ To reset your own password:
+ ipa passwd
+
+ To change another user's password:
+ ipa passwd tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class passwd(Command):
+ __doc__ = _("Set a user's password.")
+
+ takes_args = (
+ parameters.Str(
+ 'principal',
+ cli_name='user',
+ label=_(u'User name'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: krb_utils.get_principal()
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Password(
+ 'password',
+ label=_(u'New Password'),
+ confirm=True,
+ ),
+ parameters.Password(
+ 'current_password',
+ label=_(u'Current Password'),
+ default_from=DefaultFrom(lambda principal: None, 'principal'),
+ # FIXME:
+ # lambda principal: get_current_password(principal)
+ autofill=True,
+ ),
+ )
+ takes_options = (
+ parameters.Password(
+ 'otp',
+ required=False,
+ label=_(u'OTP'),
+ doc=_(u'One Time Password'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/permission.py b/ipaclient/remote_plugins/2_164/permission.py
new file mode 100644
index 000000000..94cd1bbaa
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/permission.py
@@ -0,0 +1,1099 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Permissions
+
+A permission enables fine-grained delegation of rights. A permission is
+a human-readable wrapper around a 389-ds Access Control Rule,
+or instruction (ACI).
+A permission grants the right to perform a specific task such as adding a
+user, modifying a group, etc.
+
+A permission may not contain other permissions.
+
+* A permission grants access to read, write, add, delete, read, search,
+ or compare.
+* A privilege combines similar permissions (for example all the permissions
+ needed to add a user).
+* A role grants a set of privileges to users, groups, hosts or hostgroups.
+
+A permission is made up of a number of different parts:
+
+1. The name of the permission.
+2. The target of the permission.
+3. The rights granted by the permission.
+
+Rights define what operations are allowed, and may be one or more
+of the following:
+1. write - write one or more attributes
+2. read - read one or more attributes
+3. search - search on one or more attributes
+4. compare - compare one or more attributes
+5. add - add a new entry to the tree
+6. delete - delete an existing entry
+7. all - all permissions are granted
+
+Note the distinction between attributes and entries. The permissions are
+independent, so being able to add a user does not mean that the user will
+be editable.
+
+There are a number of allowed targets:
+1. subtree: a DN; the permission applies to the subtree under this DN
+2. target filter: an LDAP filter
+3. target: DN with possible wildcards, specifies entries permission applies to
+
+Additionally, there are the following convenience options.
+Setting one of these options will set the corresponding attribute(s).
+1. type: a type of object (user, group, etc); sets subtree and target filter.
+2. memberof: apply to members of a group; sets target filter
+3. targetgroup: grant access to modify a specific group (such as granting
+ the rights to manage group membership); sets target.
+
+Managed permissions
+
+Permissions that come with IPA by default can be so-called "managed"
+permissions. These have a default set of attributes they apply to,
+but the administrator can add/remove individual attributes to/from the set.
+
+Deleting or renaming a managed permission, as well as changing its target,
+is not allowed.
+
+EXAMPLES:
+
+ Add a permission that grants the creation of users:
+ ipa permission-add --type=user --permissions=add "Add Users"
+
+ Add a permission that grants the ability to manage group membership:
+ ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members"
+""")
+
+register = Registry()
+
+
+@register()
+class permission(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Permission name'),
+ ),
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermincludedattr',
+ required=False,
+ multivalue=True,
+ label=_(u'Included attributes'),
+ doc=_(u'User-specified attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermexcludedattr',
+ required=False,
+ multivalue=True,
+ label=_(u'Excluded attributes'),
+ doc=_(u'User-specified attributes to which the permission explicitly does not apply'),
+ ),
+ parameters.Str(
+ 'ipapermdefaultattr',
+ required=False,
+ multivalue=True,
+ label=_(u'Default attributes'),
+ doc=_(u'Attributes to which the permission applies by default'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ label=_(u'Bind rule type'),
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetto',
+ required=False,
+ label=_(u'Target DN subtree'),
+ doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetfrom',
+ required=False,
+ label=_(u'Origin DN subtree'),
+ doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ ),
+ parameters.Str(
+ 'member_privilege',
+ required=False,
+ label=_(u'Granted to Privilege'),
+ ),
+ parameters.Str(
+ 'memberindirect_role',
+ required=False,
+ label=_(u'Indirect Member of roles'),
+ ),
+ )
+
+
+@register()
+class permission_add(Method):
+ __doc__ = _("Add a new permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ cli_name='right',
+ cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']",
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ cli_name='bindtype',
+ cli_metavar="['permission', 'all', 'anonymous']",
+ label=_(u'Bind rule type'),
+ default=u'permission',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ cli_name='subtree',
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='filter',
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='rawfilter',
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ cli_name='target',
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetto',
+ required=False,
+ cli_name='targetto',
+ label=_(u'Target DN subtree'),
+ doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetfrom',
+ required=False,
+ cli_name='targetfrom',
+ label=_(u'Origin DN subtree'),
+ doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_add_member(Method):
+ __doc__ = _("Add members to a permission.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'member privilege'),
+ doc=_(u'privileges to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class permission_add_noaci(Method):
+ __doc__ = _("Add a system permission without an ACI (internal command)")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipapermissiontype',
+ multivalue=True,
+ label=_(u'Permission flags'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_del(Method):
+ __doc__ = _("Delete a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force delete of SYSTEM permissions'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class permission_find(Method):
+ __doc__ = _("Search for permissions.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ cli_name='right',
+ cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']",
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermincludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='includedattrs',
+ label=_(u'Included attributes'),
+ doc=_(u'User-specified attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermexcludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='excludedattrs',
+ label=_(u'Excluded attributes'),
+ doc=_(u'User-specified attributes to which the permission explicitly does not apply'),
+ ),
+ parameters.Str(
+ 'ipapermdefaultattr',
+ required=False,
+ multivalue=True,
+ cli_name='defaultattrs',
+ label=_(u'Default attributes'),
+ doc=_(u'Attributes to which the permission applies by default'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ required=False,
+ cli_name='bindtype',
+ cli_metavar="['permission', 'all', 'anonymous']",
+ label=_(u'Bind rule type'),
+ default=u'permission',
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ cli_name='subtree',
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='filter',
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='rawfilter',
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ cli_name='target',
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetto',
+ required=False,
+ cli_name='targetto',
+ label=_(u'Target DN subtree'),
+ doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetfrom',
+ required=False,
+ cli_name='targetfrom',
+ label=_(u'Origin DN subtree'),
+ doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class permission_mod(Method):
+ __doc__ = _("Modify a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipapermright',
+ required=False,
+ multivalue=True,
+ cli_name='right',
+ cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']",
+ label=_(u'Granted rights'),
+ doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Effective attributes'),
+ doc=_(u'All attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermincludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='includedattrs',
+ label=_(u'Included attributes'),
+ doc=_(u'User-specified attributes to which the permission applies'),
+ ),
+ parameters.Str(
+ 'ipapermexcludedattr',
+ required=False,
+ multivalue=True,
+ cli_name='excludedattrs',
+ label=_(u'Excluded attributes'),
+ doc=_(u'User-specified attributes to which the permission explicitly does not apply'),
+ ),
+ parameters.Str(
+ 'ipapermbindruletype',
+ required=False,
+ cli_name='bindtype',
+ cli_metavar="['permission', 'all', 'anonymous']",
+ label=_(u'Bind rule type'),
+ default=u'permission',
+ ),
+ parameters.Str(
+ 'ipapermlocation',
+ required=False,
+ cli_name='subtree',
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'extratargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='filter',
+ label=_(u'Extra target filter'),
+ ),
+ parameters.Str(
+ 'ipapermtargetfilter',
+ required=False,
+ multivalue=True,
+ cli_name='rawfilter',
+ label=_(u'Raw target filter'),
+ doc=_(u'All target filters, including those implied by type and memberof'),
+ ),
+ parameters.DNParam(
+ 'ipapermtarget',
+ required=False,
+ cli_name='target',
+ label=_(u'Target DN'),
+ doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetto',
+ required=False,
+ cli_name='targetto',
+ label=_(u'Target DN subtree'),
+ doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.DNParam(
+ 'ipapermtargetfrom',
+ required=False,
+ cli_name='targetfrom',
+ label=_(u'Origin DN subtree'),
+ doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ multivalue=True,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group (sets memberOf targetfilter)'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to (sets target)'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use extratargetfilter'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermlocation'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ doc=_(u'Deprecated; use ipapermright'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the permission object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_remove_member(Method):
+ __doc__ = _("Remove members from a permission.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'member privilege'),
+ doc=_(u'privileges to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class permission_show(Method):
+ __doc__ = _("Display information about a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/ping.py b/ipaclient/remote_plugins/2_164/ping.py
new file mode 100644
index 000000000..e9344127c
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/ping.py
@@ -0,0 +1,62 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Ping the remote IPA server to ensure it is running.
+
+The ping command sends an echo request to an IPA server. The server
+returns its version information. This is used by an IPA client
+to confirm that the server is available and accepting requests.
+
+The server from xmlrpc_uri in /etc/ipa/default.conf is contacted first.
+If it does not respond then the client will contact any servers defined
+by ldap SRV records in DNS.
+
+EXAMPLES:
+
+ Ping an IPA server:
+ ipa ping
+ ------------------------------------------
+ IPA server version 2.1.9. API version 2.20
+ ------------------------------------------
+
+ Ping an IPA server verbosely:
+ ipa -v ping
+ ipa: INFO: trying https://ipa.example.com/ipa/xml
+ ipa: INFO: Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
+ -----------------------------------------------------
+ IPA server version 2.1.9. API version 2.20
+ -----------------------------------------------------
+""")
+
+register = Registry()
+
+
+@register()
+class ping(Command):
+ __doc__ = _("Ping a remote server.")
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/pkinit.py b/ipaclient/remote_plugins/2_164/pkinit.py
new file mode 100644
index 000000000..fcb4c6b6b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/pkinit.py
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Kerberos pkinit options
+
+Enable or disable anonymous pkinit using the principal
+WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
+pkinit support.
+
+EXAMPLES:
+
+ Enable anonymous pkinit:
+ ipa pkinit-anonymous enable
+
+ Disable anonymous pkinit:
+ ipa pkinit-anonymous disable
+
+For more information on anonymous pkinit see:
+
+http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+""")
+
+register = Registry()
+
+
+@register()
+class pkinit(Object):
+ takes_params = (
+ )
+
+
+@register()
+class pkinit_anonymous(Command):
+ __doc__ = _("Enable or Disable Anonymous PKINIT.")
+
+ takes_args = (
+ parameters.Str(
+ 'action',
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
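Review bot: The `action` argument of `pkinit_anonymous` is declared as a bare `parameters.Str('action')` with no label, doc or value hint, so the only place that says the accepted values are `enable` and `disable` is the module docstring. Since the command toggles anonymous PKINIT, the parameter should say what it accepts, for example by adding `doc=_(u'Action to perform: enable or disable'),` and `cli_metavar="['enable', 'disable']",` in the style the permission plugin uses for `bindtype`. The `result` output is likewise declared without a type or doc, unlike the outputs in the sibling plugins. Whether the server rejects other values is not visible from this hunk, so this is a documentation suggestion only.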
diff --git a/ipaclient/remote_plugins/2_164/privilege.py b/ipaclient/remote_plugins/2_164/privilege.py
new file mode 100644
index 000000000..9fb436a92
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/privilege.py
@@ -0,0 +1,656 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Privileges
+
+A privilege combines permissions into a logical task. A permission provides
+the rights to do a single task. There are some IPA operations that require
+multiple permissions to succeed. A privilege is where permissions are
+combined in order to perform a specific task.
+
+For example, adding a user requires the following permissions:
+ * Creating a new user entry
+ * Resetting a user password
+ * Adding the new user to the default IPA users group
+
+Combining these three low-level tasks into a higher level task in the
+form of a privilege named "Add User" makes it easier to manage Roles.
+
+A privilege may not contain other privileges.
+
+See role and permission for additional information.
+""")
+
+register = Registry()
+
+
+@register()
+class privilege(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Privilege name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'memberof_permission',
+ required=False,
+ label=_(u'Permissions'),
+ ),
+ parameters.Str(
+ 'member_role',
+ required=False,
+ label=_(u'Granting privilege to roles'),
+ ),
+ )
+
+
+@register()
+class privilege_add(Method):
+ __doc__ = _("Add a new privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class privilege_add_member(Method):
+ __doc__ = _("Add members to a privilege.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'role',
+ required=False,
+ multivalue=True,
+ cli_name='roles',
+ label=_(u'member role'),
+ doc=_(u'roles to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class privilege_add_permission(Method):
+ __doc__ = _("Add permissions to a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ multivalue=True,
+ cli_name='permissions',
+ label=_(u'permission'),
+ doc=_(u'permissions'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of permissions added'),
+ ),
+ )
+
+
+@register()
+class privilege_del(Method):
+ __doc__ = _("Delete a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class privilege_find(Method):
+ __doc__ = _("Search for privileges.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class privilege_mod(Method):
+ __doc__ = _("Modify a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the privilege object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class privilege_remove_member(Method):
+ __doc__ = _("Remove members from a privilege")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'role',
+ required=False,
+ multivalue=True,
+ cli_name='roles',
+ label=_(u'member role'),
+ doc=_(u'roles to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class privilege_remove_permission(Method):
+ __doc__ = _("Remove permissions from a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ multivalue=True,
+ cli_name='permissions',
+ label=_(u'permission'),
+ doc=_(u'permissions'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of permissions removed'),
+ ),
+ )
+
+
+@register()
+class privilege_show(Method):
+ __doc__ = _("Display information about a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
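Review bot: In `privilege_remove_permission` the `failed` output is documented as `Members that could not be added`, which is wrong for a removal command and disagrees with `privilege_remove_member`, whose `failed` doc reads `Members that could not be removed`. An administrator reading the result of a privilege change relies on this text to tell which permissions are still attached, so it should read `doc=_(u'Members that could not be removed'),`. The `__doc__` of `privilege_remove_member` also lacks the trailing period its siblings have. If this module is generated from server-side plugin metadata (it looks that way, but the hunk does not say so), the wording should be corrected at the source instead of here.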
diff --git a/ipaclient/remote_plugins/2_164/pwpolicy.py b/ipaclient/remote_plugins/2_164/pwpolicy.py
new file mode 100644
index 000000000..6010579d3
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/pwpolicy.py
@@ -0,0 +1,937 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Password policy
+
+A password policy sets limitations on IPA passwords, including maximum
+lifetime, minimum lifetime, the number of passwords to save in
+history, the number of character classes required (for stronger passwords)
+and the minimum password length.
+
+By default there is a single, global policy for all users. You can also
+create a password policy to apply to a group. Each user is only subject
+to one password policy, either the group policy or the global policy. A
+group policy stands alone; it is not a super-set of the global policy plus
+custom settings.
+
+Each group password policy requires a unique priority setting. If a user
+is in multiple groups that have password policies, this priority determines
+which password policy is applied. A lower value indicates a higher priority
+policy.
+
+Group password policies are automatically removed when the groups they
+are associated with are removed.
+
+EXAMPLES:
+
+ Modify the global policy:
+ ipa pwpolicy-mod --minlength=10
+
+ Add a new group password policy:
+ ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins
+
+ Display the global password policy:
+ ipa pwpolicy-show
+
+ Display a group password policy:
+ ipa pwpolicy-show localadmins
+
+ Display the policy that would be applied to a given user:
+ ipa pwpolicy-show --user=tuser1
+
+ Modify a group password policy:
+ ipa pwpolicy-mod --minclasses=2 localadmins
+""")
+
+register = Registry()
+
+
+@register()
+class cosentry(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ ),
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ ),
+ parameters.Int(
+ 'cospriority',
+ ),
+ )
+
+
+@register()
+class pwpolicy(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ primary_key=True,
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ )
+
+
+@register()
+class cosentry_add(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ ),
+ parameters.Int(
+ 'cospriority',
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cosentry_del(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class cosentry_find(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ ),
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ required=False,
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("cn")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class cosentry_mod(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ required=False,
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cosentry_show(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_add(Method):
+ __doc__ = _("Add a new group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_del(Method):
+ __doc__ = _("Delete a group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class pwpolicy_find(Method):
+ __doc__ = _("Search for group password policies.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("group")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class pwpolicy_mod(Method):
+ __doc__ = _("Modify a group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_show(Method):
+ __doc__ = _("Display information about password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ label=_(u'User'),
+ doc=_(u'Display effective policy for a specific user'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
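Review bot: The `cospriority` help text is missing its closing parenthesis in all four places it appears (`pwpolicy`, `pwpolicy_add`, `pwpolicy_find`, `pwpolicy_mod`); it should read `doc=_(u'Priority of the policy (higher number means lower priority)'),`. If this file is generated from the server-side plugin, which the layout suggests but the hunk does not state, the string has to be fixed there and the stub regenerated. Separately, none of the `parameters.Int` policy options (`krbpwdminlength`, `krbpwdmaxfailure`, `krbpwdlockoutduration`, and the rest) declares a `minvalue`, so the client accepts zero or negative values and range checking is left entirely to the server. A module-level comment such as `# Range validation for policy values is enforced server-side; this stub performs none.` would make that dependency explicit for anyone auditing password and lockout policy handling.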
diff --git a/ipaclient/remote_plugins/2_164/radiusproxy.py b/ipaclient/remote_plugins/2_164/radiusproxy.py
new file mode 100644
index 000000000..9bc020b5d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/radiusproxy.py
@@ -0,0 +1,521 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+RADIUS Proxy Servers
+
+Manage RADIUS Proxy Servers.
+
+IPA supports the use of an external RADIUS proxy server for krb5 OTP
+authentications. This permits a great deal of flexibility when
+integrating with third-party authentication services.
+
+EXAMPLES:
+
+ Add a new server:
+ ipa radiusproxy-add MyRADIUS --server=radius.example.com:1812
+
+ Find all servers whose entries include the string "example.com":
+ ipa radiusproxy-find example.com
+
+ Examine the configuration:
+ ipa radiusproxy-show MyRADIUS
+
+ Change the secret:
+ ipa radiusproxy-mod MyRADIUS --secret
+
+ Delete a configuration:
+ ipa radiusproxy-del MyRADIUS
+""")
+
+register = Registry()
+
+
+@register()
+class radiusproxy(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'RADIUS proxy server name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ multivalue=True,
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ )
+
+
+@register()
+class radiusproxy_add(Method):
+ __doc__ = _("Add a new RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ multivalue=True,
+ cli_name='server',
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ cli_name='secret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ exclude=('cli', 'webui'),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ cli_name='retries',
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ cli_name='userattr',
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class radiusproxy_del(Method):
+ __doc__ = _("Delete a RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class radiusproxy_find(Method):
+ __doc__ = _("Search for RADIUS proxy servers.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ required=False,
+ multivalue=True,
+ cli_name='server',
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ required=False,
+ cli_name='secret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ exclude=('cli', 'webui'),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ cli_name='retries',
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ cli_name='userattr',
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class radiusproxy_mod(Method):
+ __doc__ = _("Modify a RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this RADIUS proxy server'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusserver',
+ required=False,
+ multivalue=True,
+ cli_name='server',
+ label=_(u'Server'),
+ doc=_(u'The hostname or IP (with or without port)'),
+ ),
+ parameters.Password(
+ 'ipatokenradiussecret',
+ required=False,
+ cli_name='secret',
+ label=_(u'Secret'),
+ doc=_(u'The secret used to encrypt data'),
+ exclude=('cli', 'webui'),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'ipatokenradiustimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Timeout'),
+ doc=_(u'The total timeout across all retries (in seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenradiusretries',
+ required=False,
+ cli_name='retries',
+ label=_(u'Retries'),
+ doc=_(u'The number of times to retry authentication'),
+ ),
+ parameters.Str(
+ 'ipatokenusermapattribute',
+ required=False,
+ cli_name='userattr',
+ label=_(u'User attribute'),
+ doc=_(u'The username attribute on the user object'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the RADIUS proxy server object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class radiusproxy_show(Method):
+ __doc__ = _("Display information about a RADIUS proxy server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'RADIUS proxy server name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
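Review bot: `radiusproxy_find` lists `ipatokenradiussecret` among its search options, so the stub lets an API caller pass the RADIUS shared secret as a filter. Whether the server honours that filter is not visible in this hunk, but if it does, the result set would reveal whether a supplied value matches a stored secret, and the value would appear in the request. I would add a comment on that option, e.g. `# NOTE(review): secret accepted as a find filter for API compatibility; confirm the server ignores or restricts it`. In `radiusproxy_add` and `radiusproxy_mod` the `setattr`/`addattr` options exclude only `'webui'`, so presumably a secret could be set as `attr=value` on the command line, bypassing the `confirm=True` prompt of the `Password` parameter. The option docs should point users to the prompted `secret` parameter.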
diff --git a/ipaclient/remote_plugins/2_164/realmdomains.py b/ipaclient/remote_plugins/2_164/realmdomains.py
new file mode 100644
index 000000000..f8f563a45
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/realmdomains.py
@@ -0,0 +1,195 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Realm domains
+
+Manage the list of domains associated with IPA realm.
+
+EXAMPLES:
+
+ Display the current list of realm domains:
+ ipa realmdomains-show
+
+ Replace the list of realm domains:
+ ipa realmdomains-mod --domain=example.com
+ ipa realmdomains-mod --domain={example1.com,example2.com,example3.com}
+
+ Add a domain to the list of realm domains:
+ ipa realmdomains-mod --add-domain=newdomain.com
+
+ Delete a domain from the list of realm domains:
+ ipa realmdomains-mod --del-domain=olddomain.com
+""")
+
+register = Registry()
+
+
+@register()
+class realmdomains(Object):
+ takes_params = (
+ parameters.Str(
+ 'associateddomain',
+ multivalue=True,
+ label=_(u'Domain'),
+ ),
+ parameters.Str(
+ 'add_domain',
+ required=False,
+ label=_(u'Add domain'),
+ ),
+ parameters.Str(
+ 'del_domain',
+ required=False,
+ label=_(u'Delete domain'),
+ ),
+ )
+
+
+@register()
+class realmdomains_mod(Method):
+ __doc__ = _("Modify realm domains.")
+
+ takes_options = (
+ parameters.Str(
+ 'associateddomain',
+ required=False,
+ multivalue=True,
+ cli_name='domain',
+ label=_(u'Domain'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'add_domain',
+ required=False,
+ label=_(u'Add domain'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'del_domain',
+ required=False,
+ label=_(u'Delete domain'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'Force adding domain even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class realmdomains_show(Method):
+ __doc__ = _("Display the list of realm domains.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
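Review bot: The `force` flag in `realmdomains_mod` is documented only as `'Force adding domain even if not in DNS'`, which does not tell an administrator which validation is being skipped. This file declares parameters only, so the check itself is not visible here; the doc string should name it, along the lines of `doc=_(u'Add the domain even if DNS validation of the domain fails')`. It is also not visible from this hunk whether values written to `associateddomain` through `setattr`/`addattr` pass through the same validation as `--add-domain`. That is worth confirming on the server side, since otherwise `force` would not be the only way around the check.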
diff --git a/ipaclient/remote_plugins/2_164/role.py b/ipaclient/remote_plugins/2_164/role.py
new file mode 100644
index 000000000..122d4cdee
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/role.py
@@ -0,0 +1,758 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Roles
+
+A role is used for fine-grained delegation. A permission grants the ability
+to perform given low-level tasks (add a user, modify a group, etc.). A
+privilege combines one or more permissions into a higher-level abstraction
+such as useradmin. A useradmin would be able to add, delete and modify users.
+
+Privileges are assigned to Roles.
+
+Users, groups, hosts and hostgroups may be members of a Role.
+
+Roles can not contain other roles.
+
+EXAMPLES:
+
+ Add a new role:
+ ipa role-add --desc="Junior-level admin" junioradmin
+
+ Add some privileges to this role:
+ ipa role-add-privilege --privileges=addusers junioradmin
+ ipa role-add-privilege --privileges=change_password junioradmin
+ ipa role-add-privilege --privileges=add_user_to_default_group junioradmin
+
+ Add a group of users to this role:
+ ipa group-add --desc="User admins" useradmins
+ ipa role-add-member --groups=useradmins junioradmin
+
+ Display information about a role:
+ ipa role-show junioradmin
+
+ The result of this is that any users in the group 'junioradmin' can
+ add users, reset passwords or add a user to the default IPA user group.
+""")
+
+register = Registry()
+
+
+@register()
+class role(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Role name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'member_user',
+ required=False,
+ label=_(u'Member users'),
+ ),
+ parameters.Str(
+ 'member_group',
+ required=False,
+ label=_(u'Member groups'),
+ ),
+ parameters.Str(
+ 'member_host',
+ required=False,
+ label=_(u'Member hosts'),
+ ),
+ parameters.Str(
+ 'member_hostgroup',
+ required=False,
+ label=_(u'Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_privilege',
+ required=False,
+ label=_(u'Privileges'),
+ ),
+ parameters.Str(
+ 'member_service',
+ required=False,
+ label=_(u'Member services'),
+ ),
+ )
+
+
+@register()
+class role_add(Method):
+ __doc__ = _("Add a new role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class role_add_member(Method):
+ __doc__ = _("Add members to a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ multivalue=True,
+ cli_name='services',
+ label=_(u'member service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class role_add_privilege(Method):
+ __doc__ = _("Add privileges to a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'privilege'),
+ doc=_(u'privileges'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of privileges added'),
+ ),
+ )
+
+
+@register()
+class role_del(Method):
+ __doc__ = _("Delete a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class role_find(Method):
+ __doc__ = _("Search for roles.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class role_mod(Method):
+ __doc__ = _("Modify a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the role object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class role_remove_member(Method):
+ __doc__ = _("Remove members from a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ multivalue=True,
+ cli_name='services',
+ label=_(u'member service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class role_remove_privilege(Method):
+ __doc__ = _("Remove privileges from a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'privilege'),
+ doc=_(u'privileges'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of privileges removed'),
+ ),
+ )
+
+
+@register()
+class role_show(Method):
+ __doc__ = _("Display information about a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
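Review bot: The closing sentence of the module docstring names the wrong principal: the example adds the group `useradmins` to the role `junioradmin`, yet the text says that "any users in the group 'junioradmin'" gain the rights. In the documentation of a delegation feature this misstates who receives the privileges; I would change the line to `The result of this is that any users in the group 'useradmins' can`. Separately, `role_remove_privilege` declares its `failed` output with `doc=_(u'Members that could not be added')`, which reads as copied from `role_add_privilege`; `doc=_(u'Privileges that could not be removed')` matches the command. If this module is generated from the server-side plugin, both strings need to be fixed there and the file regenerated.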
diff --git a/ipaclient/remote_plugins/2_164/selfservice.py b/ipaclient/remote_plugins/2_164/selfservice.py
new file mode 100644
index 000000000..5d7e36f30
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/selfservice.py
@@ -0,0 +1,338 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Self-service Permissions
+
+A permission enables fine-grained delegation of permissions. Access Control
+Rules, or instructions (ACIs), grant permission to permissions to perform
+given tasks such as adding a user, modifying a group, etc.
+
+A Self-service permission defines what an object can change in its own entry.
+
+
+EXAMPLES:
+
+ Add a self-service rule to allow users to manage their address (using Bash
+ brace expansion):
+ ipa selfservice-add --permissions=write --attrs={street,postalCode,l,c,st} "Users manage their own address"
+
+ When managing the list of attributes you need to include all attributes
+ in the list, including existing ones.
+ Add telephoneNumber to the list (using Bash brace expansion):
+ ipa selfservice-mod --attrs={street,postalCode,l,c,st,telephoneNumber} "Users manage their own address"
+
+ Display our updated rule:
+ ipa selfservice-show "Users manage their own address"
+
+ Delete a rule:
+ ipa selfservice-del "Users manage their own address"
+""")
+
+register = Registry()
+
+
+@register()
+class selfservice(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'Self-service name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ ),
+ )
+
+
+@register()
+class selfservice_add(Method):
+ __doc__ = _("Add a new self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_del(Method):
+ __doc__ = _("Delete a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_find(Method):
+ __doc__ = _("Search for a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class selfservice_mod(Method):
+ __doc__ = _("Modify a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Attributes to which the permission applies.'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_show(Method):
+ __doc__ = _("Display information about a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
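Review bot: The `permissions` option is documented as `'Permissions to grant (read, write). Default is write.'`, but in `selfservice_add` it is declared with `required=False` and no `default=` or `autofill=`, so nothing in this file supplies that default. Presumably the server fills it in; if so the doc string should say that, because a reader of this stub cannot tell which rights a rule created without `--permissions` ends up granting. The same doc string is reused on `selfservice_mod` and `selfservice_find`, where "Default is write" does not obviously apply. The module docstring's "grant permission to permissions to perform given tasks" also looks garbled and would read better as `Rules, or instructions (ACIs), grant the ability to perform`.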
diff --git a/ipaclient/remote_plugins/2_164/selinuxusermap.py b/ipaclient/remote_plugins/2_164/selinuxusermap.py
new file mode 100644
index 000000000..cf572f9c7
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/selinuxusermap.py
@@ -0,0 +1,905 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+SELinux User Mapping
+
+Map IPA users to SELinux users by host.
+
+Hosts, hostgroups, users and groups can be either defined within
+the rule or it may point to an existing HBAC rule. When using
+--hbacrule option to selinuxusermap-find an exact match is made on the
+HBAC rule name, so only one or zero entries will be returned.
+
+EXAMPLES:
+
+ Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server":
+ ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1
+ ipa selinuxusermap-add-host --hosts=server.example.com test1
+
+ Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts:
+ ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2
+
+ Display the properties of a rule:
+ ipa selinuxusermap-show test2
+
+ Create a rule for a specific user. This sets the SELinux context for
+ user john to unconfined_u:s0-s0:c0.c1023 on any machine:
+ ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined
+ ipa selinuxusermap-add-user --users=john john_unconfined
+
+ Disable a rule:
+ ipa selinuxusermap-disable test1
+
+ Enable a rule:
+ ipa selinuxusermap-enable test1
+
+ Find a rule referencing a specific HBAC rule:
+ ipa selinuxusermap-find --hbacrule=allow_some
+
+ Remove a rule:
+ ipa selinuxusermap-del john_unconfined
+
+SEEALSO:
+
+ The list controlling the order in which the SELinux user map is applied
+ and the default SELinux user are available in the config-show command.
+""")
+
+register = Registry()
+
+
+@register()
+class selinuxusermap(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'ipaselinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add(Method):
+ __doc__ = _("Create a new SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaselinuxuser',
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add_host(Method):
+ __doc__ = _("Add target hosts and hostgroups to an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add_user(Method):
+ __doc__ = _("Add users and groups to an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_del(Method):
+ __doc__ = _("Delete a SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class selinuxusermap_disable(Method):
+ __doc__ = _("Disable an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_enable(Method):
+ __doc__ = _("Enable an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_find(Method):
+ __doc__ = _("Search for SELinux User Maps.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'ipaselinuxuser',
+ required=False,
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_mod(Method):
+ __doc__ = _("Modify a SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaselinuxuser',
+ required=False,
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_remove_user(Method):
+ __doc__ = _("Remove users and groups from an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_show(Method):
+ __doc__ = _("Display the properties of a SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
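Review bot: `usercategory` and `hostcategory` in selinuxusermap_add (and again in selinuxusermap_find and selinuxusermap_mod) are plain `parameters.Str`, although `cli_metavar="['all']"` advertises a single accepted value, so this client stub passes any string through unchecked. Because `all` widens a rule to every user or every host (the module docstring's `--hostcat=all` example applies a context "on any machine"), a mistyped value should be rejected before the request is sent rather than relying on whatever the server does with it. Declaring them as `parameters.StrEnum('hostcategory', required=False, values=(u'all',), ...)` would give that check on the client. The uniform layout suggests these stubs are generated from the server API, in which case the change belongs in the generator; failing that, a comment such as `# only u'all' is meaningful; this stub does not validate the value` above each declaration would at least record the gap.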
diff --git a/ipaclient/remote_plugins/2_164/server.py b/ipaclient/remote_plugins/2_164/server.py
new file mode 100644
index 000000000..249b6a476
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/server.py
@@ -0,0 +1,317 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+IPA servers
+
+Get information about installed IPA servers.
+
+EXAMPLES:
+
+ Find all servers:
+ ipa server-find
+
+ Show specific server:
+ ipa server-show ipa.example.com
+""")
+
+register = Registry()
+
+
+@register()
+class server(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Server name'),
+ doc=_(u'IPA server hostname'),
+ ),
+ parameters.Str(
+ 'iparepltopomanagedsuffix',
+ required=False,
+ multivalue=True,
+ ),
+ parameters.Str(
+ 'iparepltopomanagedsuffix_topologysuffix',
+ required=False,
+ multivalue=True,
+ label=_(u'Managed suffixes'),
+ ),
+ parameters.Int(
+ 'ipamindomainlevel',
+ label=_(u'Min domain level'),
+ doc=_(u'Minimum domain level'),
+ ),
+ parameters.Int(
+ 'ipamaxdomainlevel',
+ label=_(u'Max domain level'),
+ doc=_(u'Maximum domain level'),
+ ),
+ )
+
+
+@register()
+class server_conncheck(Method):
+ __doc__ = _("Check connection to remote IPA server.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Server name'),
+ doc=_(u'IPA server hostname'),
+ ),
+ parameters.Str(
+ 'remote_cn',
+ cli_name='remote_name',
+ label=_(u'Remote server name'),
+ doc=_(u'Remote IPA server hostname'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class server_del(Method):
+ __doc__ = _("Delete IPA server.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Server name'),
+ doc=_(u'IPA server hostname'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class server_find(Method):
+ __doc__ = _("Search for IPA servers.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Server name'),
+ doc=_(u'IPA server hostname'),
+ ),
+ parameters.Int(
+ 'ipamindomainlevel',
+ required=False,
+ cli_name='minlevel',
+ label=_(u'Min domain level'),
+ doc=_(u'Minimum domain level'),
+ ),
+ parameters.Int(
+ 'ipamaxdomainlevel',
+ required=False,
+ cli_name='maxlevel',
+ label=_(u'Max domain level'),
+ doc=_(u'Maximum domain level'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'topologysuffix',
+ required=False,
+ multivalue=True,
+ cli_name='topologysuffixes',
+ label=_(u'suffix'),
+ doc=_(u'Search for servers with these managed suffixes.'),
+ ),
+ parameters.Str(
+ 'no_topologysuffix',
+ required=False,
+ multivalue=True,
+ cli_name='no_topologysuffixes',
+ label=_(u'suffix'),
+ doc=_(u'Search for servers without these managed suffixes.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class server_show(Method):
+ __doc__ = _("Show IPA server.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Server name'),
+ doc=_(u'IPA server hostname'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
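Review bot: `NO_CLI = True` on server_conncheck and server_del is set without any comment saying what it does and does not protect. As far as this file shows, the flag only keeps the two commands out of the `ipa` command line; nothing in the stub limits who may invoke them over RPC, so access control has to come from the server, which is not visible in this hunk. I would add `# NO_CLI only hides the command from the CLI; it is not an access control` above each assignment. On server_del it is also worth a one-line comment that `cn` is multivalue and combined with the `continue` flag, so a single call can remove several server entries and keep going past failures.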
diff --git a/ipaclient/remote_plugins/2_164/service.py b/ipaclient/remote_plugins/2_164/service.py
new file mode 100644
index 000000000..0c7b9d803
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/service.py
@@ -0,0 +1,1225 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Services
+
+A IPA service represents a service that runs on a host. The IPA service
+record can store a Kerberos principal, an SSL certificate, or both.
+
+An IPA service can be managed directly from a machine, provided that
+machine has been given the correct permission. This is true even for
+machines other than the one the service is associated with. For example,
+requesting an SSL certificate using the host service principal credentials
+of the host. To manage a service using host credentials you need to
+kinit as the host:
+
+ # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM
+
+Adding an IPA service allows the associated service to request an SSL
+certificate or keytab, but this is performed as a separate step; they
+are not produced as a result of adding the service.
+
+Only the public aspect of a certificate is stored in a service record;
+the private key is not stored.
+
+EXAMPLES:
+
+ Add a new IPA service:
+ ipa service-add HTTP/web.example.com
+
+ Allow a host to manage an IPA service certificate:
+ ipa service-add-host --hosts=web.example.com HTTP/web.example.com
+ ipa role-add-member --hosts=web.example.com certadmin
+
+ Override a default list of supported PAC types for the service:
+ ipa service-mod HTTP/web.example.com --pac-type=MS-PAC
+
+ A typical use case where overriding the PAC type is needed is NFS.
+ Currently the related code in the Linux kernel can only handle Kerberos
+ tickets up to a maximal size. Since the PAC data can become quite large it
+ is recommended to set --pac-type=NONE for NFS services.
+
+ Delete an IPA service:
+ ipa service-del HTTP/web.example.com
+
+ Find all IPA services associated with a host:
+ ipa service-find web.example.com
+
+ Find all HTTP services:
+ ipa service-find HTTP
+
+ Disable the service Kerberos key and SSL certificate:
+ ipa service-disable HTTP/web.example.com
+
+ Request a certificate for an IPA service:
+ ipa cert-request --principal=HTTP/web.example.com example.csr
+
+ Allow user to create a keytab:
+ ipa service-allow-create-keytab HTTP/web.example.com --users=tuser1
+
+ Generate and retrieve a keytab for an IPA service:
+ ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
+""")
+
+register = Registry()
+
+
+@register()
+class service(Object):
+ takes_params = (
+ parameters.Str(
+ 'krbprincipalname',
+ primary_key=True,
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Keytab'),
+ ),
+ parameters.Str(
+ 'managedby_host',
+ label=_(u'Managed by'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_user',
+ label=_(u'Users allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_group',
+ label=_(u'Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_host',
+ label=_(u'Hosts allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_read_keys_hostgroup',
+ label=_(u'Host Groups allowed to retrieve keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_user',
+ label=_(u'Users allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_group',
+ label=_(u'Groups allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_host',
+ label=_(u'Hosts allowed to create keytab'),
+ ),
+ parameters.Str(
+ 'ipaallowedtoperform_write_keys_hostgroup',
+ label=_(u'Host Groups allowed to create keytab'),
+ ),
+ )
+
+
+@register()
+class service_add(Method):
+ __doc__ = _("Add a new IPA new service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force principal name even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_add_cert(Method):
+ __doc__ = _("Add new certificates to a service")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_add_host(Method):
+ __doc__ = _("Add hosts that can manage this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class service_allow_create_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class service_allow_retrieve_keytab(Method):
+ __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class service_del(Method):
+ __doc__ = _("Delete an IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ multivalue=True,
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class service_disable(Method):
+ __doc__ = _("Disable the Kerberos key and SSL certificate of a service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_disallow_create_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class service_disallow_retrieve_keytab(Method):
+ __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class service_find(Method):
+ __doc__ = _("Search for IPA services.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("principal")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for services with these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for services without these managed by hosts.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class service_mod(Method):
+ __doc__ = _("Modify an existing IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
+ ),
+ parameters.Bool(
+ 'ipakrbrequirespreauth',
+ required=False,
+ cli_name='requires_pre_auth',
+ label=_(u'Requires pre-authentication'),
+ doc=_(u'Pre-authentication is required for the service'),
+ ),
+ parameters.Bool(
+ 'ipakrbokasdelegate',
+ required=False,
+ cli_name='ok_as_delegate',
+ label=_(u'Trusted for delegation'),
+ doc=_(u'Client credentials may be delegated to the service'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_remove_cert(Method):
+ __doc__ = _("Remove certificates from a service")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_remove_host(Method):
+ __doc__ = _("Remove hosts that can manage this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class service_show(Method):
+ __doc__ = _("Display information about an IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
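Review bot: The docstrings of `service_allow_create_keytab` and `service_allow_retrieve_keytab`, and the `ipaallowedtoperform_write_keys_*` / `ipaallowedtoperform_read_keys_*` labels on `service`, never say how the two grants differ, which an administrator needs to know before delegating either. As far as I know, creating a keytab with `ipa-getkeytab` generates new keys and invalidates keytabs issued earlier, while retrieval returns the current keys unchanged; that should be confirmed against the server plugin, which is not visible here. If so, the create grant lets its holder break a running service and the retrieve grant exposes the service's current long-term key. I would add a comment above each class, e.g. `# write_keys: holder may reset this service's key; existing keytabs stop working` and `# read_keys: holder may fetch the current key without changing it`, and a matching sentence next to the `ipa-getkeytab` example in the module docstring. If this file mirrors text from the server-side plugin, the wording should be corrected there as well.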
diff --git a/ipaclient/remote_plugins/2_164/servicedelegation.py b/ipaclient/remote_plugins/2_164/servicedelegation.py
new file mode 100644
index 000000000..d96462d91
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/servicedelegation.py
@@ -0,0 +1,907 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Service Constrained Delegation
+
+Manage rules to allow constrained delegation of credentials so
+that a service can impersonate a user when communicating with another
+service without requiring the user to actually forward their TGT.
+This makes for a much better method of delegating credentials as it
+prevents exposure of the short term secret of the user.
+
+The naming convention is to append the word "target" or "targets" to
+a matching rule name. This is not mandatory but helps conceptually
+to associate rules and targets.
+
+A rule consists of two things:
+ - A list of targets the rule applies to
+ - A list of memberPrincipals that are allowed to delegate for
+ those targets
+
+A target consists of a list of principals that can be delegated.
+
+In English, a rule says that this principal can delegate as this
+list of principals, as defined by these targets.
+
+EXAMPLES:
+
+ Add a new constrained delegation rule:
+ ipa servicedelegationrule-add ftp-delegation
+
+ Add a new constrained delegation target:
+ ipa servicedelegationtarget-add ftp-delegation-target
+
+ Add a principal to the rule:
+ ipa servicedelegationrule-add-member --principals=ftp/ipa.example.com ftp-delegation
+
+ Add our target to the rule:
+ ipa servicedelegationrule-add-target --servicedelegationtargets=ftp-delegation-target ftp-delegation
+
+ Add a principal to the target:
+ ipa servicedelegationtarget-add-member --principals=ldap/ipa.example.com ftp-delegation-target
+
+ Display information about a named delegation rule and target:
+ ipa servicedelegationrule_show ftp-delegation
+ ipa servicedelegationtarget_show ftp-delegation-target
+
+ Remove a constrained delegation:
+ ipa servicedelegationrule-del ftp-delegation-target
+ ipa servicedelegationtarget-del ftp-delegation
+
+In this example the ftp service can get a TGT for the ldap service on
+the bound user's behalf.
+
+It is strongly discouraged to modify the delegations that ship with
+IPA, ipa-http-delegation and its targets ipa-cifs-delegation-targets and
+ipa-ldap-delegation-targets. Incorrect changes can remove the ability
+to delegate, causing the framework to stop functioning.
+""")
+
+register = Registry()
+
+
+@register()
+class servicedelegationrule(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Delegation name'),
+ ),
+ parameters.Str(
+ 'ipaallowedtarget_servicedelegationtarget',
+ label=_(u'Allowed Target'),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Delegation name'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_add(Method):
+ __doc__ = _("Create a new service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_add_member(Method):
+ __doc__ = _("Add member to a named service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'principal',
+ required=False,
+ multivalue=True,
+ cli_name='principals',
+ label=_(u'member principal'),
+ doc=_(u'principal to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_add_target(Method):
+ __doc__ = _("Add target to a named service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'servicedelegationtarget',
+ required=False,
+ multivalue=True,
+ cli_name='servicedelegationtargets',
+ label=_(u'member service delegation target'),
+ doc=_(u'service delegation targets to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_del(Method):
+ __doc__ = _("Delete service delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_find(Method):
+ __doc__ = _("Search for service delegations rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("delegation-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_remove_member(Method):
+ __doc__ = _("Remove member from a named service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'principal',
+ required=False,
+ multivalue=True,
+ cli_name='principals',
+ label=_(u'member principal'),
+ doc=_(u'principal to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_remove_target(Method):
+ __doc__ = _("Remove target from a named service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'servicedelegationtarget',
+ required=False,
+ multivalue=True,
+ cli_name='servicedelegationtargets',
+ label=_(u'member service delegation target'),
+ doc=_(u'service delegation targets to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class servicedelegationrule_show(Method):
+ __doc__ = _("Display information about a named service delegation rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_add(Method):
+ __doc__ = _("Create a new service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_add_member(Method):
+ __doc__ = _("Add member to a named service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'principal',
+ required=False,
+ multivalue=True,
+ cli_name='principals',
+ label=_(u'member principal'),
+ doc=_(u'principal to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_del(Method):
+ __doc__ = _("Delete service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_find(Method):
+ __doc__ = _("Search for service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("delegation-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_remove_member(Method):
+ __doc__ = _("Remove member from a named service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'principal',
+ required=False,
+ multivalue=True,
+ cli_name='principals',
+ label=_(u'member principal'),
+ doc=_(u'principal to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class servicedelegationtarget_show(Method):
+ __doc__ = _("Display information about a named service delegation target.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='delegation_name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
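Review bot: The EXAMPLES block in the module docstring of servicedelegation.py swaps the names in its "Remove a constrained delegation" pair: the rule created earlier is `ftp-delegation` and the target is `ftp-delegation-target`, so the lines should read `ipa servicedelegationrule-del ftp-delegation` and `ipa servicedelegationtarget-del ftp-delegation-target`. As written, an administrator copying the example would presumably get a not-found error and could leave the delegation in place while believing it was removed. The display example also uses underscores (`ipa servicedelegationrule_show`, `ipa servicedelegationtarget_show`) where every other example uses the hyphenated form, e.g. `ipa servicedelegationrule-show ftp-delegation`. The closing sentence says the ftp service "can get a TGT for the ldap service"; with constrained delegation the service obtains a service ticket to the target on the user's behalf, so "service ticket" would be the accurate term. If this file is a generated copy of the server-side plugin text, the same corrections belong in that source as well.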
diff --git a/ipaclient/remote_plugins/2_164/session.py b/ipaclient/remote_plugins/2_164/session.py
new file mode 100644
index 000000000..7b30c92a0
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/session.py
@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+register = Registry()
+
+
+@register()
+class session_logout(Command):
+ __doc__ = _("RPC command used to log the current user out of their session.")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/stageuser.py b/ipaclient/remote_plugins/2_164/stageuser.py
new file mode 100644
index 000000000..37ccb28c9
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/stageuser.py
@@ -0,0 +1,1616 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Stageusers
+
+Manage stage user entries.
+
+Stage user entries are directly under the container: "cn=stage users,
+cn=accounts, cn=provisioning, SUFFIX".
+User can not authenticate with those entries (even if the entries
+contain credentials) and are candidate to become Active entries.
+
+Active user entries are Posix users directly under the container: "cn=accounts, SUFFIX".
+User can authenticate with Active entries, at the condition they have
+credentials
+
+Delete user entries are Posix users directly under the container: "cn=deleted users,
+cn=accounts, cn=provisioning, SUFFIX".
+User can not authenticate with those entries (even if the entries contain credentials)
+
+The stage user container contains entries
+ - created by 'stageuser-add' commands that are Posix users
+ - created by external provisioning system
+
+A valid stage user entry MUST:
+ - entry RDN is 'uid'
+ - ipaUniqueID is 'autogenerate'
+
+IPA supports a wide range of username formats, but you need to be aware of any
+restrictions that may apply to your particular environment. For example,
+usernames that start with a digit or usernames that exceed a certain length
+may cause problems for some UNIX systems.
+Use 'ipa config-mod' to change the username format allowed by IPA tools.
+
+
+EXAMPLES:
+
+ Add a new stageuser:
+ ipa stageuser-add --first=Tim --last=User --password tuser1
+
+ Add a stageuser from the Delete container
+ ipa stageuser-add --first=Tim --last=User --from-delete tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class stageuser(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ primary_key=True,
+ label=_(u'User login'),
+ ),
+ parameters.Str(
+ 'givenname',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ label=_(u'Kerberos principal'),
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ ),
+ parameters.Str(
+ 'randompassword',
+ required=False,
+ label=_(u'Random password'),
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Flag(
+ 'has_password',
+ label=_(u'Password'),
+ ),
+ parameters.Str(
+ 'memberof_group',
+ required=False,
+ label=_(u'Member of groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_group',
+ required=False,
+ label=_(u'Indirect Member of group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Kerberos keys available'),
+ ),
+ )
+
+
+@register()
+class stageuser_activate(Method):
+ __doc__ = _("Activate a stage user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class stageuser_add(Method):
+ __doc__ = _("Add a new stage user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'),
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Bool(
+ 'from_delete',
+ required=False,
+ deprecated=True,
+ doc=_(u'Create Stage user in from a delete user'),
+ exclude=('cli', 'webui'),
+ default=False,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class stageuser_add_manager(Method):
+ __doc__ = _("Add a manager to the stage user entry")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class stageuser_del(Method):
+ __doc__ = _("Delete a stage user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ multivalue=True,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class stageuser_find(Method):
+ __doc__ = _("Search for stage users.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'),
+ no_convert=True,
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("login")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'in_group',
+ required=False,
+ multivalue=True,
+ cli_name='in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for stage users with these member of groups.'),
+ ),
+ parameters.Str(
+ 'not_in_group',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for stage users without these member of groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for stage users with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for stage users without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for stage users with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for stage users without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for stage users with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for stage users without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for stage users with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for stage users without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class stageuser_mod(Method):
+ __doc__ = _("Modify a stage user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the stage user object'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class stageuser_remove_manager(Method):
+ __doc__ = _("Remove a manager to the stage user entry")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class stageuser_show(Method):
+ __doc__ = _("Display information about a stage user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/sudocmd.py b/ipaclient/remote_plugins/2_164/sudocmd.py
new file mode 100644
index 000000000..ccc78a77a
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/sudocmd.py
@@ -0,0 +1,394 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Sudo Commands
+
+Commands used as building blocks for sudo
+
+EXAMPLES:
+
+ Create a new command
+ ipa sudocmd-add --desc='For reading log files' /usr/bin/less
+
+ Remove a command
+ ipa sudocmd-del /usr/bin/less
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmd(Object):
+ takes_params = (
+ parameters.Str(
+ 'sudocmd',
+ primary_key=True,
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'memberof_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ )
+
+
+@register()
+class sudocmd_add(Method):
+ __doc__ = _("Create new Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_del(Method):
+ __doc__ = _("Delete Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ multivalue=True,
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class sudocmd_find(Method):
+ __doc__ = _("Search for Sudo Commands.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("command")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudocmd_mod(Method):
+ __doc__ = _("Modify Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_show(Method):
+ __doc__ = _("Display Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
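Review bot: The module docstring example `ipa sudocmd-add --desc='For reading log files' /usr/bin/less` presents a pager as a read-only command, but less can start an editor or a shell, so a sudo rule built on it grants more than log reading. I would add a line under EXAMPLES such as `NOTE: review what a command can launch before adding it; pagers and editors can start other programs.`, or show the example together with sudo's `noexec` option. The file looks like a generated snapshot of the server API, so the wording probably has to change in the server-side sudocmd plugin first; that is an inference from the uniform layout and the `# pylint: disable=unused-import` header, not something the diff states.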
diff --git a/ipaclient/remote_plugins/2_164/sudocmdgroup.py b/ipaclient/remote_plugins/2_164/sudocmdgroup.py
new file mode 100644
index 000000000..747213d93
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/sudocmdgroup.py
@@ -0,0 +1,540 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of Sudo Commands
+
+Manage groups of Sudo Commands.
+
+EXAMPLES:
+
+ Add a new Sudo Command Group:
+ ipa sudocmdgroup-add --desc='administrators commands' admincmds
+
+ Remove a Sudo Command Group:
+ ipa sudocmdgroup-del admincmds
+
+ Manage Sudo Command Group membership, commands:
+ ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less --sudocmds=/usr/bin/vim admincmds
+
+ Manage Sudo Command Group membership, commands:
+ ipa group-remove-member --sudocmds=/usr/bin/less admincmds
+
+ Show a Sudo Command Group:
+ ipa group-show localadmins
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmdgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Sudo Command Group'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'membercmd_sudocmd',
+ required=False,
+ label=_(u'Commands'),
+ ),
+ parameters.Str(
+ 'membercmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ parameters.Str(
+ 'member_sudocmd',
+ required=False,
+ label=_(u'Member Sudo commands'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_add(Method):
+ __doc__ = _("Create new Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_add_member(Method):
+ __doc__ = _("Add members to Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_del(Method):
+ __doc__ = _("Delete Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_find(Method):
+ __doc__ = _("Search for Sudo Command Groups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("sudocmdgroup-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_mod(Method):
+ __doc__ = _("Modify Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_remove_member(Method):
+ __doc__ = _("Remove members from Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_show(Method):
+ __doc__ = _("Display Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
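Review bot: The last two examples in the module `__doc__` name commands that this module does not register: `ipa group-remove-member --sudocmds=/usr/bin/less admincmds` and `ipa group-show localadmins`, while the classes defined here are `sudocmdgroup_remove_member` and `sudocmdgroup_show`. The `group-*` names appear to belong to the user-group plugin, so an administrator copying the help text would be operating on a different object type than the sudo command group, which is a poor outcome for text that guides changes to sudo privilege delegation. The two lines should read `ipa sudocmdgroup-remove-member --sudocmds=/usr/bin/less admincmds` and `ipa sudocmdgroup-show admincmds`, and the heading of the removal example should mention removing commands rather than repeating the add-member heading. This file looks like a generated snapshot of server plugin metadata, so the same correction probably belongs in the originating plugin's docstring.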
diff --git a/ipaclient/remote_plugins/2_164/sudorule.py b/ipaclient/remote_plugins/2_164/sudorule.py
new file mode 100644
index 000000000..5d185ed31
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/sudorule.py
@@ -0,0 +1,1774 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Sudo Rules
+
+Sudo (su "do") allows a system administrator to delegate authority to
+give certain users (or groups of users) the ability to run some (or all)
+commands as root or another user while providing an audit trail of the
+commands and their arguments.
+
+FreeIPA provides a means to configure the various aspects of Sudo:
+ Users: The user(s)/group(s) allowed to invoke Sudo.
+ Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo.
+ Allow Command: The specific command(s) permitted to be run via Sudo.
+ Deny Command: The specific command(s) prohibited to be run via Sudo.
+ RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with.
+ RunAsGroup: The group(s) whose gid rights Sudo will be invoked with.
+ Options: The various Sudoers Options that can modify Sudo's behavior.
+
+An order can be added to a sudorule to control the order in which they
+are evaluated (if the client supports it). This order is an integer and
+must be unique.
+
+FreeIPA provides a designated binddn to use with Sudo located at:
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+To enable the binddn run the following command to set the password:
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+EXAMPLES:
+
+ Create a new rule:
+ ipa sudorule-add readfiles
+
+ Add sudo command object and add it as allowed command in the rule:
+ ipa sudocmd-add /usr/bin/less
+ ipa sudorule-add-allow-command readfiles --sudocmds /usr/bin/less
+
+ Add a host to the rule:
+ ipa sudorule-add-host readfiles --hosts server.example.com
+
+ Add a user to the rule:
+ ipa sudorule-add-user readfiles --users jsmith
+
+ Add a special Sudo rule for default Sudo server configuration:
+ ipa sudorule-add defaults
+
+ Set a default Sudo option:
+ ipa sudorule-add-option defaults --sudooption '!authenticate'
+""")
+
+register = Registry()
+
+
+@register()
+class sudorule(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ parameters.Str(
+ 'hostmask',
+ multivalue=True,
+ label=_(u'Host Masks'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ parameters.Str(
+ 'memberallowcmd_sudocmd',
+ required=False,
+ label=_(u'Sudo Allow Commands'),
+ ),
+ parameters.Str(
+ 'memberdenycmd_sudocmd',
+ required=False,
+ label=_(u'Sudo Deny Commands'),
+ ),
+ parameters.Str(
+ 'memberallowcmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Allow Command Groups'),
+ ),
+ parameters.Str(
+ 'memberdenycmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Deny Command Groups'),
+ ),
+ parameters.Str(
+ 'ipasudorunas_user',
+ required=False,
+ label=_(u'RunAs Users'),
+ doc=_(u'Run as a user'),
+ ),
+ parameters.Str(
+ 'ipasudorunas_group',
+ required=False,
+ label=_(u'Groups of RunAs Users'),
+ doc=_(u'Run as any user within a specified group'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextusergroup',
+ required=False,
+ label=_(u'External Groups of RunAs Users'),
+ doc=_(u'External Groups of users that the command can run as'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroup_group',
+ required=False,
+ label=_(u'RunAs Groups'),
+ doc=_(u'Run with the gid of a specified POSIX group'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudoopt',
+ required=False,
+ label=_(u'Sudo Option'),
+ ),
+ )
+
+
+@register()
+class sudorule_add(Method):
+ __doc__ = _("Create new Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_add_allow_command(Method):
+ __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_deny_command(Method):
+ __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_host(Method):
+ __doc__ = _("Add hosts and hostgroups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostmask',
+ required=False,
+ multivalue=True,
+ label=_(u'host masks of allowed hosts'),
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_option(Method):
+ __doc__ = _("Add an option to the Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipasudoopt',
+ cli_name='sudooption',
+ label=_(u'Sudo Option'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_add_runasgroup(Method):
+ __doc__ = _("Add group for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_runasuser(Method):
+ __doc__ = _("Add users and groups for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_user(Method):
+ __doc__ = _("Add users and groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_del(Method):
+ __doc__ = _("Delete Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class sudorule_disable(Method):
+ __doc__ = _("Disable a Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sudorule_enable(Method):
+ __doc__ = _("Enable a Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sudorule_find(Method):
+ __doc__ = _("Search for Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("sudorule-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudorule_mod(Method):
+ __doc__ = _("Modify Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_allow_command(Method):
+ __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_deny_command(Method):
+ __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'sudo commands to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'sudo command groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_host(Method):
+ __doc__ = _("Remove hosts and hostgroups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostmask',
+ required=False,
+ multivalue=True,
+ label=_(u'host masks of allowed hosts'),
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_option(Method):
+ __doc__ = _("Remove an option from Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipasudoopt',
+ cli_name='sudooption',
+ label=_(u'Sudo Option'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_runasgroup(Method):
+ __doc__ = _("Remove group for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_runasuser(Method):
+ __doc__ = _("Remove users and groups for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_user(Method):
+ __doc__ = _("Remove users and groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_show(Method):
+ __doc__ = _("Display Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/topology.py b/ipaclient/remote_plugins/2_164/topology.py
new file mode 100644
index 000000000..6347fb9ea
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/topology.py
@@ -0,0 +1,1055 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Topology
+
+Management of a replication topology at domain level 1.
+
+IPA server's data is stored in LDAP server in two suffixes:
+* domain suffix, e.g., 'dc=example,dc=com', contains all domain related data
+* ca suffix, 'o=ipaca', is present only on server with CA installed. It
+ contains data for Certificate Server component
+
+Data stored on IPA servers is replicated to other IPA servers. The way it is
+replicated is defined by replication agreements. Replication agreements needs
+to be set for both suffixes separately. On domain level 0 they are managed
+using ipa-replica-manage and ipa-csreplica-manage tools. With domain level 1
+they are managed centrally using `ipa topology*` commands.
+
+Agreements are represented by topology segments. By default topology segment
+represents 2 replication agreements - one for each direction, e.g., A to B and
+B to A. Creation of unidirectional segments is not allowed.
+
+To verify that no server is disconnected in the topology of the given suffix,
+use:
+ ipa topologysuffix-verify $suffix
+
+
+Examples:
+ Find all IPA servers:
+ ipa server-find
+
+ Find all suffixes:
+ ipa topologysuffix-find
+
+ Add topology segment to 'domain' suffix:
+ ipa topologysegment-add domain --left IPA_SERVER_A --right IPA_SERVER_B
+
+ Add topology segment to 'ca' suffix:
+ ipa topologysegment-add ca --left IPA_SERVER_A --right IPA_SERVER_B
+
+ List all topology segments in 'domain' suffix:
+ ipa topologysegment-find domain
+
+ List all topology segments in 'ca' suffix:
+ ipa topologysegment-find ca
+
+ Delete topology segment in 'domain' suffix:
+ ipa topologysegment-del domain segment_name
+
+ Delete topology segment in 'ca' suffix:
+ ipa topologysegment-del ca segment_name
+
+ Verify topology of 'domain' suffix:
+ ipa topologysuffix-verify domain
+
+ Verify topology of 'ca' suffix:
+ ipa topologysuffix-verify ca
+""")
+
+register = Registry()
+
+
+@register()
+class topologysegment(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ ),
+ parameters.Str(
+ 'iparepltoposegmentleftnode',
+ label=_(u'Left node'),
+ doc=_(u'Left replication node - an IPA server'),
+ ),
+ parameters.Str(
+ 'iparepltoposegmentrightnode',
+ label=_(u'Right node'),
+ doc=_(u'Right replication node - an IPA server'),
+ ),
+ parameters.Str(
+ 'iparepltoposegmentdirection',
+ label=_(u'Connectivity'),
+ doc=_(u'Direction of replication between left and right replication node'),
+ ),
+ parameters.Str(
+ 'nsds5replicastripattrs',
+ required=False,
+ label=_(u'Attributes to strip'),
+ doc=_(u'A space separated list of attributes which are removed from replication updates.'),
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelist',
+ required=False,
+ label=_(u'Attributes to replicate'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'),
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelisttotal',
+ required=False,
+ label=_(u'Attributes for total update'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'),
+ ),
+ parameters.Int(
+ 'nsds5replicatimeout',
+ required=False,
+ label=_(u'Session timeout'),
+ doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'),
+ ),
+ parameters.Str(
+ 'nsds5replicaenabled',
+ required=False,
+ label=_(u'Replication agreement enabled'),
+ doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'),
+ ),
+ )
+
+
+@register()
+class topologysuffix(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Suffix name'),
+ ),
+ parameters.DNParam(
+ 'iparepltopoconfroot',
+ label=_(u'Managed LDAP suffix DN'),
+ ),
+ )
+
+
+@register()
+class topologysegment_add(Method):
+ __doc__ = _("Add a new segment.")
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'iparepltoposegmentleftnode',
+ cli_name='leftnode',
+ label=_(u'Left node'),
+ doc=_(u'Left replication node - an IPA server'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'iparepltoposegmentrightnode',
+ cli_name='rightnode',
+ label=_(u'Right node'),
+ doc=_(u'Right replication node - an IPA server'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'iparepltoposegmentdirection',
+ cli_name='direction',
+ cli_metavar="['both', 'left-right', 'right-left']",
+ label=_(u'Connectivity'),
+ doc=_(u'Direction of replication between left and right replication node'),
+ exclude=('cli', 'webui'),
+ default=u'both',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'nsds5replicastripattrs',
+ required=False,
+ cli_name='stripattrs',
+ label=_(u'Attributes to strip'),
+ doc=_(u'A space separated list of attributes which are removed from replication updates.'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelist',
+ required=False,
+ cli_name='replattrs',
+ label=_(u'Attributes to replicate'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'),
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelisttotal',
+ required=False,
+ cli_name='replattrstotal',
+ label=_(u'Attributes for total update'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'),
+ ),
+ parameters.Int(
+ 'nsds5replicatimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Session timeout'),
+ doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'),
+ ),
+ parameters.Str(
+ 'nsds5replicaenabled',
+ required=False,
+ cli_name='enabled',
+ cli_metavar="['on', 'off']",
+ label=_(u'Replication agreement enabled'),
+ doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysegment_del(Method):
+ __doc__ = _("Delete a segment.")
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class topologysegment_find(Method):
+ __doc__ = _("Search for topology segments.")
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'iparepltoposegmentleftnode',
+ required=False,
+ cli_name='leftnode',
+ label=_(u'Left node'),
+ doc=_(u'Left replication node - an IPA server'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'iparepltoposegmentrightnode',
+ required=False,
+ cli_name='rightnode',
+ label=_(u'Right node'),
+ doc=_(u'Right replication node - an IPA server'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'iparepltoposegmentdirection',
+ required=False,
+ cli_name='direction',
+ cli_metavar="['both', 'left-right', 'right-left']",
+ label=_(u'Connectivity'),
+ doc=_(u'Direction of replication between left and right replication node'),
+ exclude=('cli', 'webui'),
+ default=u'both',
+ ),
+ parameters.Str(
+ 'nsds5replicastripattrs',
+ required=False,
+ cli_name='stripattrs',
+ label=_(u'Attributes to strip'),
+ doc=_(u'A space separated list of attributes which are removed from replication updates.'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelist',
+ required=False,
+ cli_name='replattrs',
+ label=_(u'Attributes to replicate'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'),
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelisttotal',
+ required=False,
+ cli_name='replattrstotal',
+ label=_(u'Attributes for total update'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'),
+ ),
+ parameters.Int(
+ 'nsds5replicatimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Session timeout'),
+ doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'),
+ ),
+ parameters.Str(
+ 'nsds5replicaenabled',
+ required=False,
+ cli_name='enabled',
+ cli_metavar="['on', 'off']",
+ label=_(u'Replication agreement enabled'),
+ doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class topologysegment_mod(Method):
+ __doc__ = _("Modify a segment.")
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'nsds5replicastripattrs',
+ required=False,
+ cli_name='stripattrs',
+ label=_(u'Attributes to strip'),
+ doc=_(u'A space separated list of attributes which are removed from replication updates.'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelist',
+ required=False,
+ cli_name='replattrs',
+ label=_(u'Attributes to replicate'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'),
+ ),
+ parameters.Str(
+ 'nsds5replicatedattributelisttotal',
+ required=False,
+ cli_name='replattrstotal',
+ label=_(u'Attributes for total update'),
+ doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'),
+ ),
+ parameters.Int(
+ 'nsds5replicatimeout',
+ required=False,
+ cli_name='timeout',
+ label=_(u'Session timeout'),
+ doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'),
+ ),
+ parameters.Str(
+ 'nsds5replicaenabled',
+ required=False,
+ cli_name='enabled',
+ cli_metavar="['on', 'off']",
+ label=_(u'Replication agreement enabled'),
+ doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysegment_reinitialize(Method):
+ __doc__ = _("Request a full re-initialization of the node retrieving data from the other node.")
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'left',
+ required=False,
+ doc=_(u'Initialize left node'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'right',
+ required=False,
+ doc=_(u'Initialize right node'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'stop',
+ required=False,
+ doc=_(u'Stop already started refresh of chosen node(s)'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysegment_show(Method):
+ __doc__ = _("Display a segment.")
+
+ takes_args = (
+ parameters.Str(
+ 'topologysuffixcn',
+ cli_name='topologysuffix',
+ label=_(u'Suffix name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Segment name'),
+ doc=_(u'Arbitrary string identifying the segment'),
+ default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ # FIXME:
+ # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode:
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysuffix_add(Method):
+ __doc__ = _("Add a new topology suffix to be managed.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'iparepltopoconfroot',
+ cli_name='suffix_dn',
+ label=_(u'Managed LDAP suffix DN'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysuffix_del(Method):
+ __doc__ = _("Delete a topology suffix.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class topologysuffix_find(Method):
+ __doc__ = _("Search for topology suffixes.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ parameters.DNParam(
+ 'iparepltopoconfroot',
+ required=False,
+ cli_name='suffix_dn',
+ label=_(u'Managed LDAP suffix DN'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class topologysuffix_mod(Method):
+ __doc__ = _("Modify a topology suffix.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'iparepltopoconfroot',
+ required=False,
+ cli_name='suffix_dn',
+ label=_(u'Managed LDAP suffix DN'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysuffix_show(Method):
+ __doc__ = _("Show managed suffix.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class topologysuffix_verify(Method):
+ __doc__ = _("""
+Verify replication topology for suffix.
+
+Checks done:
+ 1. check if a topology is not disconnected. In other words if there are
+ replication paths between all servers.
+ 2. check if servers don't have more than the recommended number of
+ replication agreements
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Suffix name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/trust.py b/ipaclient/remote_plugins/2_164/trust.py
new file mode 100644
index 000000000..369ffcd18
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/trust.py
@@ -0,0 +1,1264 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Cross-realm trusts
+
+Manage trust relationship between IPA and Active Directory domains.
+
+In order to allow users from a remote domain to access resources in IPA
+domain, trust relationship needs to be established. Currently IPA supports
+only trusts between IPA and Active Directory domains under control of Windows
+Server 2008 or later, with functional level 2008 or later.
+
+Please note that DNS on both IPA and Active Directory domain sides should be
+configured properly to discover each other. Trust relationship relies on
+ability to discover special resources in the other domain via DNS records.
+
+Examples:
+
+1. Establish cross-realm trust with Active Directory using AD administrator
+ credentials:
+
+ ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password
+
+2. List all existing trust relationships:
+
+ ipa trust-find
+
+3. Show details of the specific trust relationship:
+
+ ipa trust-show <ad.domain>
+
+4. Delete existing trust relationship:
+
+ ipa trust-del <ad.domain>
+
+Once trust relationship is established, remote users will need to be mapped
+to local POSIX groups in order to actually use IPA resources. The mapping should
+be done via use of external membership of non-POSIX group and then this group
+should be included into one of local POSIX groups.
+
+Example:
+
+1. Create group for the trusted domain admins' mapping and their local POSIX group:
+
+ ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
+ ipa group-add --desc='<ad.domain> admins' ad_admins
+
+2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
+ group:
+
+ ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
+
+3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+
+ ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their SIDs:
+
+ ipa group-show ad_admins_external
+
+
+GLOBAL TRUST CONFIGURATION
+
+When IPA AD trust subpackage is installed and ipa-adtrust-install is run,
+a local domain configuration (SID, GUID, NetBIOS name) is generated. These
+identifiers are then used when communicating with a trusted domain of the
+particular type.
+
+1. Show global trust configuration for Active Directory type of trusts:
+
+ ipa trustconfig-show --type ad
+
+2. Modify global configuration for all trusts of Active Directory type and set
+ a different fallback primary group (fallback primary group GID is used as
+ a primary user GID if user authenticating to IPA domain does not have any other
+ primary GID already set):
+
+ ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group"
+
+3. Change primary fallback group back to default hidden group (any group with
+ posixGroup object class is allowed):
+
+ ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group"
+""")
+
+register = Registry()
+
+
+@register()
+class trust(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ label=_(u'SID blacklist outgoing'),
+ ),
+ )
+
+
+@register()
+class trustconfig(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ label=_(u'Domain'),
+ ),
+ parameters.Str(
+ 'ipantsecurityidentifier',
+ label=_(u'Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ label=_(u'NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipantdomainguid',
+ label=_(u'Domain GUID'),
+ ),
+ parameters.Str(
+ 'ipantfallbackprimarygroup',
+ label=_(u'Fallback primary group'),
+ ),
+ )
+
+
+@register()
+class trustdomain(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Domain name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ ),
+ )
+
+
+@register()
+class adtrust_is_enabled(Command):
+ __doc__ = _("Determine whether ipa-adtrust-install has been run on this system")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class compat_is_enabled(Command):
+ __doc__ = _("Determine whether Schema Compatibility plugin is configured to serve trusted domain users and groups")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sidgen_was_run(Command):
+ __doc__ = _("Determine whether ipa-adtrust-install has been run with sidgen task")
+
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class trust_add(Method):
+ __doc__ = _("""
+Add new trust to use.
+
+This command establishes trust relationship to another domain
+which becomes 'trusted'. As result, users of the trusted domain
+may access resources of this domain.
+
+Only trusts to Active Directory domains are supported right now.
+
+The command can be safely run multiple times against the same domain,
+this will cause change to trust relationship credentials on both
+sides.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'realm_admin',
+ required=False,
+ cli_name='admin',
+ label=_(u'Active Directory domain administrator'),
+ ),
+ parameters.Password(
+ 'realm_passwd',
+ required=False,
+ cli_name='password',
+ label=_(u"Active Directory domain administrator's password"),
+ ),
+ parameters.Str(
+ 'realm_server',
+ required=False,
+ cli_name='server',
+ label=_(u'Domain controller for the Active Directory domain (optional)'),
+ ),
+ parameters.Password(
+ 'trust_secret',
+ required=False,
+ label=_(u'Shared secret for the trust'),
+ ),
+ parameters.Int(
+ 'base_id',
+ required=False,
+ label=_(u'First Posix ID of the range reserved for the trusted domain'),
+ ),
+ parameters.Int(
+ 'range_size',
+ required=False,
+ label=_(u'Size of the ID range reserved for the trusted domain'),
+ ),
+ parameters.Str(
+ 'range_type',
+ required=False,
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust']",
+ label=_(u'Range type'),
+ doc=_(u'Type of trusted domain ID range, one of ipa-ad-trust-posix, ipa-ad-trust'),
+ ),
+ parameters.Bool(
+ 'bidirectional',
+ required=False,
+ cli_name='two_way',
+ label=_(u'Two-way trust'),
+ doc=_(u'Establish bi-directional trust. By default trust is inbound one-way only.'),
+ default=False,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trust_del(Method):
+ __doc__ = _("Delete a trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class trust_fetch_domains(Method):
+ __doc__ = _("Refresh list of the domains associated with the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'realm_server',
+ required=False,
+ cli_name='server',
+ label=_(u'Domain controller for the Active Directory domain (optional)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class trust_find(Method):
+ __doc__ = _("Search for trusts.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_incoming',
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_outgoing',
+ label=_(u'SID blacklist outgoing'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("realm")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class trust_mod(Method):
+ __doc__ = _("""
+Modify a trust (for future use).
+
+ Currently only the default option to modify the LDAP attributes is
+ available. More specific options will be added in coming releases.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_incoming',
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_outgoing',
+ label=_(u'SID blacklist outgoing'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trust_resolve(Command):
+ __doc__ = _("Resolve security identifiers of users and groups in trusted domains")
+
+ NO_CLI = True
+
+ takes_options = (
+ parameters.Str(
+ 'sids',
+ multivalue=True,
+ label=_(u'Security Identifiers (SIDs)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.ListOfEntries(
+ 'result',
+ ),
+ )
+
+
+@register()
+class trust_show(Method):
+ __doc__ = _("Display information about a trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustconfig_mod(Method):
+ __doc__ = _("Modify global trust configuration.")
+
+ takes_options = (
+ parameters.Str(
+ 'ipantfallbackprimarygroup',
+ required=False,
+ cli_name='fallback_primary_group',
+ label=_(u'Fallback primary group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustconfig_show(Method):
+ __doc__ = _("Show global trust configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_add(Method):
+ __doc__ = _("Allow access from the trusted domain")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_del(Method):
+ __doc__ = _("Remove infromation about the domain associated with the trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class trustdomain_disable(Method):
+ __doc__ = _("Disable use of IPA resources by the domain of the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_enable(Method):
+ __doc__ = _("Allow use of IPA resources by the domain of the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustdomain_find(Method):
+ __doc__ = _("Search domains of the trust")
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("domain")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class trustdomain_mod(Method):
+ __doc__ = _("Modify trustdomain of the trust")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'trustcn',
+ cli_name='trust',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'cn',
+ cli_name='domain',
+ label=_(u'Domain name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipanttrustpartner',
+ required=False,
+ label=_(u'Trusted domain partner'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/user.py b/ipaclient/remote_plugins/2_164/user.py
new file mode 100644
index 000000000..8b8b850c0
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/user.py
@@ -0,0 +1,1993 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Users
+
+Manage user entries. All users are POSIX users.
+
+IPA supports a wide range of username formats, but you need to be aware of any
+restrictions that may apply to your particular environment. For example,
+usernames that start with a digit or usernames that exceed a certain length
+may cause problems for some UNIX systems.
+Use 'ipa config-mod' to change the username format allowed by IPA tools.
+
+Disabling a user account prevents that user from obtaining new Kerberos
+credentials. It does not invalidate any credentials that have already
+been issued.
+
+Password management is not a part of this module. For more information
+about this topic please see: ipa help passwd
+
+Account lockout on password failure happens per IPA master. The user-status
+command can be used to identify which master the user is locked out on.
+It is on that master the administrator must unlock the user.
+
+EXAMPLES:
+
+ Add a new user:
+ ipa user-add --first=Tim --last=User --password tuser1
+
+ Find all users whose entries include the string "Tim":
+ ipa user-find Tim
+
+ Find all users with "Tim" as the first name:
+ ipa user-find --first=Tim
+
+ Disable a user account:
+ ipa user-disable tuser1
+
+ Enable a user account:
+ ipa user-enable tuser1
+
+ Delete a user:
+ ipa user-del tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class user(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ primary_key=True,
+ label=_(u'User login'),
+ ),
+ parameters.Str(
+ 'givenname',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ label=_(u'Kerberos principal'),
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ ),
+ parameters.Str(
+ 'randompassword',
+ required=False,
+ label=_(u'Random password'),
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ ),
+ parameters.Bool(
+ 'preserved',
+ required=False,
+ label=_(u'Preserved user'),
+ ),
+ parameters.Flag(
+ 'has_password',
+ label=_(u'Password'),
+ ),
+ parameters.Str(
+ 'memberof_group',
+ required=False,
+ label=_(u'Member of groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_group',
+ required=False,
+ label=_(u'Indirect Member of group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Kerberos keys available'),
+ ),
+ )
+
+
+@register()
+class user_add(Method):
+ __doc__ = _("Add a new user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'noprivate',
+ doc=_(u"Don't create user private group"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_add_cert(Method):
+ __doc__ = _("Add one or more certificates to the user entry")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_add_manager(Method):
+ __doc__ = _("Add a manager to the user entry")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class user_del(Method):
+ __doc__ = _("Delete a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ multivalue=True,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bool(
+ 'preserve',
+ required=False,
+ exclude=('cli',),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class user_disable(Method):
+ __doc__ = _("Disable a user account.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_enable(Method):
+ __doc__ = _("Enable a user account.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_find(Method):
+ __doc__ = _("Search for users.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Bool(
+ 'preserved',
+ required=False,
+ label=_(u'Preserved user'),
+ default=False,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Flag(
+ 'whoami',
+ label=_(u'Self'),
+ doc=_(u'Display user record for current Kerberos principal'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("login")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'in_group',
+ required=False,
+ multivalue=True,
+ cli_name='in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for users with these member of groups.'),
+ ),
+ parameters.Str(
+ 'not_in_group',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for users without these member of groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for users with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for users without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for users with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for users without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for users with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for users without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for users with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for users without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class user_mod(Method):
+ __doc__ = _("Modify a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.DateTime(
+ 'krbprincipalexpiration',
+ required=False,
+ cli_name='principal_expiration',
+ label=_(u'Kerberos principal expiration'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ multivalue=True,
+ label=_(u'Car License'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipauserauthtype',
+ required=False,
+ multivalue=True,
+ cli_name='user_auth_type',
+ cli_metavar="['password', 'radius', 'otp']",
+ label=_(u'User authentication types'),
+ doc=_(u'Types of supported user authentication'),
+ ),
+ parameters.Str(
+ 'userclass',
+ required=False,
+ multivalue=True,
+ cli_name='class',
+ label=_(u'Class'),
+ doc=_(u'User category (semantics placed on this attribute are for local interpretation)'),
+ ),
+ parameters.Str(
+ 'ipatokenradiusconfiglink',
+ required=False,
+ cli_name='radius',
+ label=_(u'RADIUS proxy configuration'),
+ ),
+ parameters.Str(
+ 'ipatokenradiususername',
+ required=False,
+ cli_name='radius_username',
+ label=_(u'RADIUS proxy username'),
+ ),
+ parameters.Str(
+ 'departmentnumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Department Number'),
+ ),
+ parameters.Str(
+ 'employeenumber',
+ required=False,
+ label=_(u'Employee Number'),
+ ),
+ parameters.Str(
+ 'employeetype',
+ required=False,
+ label=_(u'Employee Type'),
+ ),
+ parameters.Str(
+ 'preferredlanguage',
+ required=False,
+ label=_(u'Preferred Language'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the user object'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_remove_cert(Method):
+ __doc__ = _("Remove one or more certificates to the user entry")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_remove_manager(Method):
+ __doc__ = _("Remove a manager to the user entry")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class user_show(Method):
+ __doc__ = _("Display information about a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_stage(Method):
+ __doc__ = _("Move deleted user into staged area")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ multivalue=True,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class user_status(Method):
+ __doc__ = _("""
+Lockout status of a user account
+
+ An account may become locked if the password is entered incorrectly too
+ many times within a specific time period as controlled by password
+ policy. A locked account is a temporary condition and may be unlocked by
+ an administrator.
+
+ This connects to each IPA master and displays the lockout status on
+ each one.
+
+ To determine whether an account is locked on a given server you need
+ to compare the number of failed logins and the time of the last failure.
+ For an account to be locked it must exceed the maxfail failures within
+ the failinterval duration as specified in the password policy associated
+ with the user.
+
+ The failed login counter is modified only when a user attempts a log in
+ so it is possible that an account may appear locked but the last failed
+ login attempt is older than the lockouttime of the password policy. This
+ means that the user may attempt a login again.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class user_undel(Method):
+ __doc__ = _("Undelete a delete user account.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_unlock(Method):
+ __doc__ = _("""
+Unlock a user account
+
+ An account may become locked if the password is entered incorrectly too
+ many times within a specific time period as controlled by password
+ policy. A locked account is a temporary condition and may be unlocked by
+ an administrator.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/vault.py b/ipaclient/remote_plugins/2_164/vault.py
new file mode 100644
index 000000000..8da030cf3
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/vault.py
@@ -0,0 +1,1680 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Vaults
+
+Manage vaults.
+
+Vault is a secure place to store a secret.
+
+Based on the ownership there are three vault categories:
+* user/private vault
+* service vault
+* shared vault
+
+User vaults are vaults owned used by a particular user. Private
+vaults are vaults owned the current user. Service vaults are
+vaults owned by a service. Shared vaults are owned by the admin
+but they can be used by other users or services.
+
+Based on the security mechanism there are three types of
+vaults:
+* standard vault
+* symmetric vault
+* asymmetric vault
+
+Standard vault uses a secure mechanism to transport and
+store the secret. The secret can only be retrieved by users
+that have access to the vault.
+
+Symmetric vault is similar to the standard vault, but it
+pre-encrypts the secret using a password before transport.
+The secret can only be retrieved using the same password.
+
+Asymmetric vault is similar to the standard vault, but it
+pre-encrypts the secret using a public key before transport.
+The secret can only be retrieved using the private key.
+
+EXAMPLES:
+
+ List vaults:
+ ipa vault-find
+ [--user <user>|--service <service>|--shared]
+
+ Add a standard vault:
+ ipa vault-add <name>
+ [--user <user>|--service <service>|--shared]
+ --type standard
+
+ Add a symmetric vault:
+ ipa vault-add <name>
+ [--user <user>|--service <service>|--shared]
+ --type symmetric --password-file password.txt
+
+ Add an asymmetric vault:
+ ipa vault-add <name>
+ [--user <user>|--service <service>|--shared]
+ --type asymmetric --public-key-file public.pem
+
+ Show a vault:
+ ipa vault-show <name>
+ [--user <user>|--service <service>|--shared]
+
+ Modify vault description:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --desc <description>
+
+ Modify vault type:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --type <type>
+ [old password/private key]
+ [new password/public key]
+
+ Modify symmetric vault password:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --change-password
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --old-password <old password>
+ --new-password <new password>
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --old-password-file <old password file>
+ --new-password-file <new password file>
+
+ Modify asymmetric vault keys:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --private-key-file <old private key file>
+ --public-key-file <new public key file>
+
+ Delete a vault:
+ ipa vault-del <name>
+ [--user <user>|--service <service>|--shared]
+
+ Display vault configuration:
+ ipa vaultconfig-show
+
+ Archive data into standard vault:
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
+
+ Archive data into symmetric vault:
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
+ --password-file password.txt
+
+ Archive data into asymmetric vault:
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
+
+ Retrieve data from standard vault:
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file>
+
+ Retrieve data from symmetric vault:
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file>
+ --password-file password.txt
+
+ Retrieve data from asymmetric vault:
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file> --private-key-file private.pem
+
+ Add vault owners:
+ ipa vault-add-owner <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
+
+ Delete vault owners:
+ ipa vault-remove-owner <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
+
+ Add vault members:
+ ipa vault-add-member <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
+
+ Delete vault members:
+ ipa vault-remove-member <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
+""")
+
+register = Registry()
+
+
+@register()
+class vault(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Vault name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'Vault description'),
+ ),
+ parameters.Str(
+ 'ipavaulttype',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Vault type'),
+ ),
+ parameters.Bytes(
+ 'ipavaultsalt',
+ required=False,
+ label=_(u'Salt'),
+ doc=_(u'Vault salt'),
+ ),
+ parameters.Bytes(
+ 'ipavaultpublickey',
+ required=False,
+ label=_(u'Public key'),
+ doc=_(u'Vault public key'),
+ ),
+ parameters.Str(
+ 'owner_user',
+ required=False,
+ label=_(u'Owner users'),
+ ),
+ parameters.Str(
+ 'owner_group',
+ required=False,
+ label=_(u'Owner groups'),
+ ),
+ parameters.Str(
+ 'owner_service',
+ required=False,
+ label=_(u'Owner services'),
+ ),
+ parameters.Str(
+ 'owner',
+ required=False,
+ label=_(u'Failed owners'),
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ label=_(u'Vault service'),
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ label=_(u'Shared vault'),
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ label=_(u'Vault user'),
+ ),
+ parameters.Str(
+ 'member_user',
+ required=False,
+ label=_(u'Member users'),
+ ),
+ parameters.Str(
+ 'member_group',
+ required=False,
+ label=_(u'Member groups'),
+ ),
+ parameters.Str(
+ 'member_service',
+ required=False,
+ label=_(u'Member services'),
+ ),
+ )
+
+
+@register()
+class vaultconfig(Object):
+ takes_params = (
+ parameters.Bytes(
+ 'transport_cert',
+ label=_(u'Transport Certificate'),
+ ),
+ )
+
+
+@register()
+class vaultcontainer(Object):
+ takes_params = (
+ parameters.Str(
+ 'owner_user',
+ required=False,
+ label=_(u'Owner users'),
+ ),
+ parameters.Str(
+ 'owner_group',
+ required=False,
+ label=_(u'Owner groups'),
+ ),
+ parameters.Str(
+ 'owner_service',
+ required=False,
+ label=_(u'Owner services'),
+ ),
+ parameters.Str(
+ 'owner',
+ required=False,
+ label=_(u'Failed owners'),
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ label=_(u'Vault service'),
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ label=_(u'Shared vault'),
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ label=_(u'Vault user'),
+ ),
+ )
+
+
+@register()
+class kra_is_enabled(Command):
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vault_add_internal(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Vault description'),
+ ),
+ parameters.Str(
+ 'ipavaulttype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['standard', 'symmetric', 'asymmetric']",
+ label=_(u'Type'),
+ doc=_(u'Vault type'),
+ default=u'symmetric',
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'ipavaultsalt',
+ required=False,
+ cli_name='salt',
+ label=_(u'Salt'),
+ doc=_(u'Vault salt'),
+ ),
+ parameters.Bytes(
+ 'ipavaultpublickey',
+ required=False,
+ cli_name='public_key',
+ label=_(u'Public key'),
+ doc=_(u'Vault public key'),
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vault_add_member(Method):
+ __doc__ = _("Add members to a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'member service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class vault_add_owner(Method):
+ __doc__ = _("Add owners to a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'owner user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'owner group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'owner service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Owners that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of owners added'),
+ ),
+ )
+
+
+@register()
+class vault_archive_internal(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Bytes(
+ 'session_key',
+ doc=_(u'Session key wrapped with transport certificate'),
+ ),
+ parameters.Bytes(
+ 'vault_data',
+ doc=_(u'Vault data encrypted with session key'),
+ ),
+ parameters.Bytes(
+ 'nonce',
+ doc=_(u'Nonce'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vault_del(Method):
+ __doc__ = _("Delete a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class vault_find(Method):
+ __doc__ = _("Search for vaults.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Vault description'),
+ ),
+ parameters.Str(
+ 'ipavaulttype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['standard', 'symmetric', 'asymmetric']",
+ label=_(u'Type'),
+ doc=_(u'Vault type'),
+ default=u'symmetric',
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds (0 is unlimited)'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned (0 is unlimited)'),
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'services',
+ required=False,
+ doc=_(u'List all service vaults'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'users',
+ required=False,
+ doc=_(u'List all user vaults'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class vault_mod_internal(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Vault description'),
+ ),
+ parameters.Str(
+ 'ipavaulttype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['standard', 'symmetric', 'asymmetric']",
+ label=_(u'Type'),
+ doc=_(u'Vault type'),
+ default=u'symmetric',
+ ),
+ parameters.Bytes(
+ 'ipavaultsalt',
+ required=False,
+ cli_name='salt',
+ label=_(u'Salt'),
+ doc=_(u'Vault salt'),
+ ),
+ parameters.Bytes(
+ 'ipavaultpublickey',
+ required=False,
+ cli_name='public_key',
+ label=_(u'Public key'),
+ doc=_(u'Vault public key'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vault_remove_member(Method):
+ __doc__ = _("Remove members from a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'member service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class vault_remove_owner(Method):
+ __doc__ = _("Remove owners from a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'owner user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'owner group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'owner service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Owners that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of owners removed'),
+ ),
+ )
+
+
+@register()
+class vault_retrieve_internal(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Bytes(
+ 'session_key',
+ doc=_(u'Session key wrapped with transport certificate'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vault_show(Method):
+ __doc__ = _("Display information about a vault.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Vault name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vaultconfig_show(Method):
+ __doc__ = _("Show vault configuration.")
+
+ takes_options = (
+ parameters.Str(
+ 'transport_out',
+ required=False,
+ doc=_(u'Output file to store the transport certificate'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class vaultcontainer_add_owner(Method):
+ __doc__ = _("Add owners to a vault container.")
+
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'owner user'),
+ doc=_(u'users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'owner group'),
+ doc=_(u'groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'owner service'),
+ doc=_(u'services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Owners that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of owners added'),
+ ),
+ )
+
+
+@register()
+class vaultcontainer_del(Method):
+ __doc__ = _("Delete a vault container.")
+
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class vaultcontainer_remove_owner(Method):
+ __doc__ = _("Remove owners from a vault container.")
+
+ takes_options = (
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'owner user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'owner group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'services',
+ required=False,
+ multivalue=True,
+ label=_(u'owner service'),
+ doc=_(u'services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Owners that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of owners removed'),
+ ),
+ )
+
+
+@register()
+class vaultcontainer_show(Method):
+ __doc__ = _("Display information about a vault container.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/__init__.py b/ipaclient/remote_plugins/2_49/__init__.py
new file mode 100644
index 000000000..4ef04a772
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/__init__.py
@@ -0,0 +1,15 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+from ..compat import CompatCommand, CompatMethod, CompatObject
+
+Object = CompatObject
+
+
+class Command(CompatCommand):
+ api_version = u'2.49'
+
+
+class Method(Command, CompatMethod):
+ pass
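Review bot: `api_version = u'2.49'` in `Command` repeats the version already encoded in the package directory name `2_49`, and nothing in the file says the two must stay in step. Every `Command` and `Method` subclass in the package inherits the attribute (`aci.py` imports both from `.`), so a one-line comment above it would help, e.g. `# Must match this package's directory name (2_49); inherited by every plugin class in the package.` `Method(Command, CompatMethod)` also appears to rely on base-class order so that `Command.api_version` is found before anything `CompatMethod` provides. `..compat` is not visible here, so a short class docstring saying this would save the next reader a lookup. If these `__init__.py` files are emitted by a generator, the comment belongs in its template instead.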
diff --git a/ipaclient/remote_plugins/2_49/aci.py b/ipaclient/remote_plugins/2_49/aci.py
new file mode 100644
index 000000000..b2d6d88a7
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/aci.py
@@ -0,0 +1,811 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Directory Server Access Control Instructions (ACIs)
+
+ACIs are used to allow or deny access to information. This module is
+currently designed to allow, not deny, access.
+
+The aci commands are designed to grant permissions that allow updating
+existing entries or adding or deleting new ones. The goal of the ACIs
+that ship with IPA is to provide a set of low-level permissions that
+grant access to special groups called taskgroups. These low-level
+permissions can be combined into roles that grant broader access. These
+roles are another type of group, roles.
+
+For example, if you have taskgroups that allow adding and modifying users you
+could create a role, useradmin. You would assign users to the useradmin
+role to allow them to do the operations defined by the taskgroups.
+
+You can create ACIs that delegate permission so users in group A can write
+attributes on group B.
+
+The type option is a map that applies to all entries in the users, groups or
+host location. It is primarily designed to be used when granting add
+permissions (to write new entries).
+
+An ACI consists of three parts:
+1. target
+2. permissions
+3. bind rules
+
+The target is a set of rules that define which LDAP objects are being
+targeted. This can include a list of attributes, an area of that LDAP
+tree or an LDAP filter.
+
+The targets include:
+- attrs: list of attributes affected
+- type: an object type (user, group, host, service, etc)
+- memberof: members of a group
+- targetgroup: grant access to modify a specific group. This is primarily
+ designed to enable users to add or remove members of a specific group.
+- filter: A legal LDAP filter used to narrow the scope of the target.
+- subtree: Used to apply a rule across an entire set of objects. For example,
+ to allow adding users you need to grant "add" permission to the subtree
+ ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option
+ is a fail-safe for objects that may not be covered by the type option.
+
+The permissions define what the ACI is allowed to do, and are one or
+more of:
+1. write - write one or more attributes
+2. read - read one or more attributes
+3. add - add a new entry to the tree
+4. delete - delete an existing entry
+5. all - all permissions are granted
+
+Note the distinction between attributes and entries. The permissions are
+independent, so being able to add a user does not mean that the user will
+be editable.
+
+The bind rule defines who this ACI grants permissions to. The LDAP server
+allows this to be any valid LDAP entry but we encourage the use of
+taskgroups so that the rights can be easily shared through roles.
+
+For a more thorough description of access controls see
+http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html
+
+EXAMPLES:
+
+NOTE: ACIs are now added via the permission plugin. These examples are to
+demonstrate how the various options work but this is done via the permission
+command-line now (see last example).
+
+ Add an ACI so that the group "secretaries" can update the address on any user:
+ ipa group-add --desc="Office secretaries" secretaries
+ ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses"
+
+ Show the new ACI:
+ ipa aci-show --prefix=none "Secretaries write addresses"
+
+ Add an ACI that allows members of the "addusers" permission to add new users:
+ ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users"
+
+ Add an ACI that allows members of the editors manage members of the admins group:
+ ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins"
+
+ Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group:
+ ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode --prefix=none "admins edit the address of editors"
+
+ Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss:
+ ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss"
+
+ Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
+ ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
+
+
+The show command shows the raw 389-ds ACI.
+
+IMPORTANT: When modifying the target attributes of an existing ACI you
+must include all existing attributes as well. When doing an aci-mod the
+targetattr REPLACES the current attributes, it does not add to them.
+""")
+
+register = Registry()
+
+
+@register()
+class aci(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'ACI name'),
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ ),
+ )
+
+
+@register()
+class aci_add(Method):
+ __doc__ = _("Create new ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'test',
+ required=False,
+ doc=_(u"Test the ACI syntax but don't write anything"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_del(Method):
+ __doc__ = _("Delete ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_find(Method):
+ __doc__ = _("""
+Search for ACIs.
+
+ Returns a list of ACIs
+
+ EXAMPLES:
+
+ To find all ACIs that apply directly to members of the group ipausers:
+ ipa aci-find --memberof=ipausers
+
+ To find all ACIs that grant add access:
+ ipa aci-find --permissions=add
+
+ Note that the find command only looks for the given text in the set of
+ ACIs, it does not evaluate the ACIs to see if something would apply.
+ For example, searching on memberof=ipausers will find all ACIs that
+ have ipausers as a memberof. There may be other ACIs that apply to
+ members of that group indirectly.
+ """)
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Bool(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ required=False,
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class aci_mod(Method):
+ __doc__ = _("Modify ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_rename(Method):
+ __doc__ = _("Rename an ACI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permission',
+ required=False,
+ label=_(u'Permission'),
+ doc=_(u'Permission ACI grants access to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of'),
+ doc=_(u'Member of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply ACI to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'Group to apply ACI to'),
+ ),
+ parameters.Flag(
+ 'selfaci',
+ required=False,
+ cli_name='self',
+ label=_(u'Target your own entry (self)'),
+ doc=_(u'Apply ACI to your own entry (self)'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Str(
+ 'newname',
+ doc=_(u'New ACI name'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class aci_show(Method):
+ __doc__ = _("Display a single ACI given an ACI name.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'ACI name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciprefix',
+ cli_name='prefix',
+ cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
+ label=_(u'ACI prefix'),
+ doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/automember.py b/ipaclient/remote_plugins/2_49/automember.py
new file mode 100644
index 000000000..39cdac0b4
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/automember.py
@@ -0,0 +1,758 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Auto Membership Rule.
+
+Bring clarity to the membership of hosts and users by configuring inclusive
+or exclusive regex patterns, you can automatically assign a new entries into
+a group or hostgroup based upon attribute information.
+
+A rule is directly associated with a group by name, so you cannot create
+a rule without an accompanying group or hostgroup.
+
+A condition is a regular expression used by 389-ds to match a new incoming
+entry with an automember rule. If it matches an inclusive rule then the
+entry is added to the appropriate group or hostgroup.
+
+A default group or hostgroup could be specified for entries that do not
+match any rule. In case of user entries this group will be a fallback group
+because all users are by default members of group specified in IPA config.
+
+
+EXAMPLES:
+
+ Add the initial group or hostgroup:
+ ipa hostgroup-add --desc="Web Servers" webservers
+ ipa group-add --desc="Developers" devel
+
+ Add the initial rule:
+ ipa automember-add --type=hostgroup webservers
+ ipa automember-add --type=group devel
+
+ Add a condition to the rule:
+ ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
+ ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel
+
+ Add an exclusive condition to the rule to prevent auto assignment:
+ ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
+
+ Add a host:
+ ipa host-add web1.example.com
+
+ Add a user:
+ ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott
+
+ Verify automembership:
+ ipa hostgroup-show webservers
+ Host-group: webservers
+ Description: Web Servers
+ Member hosts: web1.example.com
+
+ ipa group-show devel
+ Group name: devel
+ Description: Developers
+ GID: 1004200000
+ Member users: tuser
+
+ Remove a condition from the rule:
+ ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
+
+ Modify the automember rule:
+ ipa automember-mod
+
+ Set the default (fallback) target group:
+ ipa automember-default-group-set --default-group=webservers --type=hostgroup
+ ipa automember-default-group-set --default-group=ipausers --type=group
+
+ Remove the default (fallback) target group:
+ ipa automember-default-group-remove --type=hostgroup
+ ipa automember-default-group-remove --type=group
+
+ Show the default (fallback) target group:
+ ipa automember-default-group-show --type=hostgroup
+ ipa automember-default-group-show --type=group
+
+ Find all of the automember rules:
+ ipa automember-find
+
+ Display a automember rule:
+ ipa automember-show --type=hostgroup webservers
+ ipa automember-show --type=group devel
+
+ Delete an automember rule:
+ ipa automember-del --type=hostgroup webservers
+ ipa automember-del --type=group devel
+""")
+
+register = Registry()
+
+
+@register()
+class automember(Object):
+ takes_params = (
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberdefaultgroup',
+ required=False,
+ label=_(u'Default (fallback) Group'),
+ doc=_(u'Default group for entries to land'),
+ ),
+ )
+
+
+@register()
+class automember_add(Method):
+ __doc__ = _("Add an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_add_condition(Method):
+ __doc__ = _("Add conditions to an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberinclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='inclusive_regex',
+ label=_(u'Inclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'automemberexclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='exclusive_regex',
+ label=_(u'Exclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'key',
+ label=_(u'Attribute Key'),
+ doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Conditions that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of conditions added'),
+ ),
+ )
+
+
+@register()
+class automember_default_group_remove(Method):
+ __doc__ = _("Remove default (fallback) group for all unmatched entries.")
+
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_default_group_set(Method):
+ __doc__ = _("Set default (fallback) group for all unmatched entries.")
+
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberdefaultgroup',
+ cli_name='default_group',
+ label=_(u'Default (fallback) Group'),
+ doc=_(u'Default (fallback) group for entries to land'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_default_group_show(Method):
+ __doc__ = _("Display information about the default (fallback) automember groups.")
+
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_del(Method):
+ __doc__ = _("Delete an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_find(Method):
+ __doc__ = _("Search for automember rules.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automember_mod(Method):
+ __doc__ = _("Modify an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automember_remove_condition(Method):
+ __doc__ = _("Remove conditions from an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this auto member rule'),
+ ),
+ parameters.Str(
+ 'automemberinclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='inclusive_regex',
+ label=_(u'Inclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'automemberexclusiveregex',
+ required=False,
+ multivalue=True,
+ cli_name='exclusive_regex',
+ label=_(u'Exclusive Regex'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'key',
+ label=_(u'Attribute Key'),
+ doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'),
+ ),
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Conditions that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of conditions removed'),
+ ),
+ )
+
+
+@register()
+class automember_show(Method):
+ __doc__ = _("Display information about an automember rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='automember_rule',
+ label=_(u'Automember Rule'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'type',
+ cli_metavar="['group', 'hostgroup']",
+ label=_(u'Grouping Type'),
+ doc=_(u'Grouping to which the rule applies'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
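Review bot: The regex options `automemberinclusiveregex` and `automemberexclusiveregex` on `automember_add_condition` and `automember_remove_condition` have no `doc=`, so the only guidance is the module docstring example `--inclusive-regex=^web[1-9]+\.example\.com`, which has no end anchor. If 389-ds applies a condition as an unanchored search, as the explicit `^` suggests, an fqdn such as `web1.example.com.other.test` (constructed example) would also be placed in `webservers` and pick up any access rules tied to that hostgroup. I would end the add-condition and remove-condition examples with `$` (`^web[1-9]+\.example\.com$`) and give both options a line like `doc=_(u'Regex matched against the key attribute; anchor both ends to avoid partial matches')`. If these modules are generated from the server's API metadata, the wording belongs in the source plugin rather than in this copy.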
diff --git a/ipaclient/remote_plugins/2_49/automount.py b/ipaclient/remote_plugins/2_49/automount.py
new file mode 100644
index 000000000..4c7a2c65d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/automount.py
@@ -0,0 +1,1225 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Automount
+
+Stores automount(8) configuration for autofs(8) in IPA.
+
+The base of an automount configuration is the configuration file auto.master.
+This is also the base location in IPA. Multiple auto.master configurations
+can be stored in separate locations. A location is implementation-specific
+with the default being a location named 'default'. For example, you can have
+locations by geographic region, by floor, by type, etc.
+
+Automount has three basic object types: locations, maps and keys.
+
+A location defines a set of maps anchored in auto.master. This allows you
+to store multiple automount configurations. A location in itself isn't
+very interesting, it is just a point to start a new automount map.
+
+A map is roughly equivalent to a discrete automount file and provides
+storage for keys.
+
+A key is a mount point associated with a map.
+
+When a new location is created, two maps are automatically created for
+it: auto.master and auto.direct. auto.master is the root map for all
+automount maps for the location. auto.direct is the default map for
+direct mounts and is mounted on /-.
+
+An automount map may contain a submount key. This key defines a mount
+location within the map that references another map. This can be done
+either using automountmap-add-indirect --parentmap or manually
+with automountkey-add and setting info to "-type=autofs :<mapname>".
+
+EXAMPLES:
+
+Locations:
+
+ Create a named location, "Baltimore":
+ ipa automountlocation-add baltimore
+
+ Display the new location:
+ ipa automountlocation-show baltimore
+
+ Find available locations:
+ ipa automountlocation-find
+
+ Remove a named automount location:
+ ipa automountlocation-del baltimore
+
+ Show what the automount maps would look like if they were in the filesystem:
+ ipa automountlocation-tofiles baltimore
+
+ Import an existing configuration into a location:
+ ipa automountlocation-import baltimore /etc/auto.master
+
+ The import will fail if any duplicate entries are found. For
+ continuous operation where errors are ignored, use the --continue
+ option.
+
+Maps:
+
+ Create a new map, "auto.share":
+ ipa automountmap-add baltimore auto.share
+
+ Display the new map:
+ ipa automountmap-show baltimore auto.share
+
+ Find maps in the location baltimore:
+ ipa automountmap-find baltimore
+
+ Create an indirect map with auto.share as a submount:
+ ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man
+
+ This is equivalent to:
+
+ ipa automountmap-add-indirect baltimore --mount=/man auto.man
+ ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share"
+
+ Remove the auto.share map:
+ ipa automountmap-del baltimore auto.share
+
+Keys:
+
+ Create a new key for the auto.share map in location baltimore. This ties
+ the map we previously created to auto.master:
+ ipa automountkey-add baltimore auto.master --key=/share --info=auto.share
+
+ Create a new key for our auto.share map, an NFS mount for man pages:
+ ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man"
+
+ Find all keys for the auto.share map:
+ ipa automountkey-find baltimore auto.share
+
+ Find all direct automount keys:
+ ipa automountkey-find baltimore --key=/-
+
+ Remove the man key from the auto.share map:
+ ipa automountkey-del baltimore auto.share --key=man
+""")
+
+register = Registry()
+
+
+@register()
+class automountkey(Object):
+ takes_params = (
+ parameters.Str(
+ 'automountkey',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ primary_key=True,
+ label=_(u'description'),
+ exclude=('webui', 'cli'),
+ ),
+ )
+
+
+@register()
+class automountlocation(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+
+
+@register()
+class automountmap(Object):
+ takes_params = (
+ parameters.Str(
+ 'automountmapname',
+ primary_key=True,
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ )
+
+
+@register()
+class automountkey_add(Method):
+ __doc__ = _("Create a new automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountkey_del(Method):
+ __doc__ = _("Delete an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountkey_find(Method):
+ __doc__ = _("Search for an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ required=False,
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountkey_mod(Method):
+ __doc__ = _("Modify an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'newautomountinformation',
+ required=False,
+ cli_name='newinfo',
+ label=_(u'New mount information'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the automount key object'),
+ exclude=('webui',),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountkey_show(Method):
+ __doc__ = _("Display an automount key.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'automountmapautomountmapname',
+ cli_name='automountmap',
+ label=_(u'Map'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'automountkey',
+ cli_name='key',
+ label=_(u'Key'),
+ doc=_(u'Automount key name.'),
+ ),
+ parameters.Str(
+ 'automountinformation',
+ required=False,
+ cli_name='info',
+ label=_(u'Mount information'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_add(Method):
+ __doc__ = _("Create a new automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_del(Method):
+ __doc__ = _("Delete an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_find(Method):
+ __doc__ = _("Search for an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("location")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountlocation_show(Method):
+ __doc__ = _("Display an automount location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountlocation_tofiles(Method):
+ __doc__ = _("Generate automount files for a specific location.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Automount location name.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class automountmap_add(Method):
+ __doc__ = _("Create a new automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_add_indirect(Method):
+ __doc__ = _("Create a new indirect mount point.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'key',
+ cli_name='mount',
+ label=_(u'Mount point'),
+ ),
+ parameters.Str(
+ 'parentmap',
+ required=False,
+ label=_(u'Parent map'),
+ doc=_(u'Name of parent automount map (default: auto.master).'),
+ default=u'auto.master',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_del(Method):
+ __doc__ = _("Delete an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ multivalue=True,
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_find(Method):
+ __doc__ = _("Search for an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'automountmapname',
+ required=False,
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("map")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class automountmap_mod(Method):
+ __doc__ = _("Modify an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class automountmap_show(Method):
+ __doc__ = _("Display an automount map.")
+
+ takes_args = (
+ parameters.Str(
+ 'automountlocationcn',
+ cli_name='automountlocation',
+ label=_(u'Location'),
+ ),
+ parameters.Str(
+ 'automountmapname',
+ cli_name='map',
+ label=_(u'Map'),
+ doc=_(u'Automount map name.'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
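Review bot: The module docstring describes the submount key's info string in two different ways. The prose says `"-type=autofs :<mapname>"`, while the worked example under "Maps" uses `--info="-fstype=autofs ldap:auto.share"`. This text becomes user-facing help, so both places should show the one form the server actually writes (autofs(5) documents `-fstype=`, which suggests the example is the correct one). Separately, `automountkey` marks the optional, UI-excluded `description` as `primary_key=True`, while `automountkey` and `automountinformation` carry no key flag. If that is intentional, a comment such as `# description holds the composed key; key/info are passed as options` would explain why every `automountkey_*` command takes `--key` as an option rather than an argument.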
diff --git a/ipaclient/remote_plugins/2_49/batch.py b/ipaclient/remote_plugins/2_49/batch.py
new file mode 100644
index 000000000..a1f351d33
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/batch.py
@@ -0,0 +1,69 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugin to make multiple ipa calls via one remote procedure call
+
+To run this code in the lite-server
+
+curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json
+
+where the contents of the file batch_request.json follow the below example
+
+{"method":"batch","params":[[
+ {"method":"group_find","params":[[],{}]},
+ {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]},
+ {"method":"user_show","params":[["admin"],{"all":true}]}
+ ],{}],"id":1}
+
+The format of the response is nested the same way. At the top you will see
+ "error": null,
+ "id": 1,
+ "result": {
+ "count": 3,
+ "results": [
+
+
+And then a nested response for each IPA command method sent in the request
+""")
+
+register = Registry()
+
+
+@register()
+class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'methods',
+ required=False,
+ multivalue=True,
+ doc=_(u'Nested Methods to execute'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'count',
+ int,
+ ),
+ output.Output(
+ 'results',
+ (list, tuple),
+ ),
+ )
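Review bot: The curl example in the module docstring combines `--negotiate -u :` with `http://localhost:8888/ipa/json`, so the SPNEGO token and the JSON-RPC body are sent unencrypted and `--cacert /etc/ipa/ca.crt` is never consulted. Because this text is shipped as help, it should say explicitly that plain HTTP applies only to the local lite-server, for example `NOTE: http:// is for the local lite-server only; use https:// with --cacert against a real server.` The sample request also mixes `"all":"true"` (string) in the `user_find` call with `"all":true` (boolean) in `user_show`. Using the boolean in both would stop readers from copying the string form. If this stub is generated from the server plugin, the wording fix belongs in that source docstring.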
diff --git a/ipaclient/remote_plugins/2_49/cert.py b/ipaclient/remote_plugins/2_49/cert.py
new file mode 100644
index 000000000..0e029ff19
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/cert.py
@@ -0,0 +1,209 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+IPA certificate operations
+
+Implements a set of commands for managing server SSL certificates.
+
+Certificate requests exist in the form of a Certificate Signing Request (CSR)
+in PEM format.
+
+If using the selfsign back end then the subject in the CSR needs to match
+the subject configured in the server. The dogtag CA uses just the CN
+value of the CSR and forces the rest of the subject.
+
+A certificate is stored with a service principal and a service principal
+needs a host.
+
+In order to request a certificate:
+
+* The host must exist
+* The service must exist (or you use the --add option to automatically add it)
+
+EXAMPLES:
+
+ Request a new certificate and add the principal:
+ ipa cert-request --add --principal=HTTP/lion.example.com example.csr
+
+ Retrieve an existing certificate:
+ ipa cert-show 1032
+
+ Revoke a certificate (see RFC 5280 for reason details):
+ ipa cert-revoke --revocation-reason=6 1032
+
+ Remove a certificate from revocation hold status:
+ ipa cert-remove-hold 1032
+
+ Check the status of a signing request:
+ ipa cert-status 10
+
+IPA currently immediately issues (or declines) all certificate requests so
+the status of a request is not normally useful. This is for future use
+or the case where a CA does not immediately issue a certificate.
+
+The following revocation reasons are supported:
+
+ * 0 - unspecified
+ * 1 - keyCompromise
+ * 2 - cACompromise
+ * 3 - affiliationChanged
+ * 4 - superseded
+ * 5 - cessationOfOperation
+ * 6 - certificateHold
+ * 8 - removeFromCRL
+ * 9 - privilegeWithdrawn
+ * 10 - aACompromise
+
+Note that reason code 7 is not used. See RFC 5280 for more details:
+
+http://www.ietf.org/rfc/rfc5280.txt
+""")
+
+register = Registry()
+
+
+@register()
+class cert_remove_hold(Command):
+ __doc__ = _("Take a revoked certificate off hold.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_request(Command):
+ __doc__ = _("Submit a certificate signing request.")
+
+ takes_args = (
+ parameters.Str(
+ 'csr',
+ cli_name='csr_file',
+ label=_(u'CSR'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal for this certificate (e.g. HTTP/test.example.com)'),
+ ),
+ parameters.Str(
+ 'request_type',
+ default=u'pkcs10',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'add',
+ doc=_(u"automatically add the principal if it doesn't exist"),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ )
+
+
+@register()
+class cert_revoke(Command):
+ __doc__ = _("Revoke a certificate.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'revocation_reason',
+ label=_(u'Reason'),
+ doc=_(u'Reason for revoking the certificate (0-10)'),
+ default=0,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_show(Command):
+ __doc__ = _("Retrieve an existing certificate.")
+
+ takes_args = (
+ parameters.Str(
+ 'serial_number',
+ label=_(u'Serial number'),
+ doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'out',
+ required=False,
+ label=_(u'Output filename'),
+ doc=_(u'File to store the certificate in.'),
+ exclude=('webui',),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class cert_status(Command):
+ __doc__ = _("Check the status of a certificate signing request.")
+
+ takes_args = (
+ parameters.Str(
+ 'request_id',
+ label=_(u'Request id'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
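Review bot: In `cert_revoke`, `revocation_reason` is declared as a bare `parameters.Int` whose only range information is the doc text "(0-10)". Nothing in this stub rejects an out-of-range value, or the unused code 7 that the module docstring calls out, before the request is sent. If dropping the bounds is not deliberate for this API version, adding `minvalue=0,` and `maxvalue=10,` would restore the client-side check. Either way a comment should state that the server is the enforcing side, e.g. `# range and reason 7 are validated server-side`. The RFC reference in the docstring also uses `http://www.ietf.org/rfc/rfc5280.txt` and could point at the `https://` URL instead.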
diff --git a/ipaclient/remote_plugins/2_49/config.py b/ipaclient/remote_plugins/2_49/config.py
new file mode 100644
index 000000000..41abee8fe
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/config.py
@@ -0,0 +1,394 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Server configuration
+
+Manage the default values that IPA uses and some of its tuning parameters.
+
+NOTES:
+
+The password notification value (--pwdexpnotify) is stored here so it will
+be replicated. It is not currently used to notify users in advance of an
+expiring password.
+
+Some attributes are read-only, provided only for information purposes. These
+include:
+
+Certificate Subject base: the configured certificate subject base,
+ e.g. O=EXAMPLE.COM. This is configurable only at install time.
+Password plug-in features: currently defines additional hashes that the
+ password will generate (there may be other conditions).
+
+When setting the order list for mapping SELinux users you may need to
+quote the value so it isn't interpreted by the shell.
+
+EXAMPLES:
+
+ Show basic server configuration:
+ ipa config-show
+
+ Show all configuration options:
+ ipa config-show --all
+
+ Change maximum username length to 99 characters:
+ ipa config-mod --maxusername=99
+
+ Increase default time and size limits for maximum IPA server search:
+ ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000
+
+ Set default user e-mail domain:
+ ipa config-mod --emaildomain=example.com
+
+ Enable migration mode to make "ipa migrate-ds" command operational:
+ ipa config-mod --enable-migration=TRUE
+
+ Define SELinux user map order:
+ ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
+""")
+
+register = Registry()
+
+
+@register()
+class config(Object):
+ takes_params = (
+ parameters.Int(
+ 'ipamaxusernamelength',
+ label=_(u'Maximum username length'),
+ ),
+ parameters.Str(
+ 'ipahomesrootdir',
+ label=_(u'Home directory base'),
+ doc=_(u'Default location of home directories'),
+ ),
+ parameters.Str(
+ 'ipadefaultloginshell',
+ label=_(u'Default shell'),
+ doc=_(u'Default shell for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultprimarygroup',
+ label=_(u'Default users group'),
+ doc=_(u'Default group for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultemaildomain',
+ required=False,
+ label=_(u'Default e-mail domain'),
+ ),
+ parameters.Int(
+ 'ipasearchtimelimit',
+ label=_(u'Search time limit'),
+ doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'),
+ ),
+ parameters.Int(
+ 'ipasearchrecordslimit',
+ label=_(u'Search size limit'),
+ doc=_(u'Maximum number of records to search (-1 is unlimited)'),
+ ),
+ parameters.Str(
+ 'ipausersearchfields',
+ label=_(u'User search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for users'),
+ ),
+ parameters.Str(
+ 'ipagroupsearchfields',
+ label=_(u'Group search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for groups'),
+ ),
+ parameters.Bool(
+ 'ipamigrationenabled',
+ label=_(u'Enable migration mode'),
+ ),
+ parameters.DNParam(
+ 'ipacertificatesubjectbase',
+ label=_(u'Certificate Subject base'),
+ doc=_(u'Base for certificate subjects (OU=Test,O=Example)'),
+ ),
+ parameters.Str(
+ 'ipagroupobjectclasses',
+ multivalue=True,
+ label=_(u'Default group objectclasses'),
+ doc=_(u'Default group objectclasses (comma-separated list)'),
+ ),
+ parameters.Str(
+ 'ipauserobjectclasses',
+ multivalue=True,
+ label=_(u'Default user objectclasses'),
+ doc=_(u'Default user objectclasses (comma-separated list)'),
+ ),
+ parameters.Int(
+ 'ipapwdexpadvnotify',
+ label=_(u'Password Expiration Notification (days)'),
+ doc=_(u"Number of days's notice of impending password expiration"),
+ ),
+ parameters.Str(
+ 'ipaconfigstring',
+ required=False,
+ multivalue=True,
+ label=_(u'Password plugin features'),
+ doc=_(u'Extra hashes to generate in password plug-in'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermaporder',
+ label=_(u'SELinux user map order'),
+ doc=_(u'Order in increasing priority of SELinux users, delimited by $'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermapdefault',
+ required=False,
+ label=_(u'Default SELinux user'),
+ doc=_(u'Default SELinux user when no match is found in SELinux map rule'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ label=_(u'Default PAC types'),
+ doc=_(u'Default types of PAC supported for services'),
+ ),
+ )
+
+
+@register()
+class config_mod(Method):
+ __doc__ = _("Modify configuration options.")
+
+ takes_options = (
+ parameters.Int(
+ 'ipamaxusernamelength',
+ required=False,
+ cli_name='maxusername',
+ label=_(u'Maximum username length'),
+ ),
+ parameters.Str(
+ 'ipahomesrootdir',
+ required=False,
+ cli_name='homedirectory',
+ label=_(u'Home directory base'),
+ doc=_(u'Default location of home directories'),
+ ),
+ parameters.Str(
+ 'ipadefaultloginshell',
+ required=False,
+ cli_name='defaultshell',
+ label=_(u'Default shell'),
+ doc=_(u'Default shell for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultprimarygroup',
+ required=False,
+ cli_name='defaultgroup',
+ label=_(u'Default users group'),
+ doc=_(u'Default group for new users'),
+ ),
+ parameters.Str(
+ 'ipadefaultemaildomain',
+ required=False,
+ cli_name='emaildomain',
+ label=_(u'Default e-mail domain'),
+ ),
+ parameters.Int(
+ 'ipasearchtimelimit',
+ required=False,
+ cli_name='searchtimelimit',
+ label=_(u'Search time limit'),
+ doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'),
+ ),
+ parameters.Int(
+ 'ipasearchrecordslimit',
+ required=False,
+ cli_name='searchrecordslimit',
+ label=_(u'Search size limit'),
+ doc=_(u'Maximum number of records to search (-1 is unlimited)'),
+ ),
+ parameters.Str(
+ 'ipausersearchfields',
+ required=False,
+ cli_name='usersearch',
+ label=_(u'User search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for users'),
+ ),
+ parameters.Str(
+ 'ipagroupsearchfields',
+ required=False,
+ cli_name='groupsearch',
+ label=_(u'Group search fields'),
+ doc=_(u'A comma-separated list of fields to search in when searching for groups'),
+ ),
+ parameters.Bool(
+ 'ipamigrationenabled',
+ required=False,
+ cli_name='enable_migration',
+ label=_(u'Enable migration mode'),
+ ),
+ parameters.Str(
+ 'ipagroupobjectclasses',
+ required=False,
+ multivalue=True,
+ cli_name='groupobjectclasses',
+ label=_(u'Default group objectclasses'),
+ doc=_(u'Default group objectclasses (comma-separated list)'),
+ ),
+ parameters.Str(
+ 'ipauserobjectclasses',
+ required=False,
+ multivalue=True,
+ cli_name='userobjectclasses',
+ label=_(u'Default user objectclasses'),
+ doc=_(u'Default user objectclasses (comma-separated list)'),
+ ),
+ parameters.Int(
+ 'ipapwdexpadvnotify',
+ required=False,
+ cli_name='pwdexpnotify',
+ label=_(u'Password Expiration Notification (days)'),
+ doc=_(u"Number of days's notice of impending password expiration"),
+ ),
+ parameters.Str(
+ 'ipaconfigstring',
+ required=False,
+ multivalue=True,
+ cli_metavar="['AllowLMhash', 'AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout']",
+ label=_(u'Password plugin features'),
+ doc=_(u'Extra hashes to generate in password plug-in'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermaporder',
+ required=False,
+ label=_(u'SELinux user map order'),
+ doc=_(u'Order in increasing priority of SELinux users, delimited by $'),
+ ),
+ parameters.Str(
+ 'ipaselinuxusermapdefault',
+ required=False,
+ label=_(u'Default SELinux user'),
+ doc=_(u'Default SELinux user when no match is found in SELinux map rule'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD']",
+ label=_(u'Default PAC types'),
+ doc=_(u'Default types of PAC supported for services'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class config_show(Method):
+ __doc__ = _("Show the current configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
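Review bot: The `ipaconfigstring` option of `config_mod` is documented as `Extra hashes to generate in password plug-in`, but its `cli_metavar` also lists `KDC:Disable Last Success` and `KDC:Disable Lockout`, which are not hashes. Judging by their names, these values affect KDC lockout tracking, so the help text hides a security-relevant switch behind a description about hashes. I would reword it to `doc=_(u'Password plug-in and KDC feature flags (extra hashes to generate, KDC lockout and last-success handling)')`, and use the same wording for the `ipaconfigstring` entry in the `config` object and for the "Password plug-in features" paragraph of the module docstring. Separately, `Number of days's notice` in both `ipapwdexpadvnotify` entries should read `Number of days' notice`. If this file mirrors the server's plugin metadata, the wording needs fixing there as well.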
diff --git a/ipaclient/remote_plugins/2_49/delegation.py b/ipaclient/remote_plugins/2_49/delegation.py
new file mode 100644
index 000000000..352f6350e
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/delegation.py
@@ -0,0 +1,384 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Group to Group Delegation
+
+A permission enables fine-grained delegation of permissions. Access Control
+Rules, or instructions (ACIs), grant permission to permissions to perform
+given tasks such as adding a user, modifying a group, etc.
+
+Group to Group Delegations grants the members of one group to update a set
+of attributes of members of another group.
+
+EXAMPLES:
+
+ Add a delegation rule to allow managers to edit employee's addresses:
+ ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"
+
+ When managing the list of attributes you need to include all attributes
+ in the list, including existing ones. Add postalCode to the list:
+ ipa delegation-mod --attrs=street,postalCode --group=managers --membergroup=employees "managers edit employees' street"
+
+ Display our updated rule:
+ ipa delegation-show "managers edit employees' street"
+
+ Delete a rule:
+ ipa delegation-del "managers edit employees' street"
+""")
+
+register = Registry()
+
+
+@register()
+class delegation(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'Delegation name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ ),
+ parameters.Str(
+ 'memberof',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ )
+
+
+@register()
+class delegation_add(Method):
+ __doc__ = _("Add a new delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_del(Method):
+ __doc__ = _("Delete a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_find(Method):
+ __doc__ = _("Search for delegations.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class delegation_mod(Method):
+ __doc__ = _("Modify a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ cli_name='membergroup',
+ label=_(u'Member user group'),
+ doc=_(u'User group to apply delegation to'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ label=_(u'User group'),
+ doc=_(u'User group ACI grants access to'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class delegation_show(Method):
+ __doc__ = _("Display information about a delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Delegation name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py
new file mode 100644
index 000000000..07cef75c2
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/dns.py
@@ -0,0 +1,5063 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Domain Name System (DNS)
+
+Manage DNS zone and resource records.
+
+
+USING STRUCTURED PER-TYPE OPTIONS
+
+There are many structured DNS RR types where DNS data stored in LDAP server
+is not just a scalar value, for example an IP address or a domain name, but
+a data structure which may be often complex. A good example is a LOC record
+[RFC1876] which consists of many mandatory and optional parts (degrees,
+minutes, seconds of latitude and longitude, altitude or precision).
+
+It may be difficult to manipulate such DNS records without making a mistake
+and entering an invalid value. DNS module provides an abstraction over these
+raw records and allows to manipulate each RR type with specific options. For
+each supported RR type, DNS module provides a standard option to manipulate
+a raw records with format --<rrtype>-rec, e.g. --mx-rec, and special options
+for every part of the RR structure with format --<rrtype>-<partname>, e.g.
+--mx-preference and --mx-exchanger.
+
+When adding a record, either RR specific options or standard option for a raw
+value can be used, they just should not be combined in one add operation. When
+modifying an existing entry, new RR specific options can be used to change
+one part of a DNS record, where the standard option for raw value is used
+to specify the modified value. The following example demonstrates
+a modification of MX record preference from 0 to 1 in a record without
+modifying the exchanger:
+ipa dnsrecord-mod --mx-rec="0 mx.example.com." --mx-preference=1
+
+
+EXAMPLES:
+
+ Add new zone:
+ ipa dnszone-add example.com --name-server=ns \
+ --admin-email=admin@example.com \
+ --ip-address=10.0.0.1
+
+ Add system permission that can be used for per-zone privilege delegation:
+ ipa dnszone-add-permission example.com
+
+ Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
+ ipa dnszone-mod example.com --dynamic-update=TRUE
+
+ This is the equivalent of:
+ ipa dnszone-mod example.com --dynamic-update=TRUE \
+ --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
+
+ Modify the zone to allow zone transfers for local network only:
+ ipa dnszone-mod example.com --allow-transfer=10.0.0.0/8
+
+ Add new reverse zone specified by network IP address:
+ ipa dnszone-add --name-from-ip=80.142.15.0/24 \
+ --name-server=ns.example.com.
+
+ Add second nameserver for example.com:
+ ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com
+
+ Add a mail server for example.com:
+ ipa dnsrecord-add example.com @ --mx-rec="10 mail1"
+
+ Add another record using MX record specific options:
+ ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2
+
+ Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod,
+ or dnsrecord-del are executed with no options):
+ ipa dnsrecord-add example.com @
+ Please choose a type of DNS resource record to be added
+ The most common types for this type of zone are: NS, MX, LOC
+
+ DNS resource record type: MX
+ MX Preference: 30
+ MX Exchanger: mail3
+ Record name: example.com
+ MX record: 10 mail1, 20 mail2, 30 mail3
+ NS record: nameserver.example.com., nameserver2.example.com.
+
+ Delete previously added nameserver from example.com:
+ ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.
+
+ Add LOC record for example.com:
+ ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m"
+
+ Add new A record for www.example.com. Create a reverse record in appropriate
+ reverse zone as well. In this case a PTR record "2" pointing to www.example.com
+ will be created in zone 15.142.80.in-addr.arpa.
+ ipa dnsrecord-add example.com www --a-rec=80.142.15.2 --a-create-reverse
+
+ Add new PTR record for www.example.com
+ ipa dnsrecord-add 15.142.80.in-addr.arpa. 2 --ptr-rec=www.example.com.
+
+ Add new SRV records for LDAP servers. Three quarters of the requests
+ should go to fast.example.com, one quarter to slow.example.com. If neither
+ is available, switch to backup.example.com.
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com"
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com"
+ ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"
+
+ The interactive mode can be used for easy modification:
+ ipa dnsrecord-mod example.com _ldap._tcp
+ No option to modify specific record provided.
+ Current DNS record contents:
+
+ SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com
+
+ Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No):
+ Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y
+ SRV Priority [0]: (keep the default value)
+ SRV Weight [1]: 2 (modified value)
+ SRV Port [389]: (keep the default value)
+ SRV Target [slow.example.com]: (keep the default value)
+ 1 SRV record skipped. Only one value per DNS record type can be modified at one time.
+ Record name: _ldap._tcp
+ SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com
+
+ After this modification, three fifths of the requests should go to
+ fast.example.com and two fifths to slow.example.com.
+
+ An example of the interactive mode for dnsrecord-del command:
+ ipa dnsrecord-del example.com www
+ No option to delete specific record provided.
+ Delete all? Yes/No (default No): (do not delete all records)
+ Current DNS record contents:
+
+ A record: 1.2.3.4, 11.22.33.44
+
+ Delete A record '1.2.3.4'? Yes/No (default No):
+ Delete A record '11.22.33.44'? Yes/No (default No): y
+ Record name: www
+ A record: 1.2.3.4 (A record 11.22.33.44 has been deleted)
+
+ Show zone example.com:
+ ipa dnszone-show example.com
+
+ Find zone with "example" in its domain name:
+ ipa dnszone-find example
+
+ Find records for resources with "www" in their name in zone example.com:
+ ipa dnsrecord-find example.com www
+
+ Find A records with value 10.10.0.1 in zone example.com
+ ipa dnsrecord-find example.com --a-rec=10.10.0.1
+
+ Show records for resource www in zone example.com
+ ipa dnsrecord-show example.com www
+
+ Delegate zone sub.example to another nameserver:
+ ipa dnsrecord-add example.com ns.sub --a-rec=10.0.100.5
+ ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
+
+ If global forwarder is configured, all requests to sub.example.com will be
+ routed through the global forwarder. To change the behavior for example.com
+ zone only and forward the request directly to ns.sub.example.com., global
+ forwarding may be disabled per-zone:
+ ipa dnszone-mod example.com --forward-policy=none
+
+ Forward all requests for the zone external.com to another nameserver using
+ a "first" policy (it will send the queries to the selected forwarder and if
+ not answered it will use global resolvers):
+ ipa dnszone-add external.com
+ ipa dnszone-mod external.com --forwarder=10.20.0.1 \
+ --forward-policy=first
+
+ Delete zone example.com with all resource records:
+ ipa dnszone-del example.com
+
+ Resolve a host name to see if it exists (will add default IPA domain
+ if one is not included):
+ ipa dns-resolve www.example.com
+ ipa dns-resolve www
+
+
+GLOBAL DNS CONFIGURATION
+
+DNS configuration passed to command line install script is stored in a local
+configuration file on each IPA server where DNS service is configured. These
+local settings can be overridden with a common configuration stored in LDAP
+server:
+
+ Show global DNS configuration:
+ ipa dnsconfig-show
+
+ Modify global DNS configuration and set a list of global forwarders:
+ ipa dnsconfig-mod --forwarder=10.0.0.1
+""")
+
+register = Registry()
+
+
+@register()
+class dnsconfig(Object):
+ takes_params = (
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Global forwarders'),
+ doc=_(u'A list of global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'),
+ ),
+ parameters.Int(
+ 'idnszonerefresh',
+ required=False,
+ label=_(u'Zone refresh interval'),
+ doc=_(u'An interval between regular polls of the name server for new DNS zones'),
+ ),
+ )
+
+
+@register()
+class dnsrecord(Object):
+ takes_params = (
+ parameters.Str(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Record name'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ label=_(u'Class'),
+ doc=_(u'DNS class'),
+ ),
+ parameters.Str(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+ ),
+ parameters.Str(
+ 'dnstype',
+ required=False,
+ label=_(u'Record type'),
+ ),
+ parameters.Str(
+ 'dnsdata',
+ required=False,
+ label=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ label=_(u'A record'),
+ doc=_(u'Comma-separated list of raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'a_extra_create_reverse',
+ required=False,
+ label=_(u'A Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ label=_(u'AAAA record'),
+ doc=_(u'Comma-separated list of raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'aaaa_extra_create_reverse',
+ required=False,
+ label=_(u'AAAA Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ label=_(u'A6 record'),
+ doc=_(u'Comma-separated list of raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'AFSDB record'),
+ doc=_(u'Comma-separated list of raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.Str(
+ 'afsdb_part_hostname',
+ required=False,
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'APL record'),
+ doc=_(u'Comma-separated list of raw APL records'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'CERT record'),
+ doc=_(u'Comma-separated list of raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ label=_(u'CNAME record'),
+ doc=_(u'Comma-separated list of raw CNAME records'),
+ ),
+ parameters.Str(
+ 'cname_part_hostname',
+ required=False,
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DHCID record'),
+ doc=_(u'Comma-separated list of raw DHCID records'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DLV record'),
+ doc=_(u'Comma-separated list of raw DLV records'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DNAME record'),
+ doc=_(u'Comma-separated list of raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dname_part_target',
+ required=False,
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DNSKEY record'),
+ doc=_(u'Comma-separated list of raw DNSKEY records'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'DS record'),
+ doc=_(u'Comma-separated list of raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'HIP record'),
+ doc=_(u'Comma-separated list of raw HIP records'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Comma-separated list of raw IPSECKEY records'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'KEY record'),
+ doc=_(u'Comma-separated list of raw KEY records'),
+ ),
+ parameters.Int(
+ 'key_part_flags',
+ required=False,
+ label=_(u'KEY Flags'),
+ doc=_(u'Flags'),
+ ),
+ parameters.Int(
+ 'key_part_protocol',
+ required=False,
+ label=_(u'KEY Protocol'),
+ doc=_(u'Protocol'),
+ ),
+ parameters.Int(
+ 'key_part_algorithm',
+ required=False,
+ label=_(u'KEY Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'key_part_public_key',
+ required=False,
+ label=_(u'KEY Public Key'),
+ doc=_(u'Public Key'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'KX record'),
+ doc=_(u'Comma-separated list of raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.Str(
+ 'kx_part_exchanger',
+ required=False,
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'LOC record'),
+ doc=_(u'Comma-separated list of raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'MX record'),
+ doc=_(u'Comma-separated list of raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.Str(
+ 'mx_part_exchanger',
+ required=False,
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NAPTR record'),
+ doc=_(u'Comma-separated list of raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NS record'),
+ doc=_(u'Comma-separated list of raw NS records'),
+ ),
+ parameters.Str(
+ 'ns_part_hostname',
+ required=False,
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NSEC record'),
+ doc=_(u'Comma-separated list of raw NSEC records'),
+ ),
+ parameters.Str(
+ 'nsec_part_next',
+ required=False,
+ label=_(u'NSEC Next Domain Name'),
+ doc=_(u'Next Domain Name'),
+ ),
+ parameters.Str(
+ 'nsec_part_types',
+ required=False,
+ multivalue=True,
+ label=_(u'NSEC Type Map'),
+ doc=_(u'Type Map'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ label=_(u'NSEC3 record'),
+ doc=_(u'Comma-separated list of raw NSEC3 records'),
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'Comma-separated list of raw NSEC3PARAM records'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'PTR record'),
+ doc=_(u'Comma-separated list of raw PTR records'),
+ ),
+ parameters.Str(
+ 'ptr_part_hostname',
+ required=False,
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'RRSIG record'),
+ doc=_(u'Comma-separated list of raw RRSIG records'),
+ ),
+ parameters.Str(
+ 'rrsig_part_type_covered',
+ required=False,
+ label=_(u'RRSIG Type Covered'),
+ doc=_(u'Type Covered'),
+ ),
+ parameters.Int(
+ 'rrsig_part_algorithm',
+ required=False,
+ label=_(u'RRSIG Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'rrsig_part_labels',
+ required=False,
+ label=_(u'RRSIG Labels'),
+ doc=_(u'Labels'),
+ ),
+ parameters.Int(
+ 'rrsig_part_original_ttl',
+ required=False,
+ label=_(u'RRSIG Original TTL'),
+ doc=_(u'Original TTL'),
+ ),
+ parameters.Str(
+ 'rrsig_part_signature_expiration',
+ required=False,
+ label=_(u'RRSIG Signature Expiration'),
+ doc=_(u'Signature Expiration'),
+ ),
+ parameters.Str(
+ 'rrsig_part_signature_inception',
+ required=False,
+ label=_(u'RRSIG Signature Inception'),
+ doc=_(u'Signature Inception'),
+ ),
+ parameters.Int(
+ 'rrsig_part_key_tag',
+ required=False,
+ label=_(u'RRSIG Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Str(
+ 'rrsig_part_signers_name',
+ required=False,
+ label=_(u"RRSIG Signer's Name"),
+ doc=_(u"Signer's Name"),
+ ),
+ parameters.Str(
+ 'rrsig_part_signature',
+ required=False,
+ label=_(u'RRSIG Signature'),
+ doc=_(u'Signature'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'RP record'),
+ doc=_(u'Comma-separated list of raw RP records'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SIG record'),
+ doc=_(u'Comma-separated list of raw SIG records'),
+ ),
+ parameters.Str(
+ 'sig_part_type_covered',
+ required=False,
+ label=_(u'SIG Type Covered'),
+ doc=_(u'Type Covered'),
+ ),
+ parameters.Int(
+ 'sig_part_algorithm',
+ required=False,
+ label=_(u'SIG Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sig_part_labels',
+ required=False,
+ label=_(u'SIG Labels'),
+ doc=_(u'Labels'),
+ ),
+ parameters.Int(
+ 'sig_part_original_ttl',
+ required=False,
+ label=_(u'SIG Original TTL'),
+ doc=_(u'Original TTL'),
+ ),
+ parameters.Str(
+ 'sig_part_signature_expiration',
+ required=False,
+ label=_(u'SIG Signature Expiration'),
+ doc=_(u'Signature Expiration'),
+ ),
+ parameters.Str(
+ 'sig_part_signature_inception',
+ required=False,
+ label=_(u'SIG Signature Inception'),
+ doc=_(u'Signature Inception'),
+ ),
+ parameters.Int(
+ 'sig_part_key_tag',
+ required=False,
+ label=_(u'SIG Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Str(
+ 'sig_part_signers_name',
+ required=False,
+ label=_(u"SIG Signer's Name"),
+ doc=_(u"Signer's Name"),
+ ),
+ parameters.Str(
+ 'sig_part_signature',
+ required=False,
+ label=_(u'SIG Signature'),
+ doc=_(u'Signature'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SPF record'),
+ doc=_(u'Comma-separated list of raw SPF records'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SRV record'),
+ doc=_(u'Comma-separated list of raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.Str(
+ 'srv_part_target',
+ required=False,
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ label=_(u'SSHFP record'),
+ doc=_(u'Comma-separated list of raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TA record'),
+ doc=_(u'Comma-separated list of raw TA records'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TKEY record'),
+ doc=_(u'Comma-separated list of raw TKEY records'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TSIG record'),
+ doc=_(u'Comma-separated list of raw TSIG records'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ label=_(u'TXT record'),
+ doc=_(u'Comma-separated list of raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ )
+
+
+@register()
+class dnszone(Object):
+ takes_params = (
+ parameters.Str(
+ 'idnsname',
+ primary_key=True,
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnssoamname',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ ),
+ parameters.Str(
+ 'idnssoarname',
+ label=_(u'Administrator e-mail address'),
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ label=_(u'SOA time to live'),
+ doc=_(u'SOA record time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ label=_(u'SOA class'),
+ doc=_(u'SOA record class'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ label=_(u'BIND update policy'),
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ label=_(u'Zone forwarders'),
+ doc=_(u'A list of per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ )
+
+
+@register()
+class dns_is_enabled(Command):
+ __doc__ = _("Checks if any of the servers has the DNS service enabled.")
+
+ NO_CLI = True
+
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dns_resolve(Command):
+ __doc__ = _("Resolve a host name in DNS.")
+
+ takes_args = (
+ parameters.Str(
+ 'hostname',
+ label=_(u'Hostname'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsconfig_mod(Method):
+ __doc__ = _("Modify global DNS configuration.")
+
+ takes_options = (
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Global forwarders'),
+ doc=_(u'A list of global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'),
+ ),
+ parameters.Int(
+ 'idnszonerefresh',
+ required=False,
+ cli_name='zone_refresh',
+ label=_(u'Zone refresh interval'),
+ doc=_(u'An interval between regular polls of the name server for new DNS zones'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsconfig_show(Method):
+ __doc__ = _("Show the current global DNS configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_add(Method):
+ __doc__ = _("Add new DNS resource record.")
+
+ takes_args = (
+ parameters.Str(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ ),
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ label=_(u'Class'),
+ doc=_(u'DNS class'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ option_group=u'A Record',
+ label=_(u'A record'),
+ doc=_(u'Comma-separated list of raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ cli_name='a_ip_address',
+ option_group=u'A Record',
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'a_extra_create_reverse',
+ required=False,
+ cli_name='a_create_reverse',
+ option_group=u'A Record',
+ label=_(u'A Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA record'),
+ doc=_(u'Comma-separated list of raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ cli_name='aaaa_ip_address',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Flag(
+ 'aaaa_extra_create_reverse',
+ required=False,
+ cli_name='aaaa_create_reverse',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA Create reverse'),
+ doc=_(u'Create reverse record for this IP Address'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ option_group=u'A6 Record',
+ label=_(u'A6 record'),
+ doc=_(u'Comma-separated list of raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ cli_name='a6_data',
+ option_group=u'A6 Record',
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB record'),
+ doc=_(u'Comma-separated list of raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ cli_name='afsdb_subtype',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.Str(
+ 'afsdb_part_hostname',
+ required=False,
+ cli_name='afsdb_hostname',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ option_group=u'APL Record',
+ label=_(u'APL record'),
+ doc=_(u'Comma-separated list of raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ option_group=u'CERT Record',
+ label=_(u'CERT record'),
+ doc=_(u'Comma-separated list of raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ cli_name='cert_type',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ cli_name='cert_key_tag',
+ option_group=u'CERT Record',
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ cli_name='cert_algorithm',
+ option_group=u'CERT Record',
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ cli_name='cert_certificate_or_crl',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME record'),
+ doc=_(u'Comma-separated list of raw CNAME records'),
+ ),
+ parameters.Str(
+ 'cname_part_hostname',
+ required=False,
+ cli_name='cname_hostname',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ option_group=u'DHCID Record',
+ label=_(u'DHCID record'),
+ doc=_(u'Comma-separated list of raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ option_group=u'DLV Record',
+ label=_(u'DLV record'),
+ doc=_(u'Comma-separated list of raw DLV records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME record'),
+ doc=_(u'Comma-separated list of raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dname_part_target',
+ required=False,
+ cli_name='dname_target',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ option_group=u'DNSKEY Record',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Comma-separated list of raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ option_group=u'DS Record',
+ label=_(u'DS record'),
+ doc=_(u'Comma-separated list of raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ cli_name='ds_key_tag',
+ option_group=u'DS Record',
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ cli_name='ds_algorithm',
+ option_group=u'DS Record',
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ cli_name='ds_digest_type',
+ option_group=u'DS Record',
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ cli_name='ds_digest',
+ option_group=u'DS Record',
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ option_group=u'HIP Record',
+ label=_(u'HIP record'),
+ doc=_(u'Comma-separated list of raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ option_group=u'IPSECKEY Record',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Comma-separated list of raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ option_group=u'KEY Record',
+ label=_(u'KEY record'),
+ doc=_(u'Comma-separated list of raw KEY records'),
+ ),
+ parameters.Int(
+ 'key_part_flags',
+ required=False,
+ cli_name='key_flags',
+ option_group=u'KEY Record',
+ label=_(u'KEY Flags'),
+ doc=_(u'Flags'),
+ ),
+ parameters.Int(
+ 'key_part_protocol',
+ required=False,
+ cli_name='key_protocol',
+ option_group=u'KEY Record',
+ label=_(u'KEY Protocol'),
+ doc=_(u'Protocol'),
+ ),
+ parameters.Int(
+ 'key_part_algorithm',
+ required=False,
+ cli_name='key_algorithm',
+ option_group=u'KEY Record',
+ label=_(u'KEY Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'key_part_public_key',
+ required=False,
+ cli_name='key_public_key',
+ option_group=u'KEY Record',
+ label=_(u'KEY Public Key'),
+ doc=_(u'Public Key'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ option_group=u'KX Record',
+ label=_(u'KX record'),
+ doc=_(u'Comma-separated list of raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ cli_name='kx_preference',
+ option_group=u'KX Record',
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.Str(
+ 'kx_part_exchanger',
+ required=False,
+ cli_name='kx_exchanger',
+ option_group=u'KX Record',
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ option_group=u'LOC Record',
+ label=_(u'LOC record'),
+ doc=_(u'Comma-separated list of raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ cli_name='loc_lat_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ cli_name='loc_lat_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ cli_name='loc_lat_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ cli_name='loc_lat_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['N', 'S']",
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ cli_name='loc_lon_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ cli_name='loc_lon_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ cli_name='loc_lon_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ cli_name='loc_lon_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['E', 'W']",
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ cli_name='loc_altitude',
+ option_group=u'LOC Record',
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ cli_name='loc_size',
+ option_group=u'LOC Record',
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ cli_name='loc_h_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ cli_name='loc_v_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ option_group=u'MX Record',
+ label=_(u'MX record'),
+ doc=_(u'Comma-separated list of raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ cli_name='mx_preference',
+ option_group=u'MX Record',
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.Str(
+ 'mx_part_exchanger',
+ required=False,
+ cli_name='mx_exchanger',
+ option_group=u'MX Record',
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR record'),
+ doc=_(u'Comma-separated list of raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ cli_name='naptr_order',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ cli_name='naptr_preference',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ cli_name='naptr_flags',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ cli_name='naptr_service',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ cli_name='naptr_regexp',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ cli_name='naptr_replacement',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ option_group=u'NS Record',
+ label=_(u'NS record'),
+ doc=_(u'Comma-separated list of raw NS records'),
+ ),
+ parameters.Str(
+ 'ns_part_hostname',
+ required=False,
+ cli_name='ns_hostname',
+ option_group=u'NS Record',
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC record'),
+ doc=_(u'Comma-separated list of raw NSEC records'),
+ ),
+ parameters.Str(
+ 'nsec_part_next',
+ required=False,
+ cli_name='nsec_next',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC Next Domain Name'),
+ doc=_(u'Next Domain Name'),
+ ),
+ parameters.Str(
+ 'nsec_part_types',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_types',
+ option_group=u'NSEC Record',
+ cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SIG', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']",
+ label=_(u'NSEC Type Map'),
+ doc=_(u'Type Map'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ option_group=u'NSEC3 Record',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Comma-separated list of raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3param_rec',
+ option_group=u'NSEC3PARAM Record',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'Comma-separated list of raw NSEC3PARAM records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ option_group=u'PTR Record',
+ label=_(u'PTR record'),
+ doc=_(u'Comma-separated list of raw PTR records'),
+ ),
+ parameters.Str(
+ 'ptr_part_hostname',
+ required=False,
+ cli_name='ptr_hostname',
+ option_group=u'PTR Record',
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG record'),
+ doc=_(u'Comma-separated list of raw RRSIG records'),
+ ),
+ parameters.Str(
+ 'rrsig_part_type_covered',
+ required=False,
+ cli_name='rrsig_type_covered',
+ option_group=u'RRSIG Record',
+ cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']",
+ label=_(u'RRSIG Type Covered'),
+ doc=_(u'Type Covered'),
+ ),
+ parameters.Int(
+ 'rrsig_part_algorithm',
+ required=False,
+ cli_name='rrsig_algorithm',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'rrsig_part_labels',
+ required=False,
+ cli_name='rrsig_labels',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Labels'),
+ doc=_(u'Labels'),
+ ),
+ parameters.Int(
+ 'rrsig_part_original_ttl',
+ required=False,
+ cli_name='rrsig_original_ttl',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Original TTL'),
+ doc=_(u'Original TTL'),
+ ),
+ parameters.Str(
+ 'rrsig_part_signature_expiration',
+ required=False,
+ cli_name='rrsig_signature_expiration',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Signature Expiration'),
+ doc=_(u'Signature Expiration'),
+ ),
+ parameters.Str(
+ 'rrsig_part_signature_inception',
+ required=False,
+ cli_name='rrsig_signature_inception',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Signature Inception'),
+ doc=_(u'Signature Inception'),
+ ),
+ parameters.Int(
+ 'rrsig_part_key_tag',
+ required=False,
+ cli_name='rrsig_key_tag',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Str(
+ 'rrsig_part_signers_name',
+ required=False,
+ cli_name='rrsig_signers_name',
+ option_group=u'RRSIG Record',
+ label=_(u"RRSIG Signer's Name"),
+ doc=_(u"Signer's Name"),
+ ),
+ parameters.Str(
+ 'rrsig_part_signature',
+ required=False,
+ cli_name='rrsig_signature',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Signature'),
+ doc=_(u'Signature'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ option_group=u'RP Record',
+ label=_(u'RP record'),
+ doc=_(u'Comma-separated list of raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ option_group=u'SIG Record',
+ label=_(u'SIG record'),
+ doc=_(u'Comma-separated list of raw SIG records'),
+ ),
+ parameters.Str(
+ 'sig_part_type_covered',
+ required=False,
+ cli_name='sig_type_covered',
+ option_group=u'SIG Record',
+ cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']",
+ label=_(u'SIG Type Covered'),
+ doc=_(u'Type Covered'),
+ ),
+ parameters.Int(
+ 'sig_part_algorithm',
+ required=False,
+ cli_name='sig_algorithm',
+ option_group=u'SIG Record',
+ label=_(u'SIG Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sig_part_labels',
+ required=False,
+ cli_name='sig_labels',
+ option_group=u'SIG Record',
+ label=_(u'SIG Labels'),
+ doc=_(u'Labels'),
+ ),
+ parameters.Int(
+ 'sig_part_original_ttl',
+ required=False,
+ cli_name='sig_original_ttl',
+ option_group=u'SIG Record',
+ label=_(u'SIG Original TTL'),
+ doc=_(u'Original TTL'),
+ ),
+ parameters.Str(
+ 'sig_part_signature_expiration',
+ required=False,
+ cli_name='sig_signature_expiration',
+ option_group=u'SIG Record',
+ label=_(u'SIG Signature Expiration'),
+ doc=_(u'Signature Expiration'),
+ ),
+ parameters.Str(
+ 'sig_part_signature_inception',
+ required=False,
+ cli_name='sig_signature_inception',
+ option_group=u'SIG Record',
+ label=_(u'SIG Signature Inception'),
+ doc=_(u'Signature Inception'),
+ ),
+ parameters.Int(
+ 'sig_part_key_tag',
+ required=False,
+ cli_name='sig_key_tag',
+ option_group=u'SIG Record',
+ label=_(u'SIG Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Str(
+ 'sig_part_signers_name',
+ required=False,
+ cli_name='sig_signers_name',
+ option_group=u'SIG Record',
+ label=_(u"SIG Signer's Name"),
+ doc=_(u"Signer's Name"),
+ ),
+ parameters.Str(
+ 'sig_part_signature',
+ required=False,
+ cli_name='sig_signature',
+ option_group=u'SIG Record',
+ label=_(u'SIG Signature'),
+ doc=_(u'Signature'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ option_group=u'SPF Record',
+ label=_(u'SPF record'),
+ doc=_(u'Comma-separated list of raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ option_group=u'SRV Record',
+ label=_(u'SRV record'),
+ doc=_(u'Comma-separated list of raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ cli_name='srv_priority',
+ option_group=u'SRV Record',
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ cli_name='srv_weight',
+ option_group=u'SRV Record',
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ cli_name='srv_port',
+ option_group=u'SRV Record',
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.Str(
+ 'srv_part_target',
+ required=False,
+ cli_name='srv_target',
+ option_group=u'SRV Record',
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP record'),
+ doc=_(u'Comma-separated list of raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ cli_name='sshfp_algorithm',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ cli_name='sshfp_fp_type',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ cli_name='sshfp_fingerprint',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ option_group=u'TA Record',
+ label=_(u'TA record'),
+ doc=_(u'Comma-separated list of raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ option_group=u'TKEY Record',
+ label=_(u'TKEY record'),
+ doc=_(u'Comma-separated list of raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ option_group=u'TSIG Record',
+ label=_(u'TSIG record'),
+ doc=_(u'Comma-separated list of raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ option_group=u'TXT Record',
+ label=_(u'TXT record'),
+ doc=_(u'Comma-separated list of raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ cli_name='txt_data',
+ option_group=u'TXT Record',
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force NS record creation even if its hostname is not in DNS'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_del(Method):
+ __doc__ = _("Delete DNS resource record.")
+
+ takes_args = (
+ parameters.Str(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ ),
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ label=_(u'Class'),
+ doc=_(u'DNS class'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ label=_(u'A record'),
+ doc=_(u'Comma-separated list of raw A records'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ label=_(u'AAAA record'),
+ doc=_(u'Comma-separated list of raw AAAA records'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ label=_(u'A6 record'),
+ doc=_(u'Comma-separated list of raw A6 records'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ label=_(u'AFSDB record'),
+ doc=_(u'Comma-separated list of raw AFSDB records'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ label=_(u'APL record'),
+ doc=_(u'Comma-separated list of raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ label=_(u'CERT record'),
+ doc=_(u'Comma-separated list of raw CERT records'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ label=_(u'CNAME record'),
+ doc=_(u'Comma-separated list of raw CNAME records'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ label=_(u'DHCID record'),
+ doc=_(u'Comma-separated list of raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ label=_(u'DLV record'),
+ doc=_(u'Comma-separated list of raw DLV records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ label=_(u'DNAME record'),
+ doc=_(u'Comma-separated list of raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Comma-separated list of raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ label=_(u'DS record'),
+ doc=_(u'Comma-separated list of raw DS records'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ label=_(u'HIP record'),
+ doc=_(u'Comma-separated list of raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Comma-separated list of raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ label=_(u'KEY record'),
+ doc=_(u'Comma-separated list of raw KEY records'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ label=_(u'KX record'),
+ doc=_(u'Comma-separated list of raw KX records'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ label=_(u'LOC record'),
+ doc=_(u'Comma-separated list of raw LOC records'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ label=_(u'MX record'),
+ doc=_(u'Comma-separated list of raw MX records'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ label=_(u'NAPTR record'),
+ doc=_(u'Comma-separated list of raw NAPTR records'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ label=_(u'NS record'),
+ doc=_(u'Comma-separated list of raw NS records'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ label=_(u'NSEC record'),
+ doc=_(u'Comma-separated list of raw NSEC records'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Comma-separated list of raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'Comma-separated list of raw NSEC3PARAM records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ label=_(u'PTR record'),
+ doc=_(u'Comma-separated list of raw PTR records'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ label=_(u'RRSIG record'),
+ doc=_(u'Comma-separated list of raw RRSIG records'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ label=_(u'RP record'),
+ doc=_(u'Comma-separated list of raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ label=_(u'SIG record'),
+ doc=_(u'Comma-separated list of raw SIG records'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ label=_(u'SPF record'),
+ doc=_(u'Comma-separated list of raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ label=_(u'SRV record'),
+ doc=_(u'Comma-separated list of raw SRV records'),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ label=_(u'SSHFP record'),
+ doc=_(u'Comma-separated list of raw SSHFP records'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ label=_(u'TA record'),
+ doc=_(u'Comma-separated list of raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ label=_(u'TKEY record'),
+ doc=_(u'Comma-separated list of raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ label=_(u'TSIG record'),
+ doc=_(u'Comma-separated list of raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ label=_(u'TXT record'),
+ doc=_(u'Comma-separated list of raw TXT records'),
+ ),
+ parameters.Flag(
+ 'del_all',
+ label=_(u'Delete all associated records'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_delentry(Method):
+ __doc__ = _("Delete DNS record entry.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ ),
+ parameters.Str(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_find(Method):
+ __doc__ = _("Search for DNS resources.")
+
+ takes_args = (
+ parameters.Str(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ label=_(u'Class'),
+ doc=_(u'DNS class'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ label=_(u'A record'),
+ doc=_(u'Comma-separated list of raw A records'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ label=_(u'AAAA record'),
+ doc=_(u'Comma-separated list of raw AAAA records'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ label=_(u'A6 record'),
+ doc=_(u'Comma-separated list of raw A6 records'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ label=_(u'AFSDB record'),
+ doc=_(u'Comma-separated list of raw AFSDB records'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ label=_(u'APL record'),
+ doc=_(u'Comma-separated list of raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ label=_(u'CERT record'),
+ doc=_(u'Comma-separated list of raw CERT records'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ label=_(u'CNAME record'),
+ doc=_(u'Comma-separated list of raw CNAME records'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ label=_(u'DHCID record'),
+ doc=_(u'Comma-separated list of raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ label=_(u'DLV record'),
+ doc=_(u'Comma-separated list of raw DLV records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ label=_(u'DNAME record'),
+ doc=_(u'Comma-separated list of raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Comma-separated list of raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ label=_(u'DS record'),
+ doc=_(u'Comma-separated list of raw DS records'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ label=_(u'HIP record'),
+ doc=_(u'Comma-separated list of raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Comma-separated list of raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ label=_(u'KEY record'),
+ doc=_(u'Comma-separated list of raw KEY records'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ label=_(u'KX record'),
+ doc=_(u'Comma-separated list of raw KX records'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ label=_(u'LOC record'),
+ doc=_(u'Comma-separated list of raw LOC records'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ label=_(u'MX record'),
+ doc=_(u'Comma-separated list of raw MX records'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ label=_(u'NAPTR record'),
+ doc=_(u'Comma-separated list of raw NAPTR records'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ label=_(u'NS record'),
+ doc=_(u'Comma-separated list of raw NS records'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ label=_(u'NSEC record'),
+ doc=_(u'Comma-separated list of raw NSEC records'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Comma-separated list of raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3param_rec',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'Comma-separated list of raw NSEC3PARAM records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ label=_(u'PTR record'),
+ doc=_(u'Comma-separated list of raw PTR records'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ label=_(u'RRSIG record'),
+ doc=_(u'Comma-separated list of raw RRSIG records'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ label=_(u'RP record'),
+ doc=_(u'Comma-separated list of raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ label=_(u'SIG record'),
+ doc=_(u'Comma-separated list of raw SIG records'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ label=_(u'SPF record'),
+ doc=_(u'Comma-separated list of raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ label=_(u'SRV record'),
+ doc=_(u'Comma-separated list of raw SRV records'),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ label=_(u'SSHFP record'),
+ doc=_(u'Comma-separated list of raw SSHFP records'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ label=_(u'TA record'),
+ doc=_(u'Comma-separated list of raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ label=_(u'TKEY record'),
+ doc=_(u'Comma-separated list of raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ label=_(u'TSIG record'),
+ doc=_(u'Comma-separated list of raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ label=_(u'TXT record'),
+ doc=_(u'Comma-separated list of raw TXT records'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnsrecord_mod(Method):
+ __doc__ = _("Modify a DNS resource record.")
+
+ takes_args = (
+ parameters.Str(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ ),
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ label=_(u'Class'),
+ doc=_(u'DNS class'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ option_group=u'A Record',
+ label=_(u'A record'),
+ doc=_(u'Comma-separated list of raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ cli_name='a_ip_address',
+ option_group=u'A Record',
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA record'),
+ doc=_(u'Comma-separated list of raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ cli_name='aaaa_ip_address',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ option_group=u'A6 Record',
+ label=_(u'A6 record'),
+ doc=_(u'Comma-separated list of raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ cli_name='a6_data',
+ option_group=u'A6 Record',
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB record'),
+ doc=_(u'Comma-separated list of raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ cli_name='afsdb_subtype',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.Str(
+ 'afsdb_part_hostname',
+ required=False,
+ cli_name='afsdb_hostname',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ option_group=u'APL Record',
+ label=_(u'APL record'),
+ doc=_(u'Comma-separated list of raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ option_group=u'CERT Record',
+ label=_(u'CERT record'),
+ doc=_(u'Comma-separated list of raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ cli_name='cert_type',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ cli_name='cert_key_tag',
+ option_group=u'CERT Record',
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ cli_name='cert_algorithm',
+ option_group=u'CERT Record',
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ cli_name='cert_certificate_or_crl',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME record'),
+ doc=_(u'Comma-separated list of raw CNAME records'),
+ ),
+ parameters.Str(
+ 'cname_part_hostname',
+ required=False,
+ cli_name='cname_hostname',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ option_group=u'DHCID Record',
+ label=_(u'DHCID record'),
+ doc=_(u'Comma-separated list of raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ option_group=u'DLV Record',
+ label=_(u'DLV record'),
+ doc=_(u'Comma-separated list of raw DLV records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME record'),
+ doc=_(u'Comma-separated list of raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dname_part_target',
+ required=False,
+ cli_name='dname_target',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ option_group=u'DNSKEY Record',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Comma-separated list of raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ option_group=u'DS Record',
+ label=_(u'DS record'),
+ doc=_(u'Comma-separated list of raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ cli_name='ds_key_tag',
+ option_group=u'DS Record',
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ cli_name='ds_algorithm',
+ option_group=u'DS Record',
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ cli_name='ds_digest_type',
+ option_group=u'DS Record',
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ cli_name='ds_digest',
+ option_group=u'DS Record',
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ option_group=u'HIP Record',
+ label=_(u'HIP record'),
+ doc=_(u'Comma-separated list of raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ option_group=u'IPSECKEY Record',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Comma-separated list of raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ option_group=u'KEY Record',
+ label=_(u'KEY record'),
+ doc=_(u'Comma-separated list of raw KEY records'),
+ ),
+ parameters.Int(
+ 'key_part_flags',
+ required=False,
+ cli_name='key_flags',
+ option_group=u'KEY Record',
+ label=_(u'KEY Flags'),
+ doc=_(u'Flags'),
+ ),
+ parameters.Int(
+ 'key_part_protocol',
+ required=False,
+ cli_name='key_protocol',
+ option_group=u'KEY Record',
+ label=_(u'KEY Protocol'),
+ doc=_(u'Protocol'),
+ ),
+ parameters.Int(
+ 'key_part_algorithm',
+ required=False,
+ cli_name='key_algorithm',
+ option_group=u'KEY Record',
+ label=_(u'KEY Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'key_part_public_key',
+ required=False,
+ cli_name='key_public_key',
+ option_group=u'KEY Record',
+ label=_(u'KEY Public Key'),
+ doc=_(u'Public Key'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ option_group=u'KX Record',
+ label=_(u'KX record'),
+ doc=_(u'Comma-separated list of raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ cli_name='kx_preference',
+ option_group=u'KX Record',
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.Str(
+ 'kx_part_exchanger',
+ required=False,
+ cli_name='kx_exchanger',
+ option_group=u'KX Record',
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ option_group=u'LOC Record',
+ label=_(u'LOC record'),
+ doc=_(u'Comma-separated list of raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ cli_name='loc_lat_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ cli_name='loc_lat_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ cli_name='loc_lat_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ cli_name='loc_lat_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['N', 'S']",
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ cli_name='loc_lon_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ cli_name='loc_lon_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ cli_name='loc_lon_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ cli_name='loc_lon_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['E', 'W']",
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ cli_name='loc_altitude',
+ option_group=u'LOC Record',
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ cli_name='loc_size',
+ option_group=u'LOC Record',
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ cli_name='loc_h_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ cli_name='loc_v_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ option_group=u'MX Record',
+ label=_(u'MX record'),
+ doc=_(u'Comma-separated list of raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ cli_name='mx_preference',
+ option_group=u'MX Record',
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.Str(
+ 'mx_part_exchanger',
+ required=False,
+ cli_name='mx_exchanger',
+ option_group=u'MX Record',
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR record'),
+ doc=_(u'Comma-separated list of raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ cli_name='naptr_order',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ cli_name='naptr_preference',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ cli_name='naptr_flags',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ cli_name='naptr_service',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ cli_name='naptr_regexp',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ cli_name='naptr_replacement',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ option_group=u'NS Record',
+ label=_(u'NS record'),
+ doc=_(u'Comma-separated list of raw NS records'),
+ ),
+ parameters.Str(
+ 'ns_part_hostname',
+ required=False,
+ cli_name='ns_hostname',
+ option_group=u'NS Record',
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC record'),
+ doc=_(u'Comma-separated list of raw NSEC records'),
+ ),
+ parameters.Str(
+ 'nsec_part_next',
+ required=False,
+ cli_name='nsec_next',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC Next Domain Name'),
+ doc=_(u'Next Domain Name'),
+ ),
+ parameters.Str(
+ 'nsec_part_types',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_types',
+ option_group=u'NSEC Record',
+ cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SIG', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']",
+ label=_(u'NSEC Type Map'),
+ doc=_(u'Type Map'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ option_group=u'NSEC3 Record',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Comma-separated list of raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3paramrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3param_rec',
+ option_group=u'NSEC3PARAM Record',
+ label=_(u'NSEC3PARAM record'),
+ doc=_(u'Comma-separated list of raw NSEC3PARAM records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ option_group=u'PTR Record',
+ label=_(u'PTR record'),
+ doc=_(u'Comma-separated list of raw PTR records'),
+ ),
+ parameters.Str(
+ 'ptr_part_hostname',
+ required=False,
+ cli_name='ptr_hostname',
+ option_group=u'PTR Record',
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG record'),
+ doc=_(u'Comma-separated list of raw RRSIG records'),
+ ),
+ parameters.Str(
+ 'rrsig_part_type_covered',
+ required=False,
+ cli_name='rrsig_type_covered',
+ option_group=u'RRSIG Record',
+ cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']",
+ label=_(u'RRSIG Type Covered'),
+ doc=_(u'Type Covered'),
+ ),
+ parameters.Int(
+ 'rrsig_part_algorithm',
+ required=False,
+ cli_name='rrsig_algorithm',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'rrsig_part_labels',
+ required=False,
+ cli_name='rrsig_labels',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Labels'),
+ doc=_(u'Labels'),
+ ),
+ parameters.Int(
+ 'rrsig_part_original_ttl',
+ required=False,
+ cli_name='rrsig_original_ttl',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Original TTL'),
+ doc=_(u'Original TTL'),
+ ),
+ parameters.Str(
+ 'rrsig_part_signature_expiration',
+ required=False,
+ cli_name='rrsig_signature_expiration',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Signature Expiration'),
+ doc=_(u'Signature Expiration'),
+ ),
+ parameters.Str(
+ 'rrsig_part_signature_inception',
+ required=False,
+ cli_name='rrsig_signature_inception',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Signature Inception'),
+ doc=_(u'Signature Inception'),
+ ),
+ parameters.Int(
+ 'rrsig_part_key_tag',
+ required=False,
+ cli_name='rrsig_key_tag',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Str(
+ 'rrsig_part_signers_name',
+ required=False,
+ cli_name='rrsig_signers_name',
+ option_group=u'RRSIG Record',
+ label=_(u"RRSIG Signer's Name"),
+ doc=_(u"Signer's Name"),
+ ),
+ parameters.Str(
+ 'rrsig_part_signature',
+ required=False,
+ cli_name='rrsig_signature',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG Signature'),
+ doc=_(u'Signature'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ option_group=u'RP Record',
+ label=_(u'RP record'),
+ doc=_(u'Comma-separated list of raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ option_group=u'SIG Record',
+ label=_(u'SIG record'),
+ doc=_(u'Comma-separated list of raw SIG records'),
+ ),
+ parameters.Str(
+ 'sig_part_type_covered',
+ required=False,
+ cli_name='sig_type_covered',
+ option_group=u'SIG Record',
+ cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']",
+ label=_(u'SIG Type Covered'),
+ doc=_(u'Type Covered'),
+ ),
+ parameters.Int(
+ 'sig_part_algorithm',
+ required=False,
+ cli_name='sig_algorithm',
+ option_group=u'SIG Record',
+ label=_(u'SIG Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sig_part_labels',
+ required=False,
+ cli_name='sig_labels',
+ option_group=u'SIG Record',
+ label=_(u'SIG Labels'),
+ doc=_(u'Labels'),
+ ),
+ parameters.Int(
+ 'sig_part_original_ttl',
+ required=False,
+ cli_name='sig_original_ttl',
+ option_group=u'SIG Record',
+ label=_(u'SIG Original TTL'),
+ doc=_(u'Original TTL'),
+ ),
+ parameters.Str(
+ 'sig_part_signature_expiration',
+ required=False,
+ cli_name='sig_signature_expiration',
+ option_group=u'SIG Record',
+ label=_(u'SIG Signature Expiration'),
+ doc=_(u'Signature Expiration'),
+ ),
+ parameters.Str(
+ 'sig_part_signature_inception',
+ required=False,
+ cli_name='sig_signature_inception',
+ option_group=u'SIG Record',
+ label=_(u'SIG Signature Inception'),
+ doc=_(u'Signature Inception'),
+ ),
+ parameters.Int(
+ 'sig_part_key_tag',
+ required=False,
+ cli_name='sig_key_tag',
+ option_group=u'SIG Record',
+ label=_(u'SIG Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Str(
+ 'sig_part_signers_name',
+ required=False,
+ cli_name='sig_signers_name',
+ option_group=u'SIG Record',
+ label=_(u"SIG Signer's Name"),
+ doc=_(u"Signer's Name"),
+ ),
+ parameters.Str(
+ 'sig_part_signature',
+ required=False,
+ cli_name='sig_signature',
+ option_group=u'SIG Record',
+ label=_(u'SIG Signature'),
+ doc=_(u'Signature'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ option_group=u'SPF Record',
+ label=_(u'SPF record'),
+ doc=_(u'Comma-separated list of raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ option_group=u'SRV Record',
+ label=_(u'SRV record'),
+ doc=_(u'Comma-separated list of raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ cli_name='srv_priority',
+ option_group=u'SRV Record',
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ cli_name='srv_weight',
+ option_group=u'SRV Record',
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ cli_name='srv_port',
+ option_group=u'SRV Record',
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.Str(
+ 'srv_part_target',
+ required=False,
+ cli_name='srv_target',
+ option_group=u'SRV Record',
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP record'),
+ doc=_(u'Comma-separated list of raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ cli_name='sshfp_algorithm',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ cli_name='sshfp_fp_type',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ cli_name='sshfp_fingerprint',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ option_group=u'TA Record',
+ label=_(u'TA record'),
+ doc=_(u'Comma-separated list of raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ option_group=u'TKEY Record',
+ label=_(u'TKEY record'),
+ doc=_(u'Comma-separated list of raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ option_group=u'TSIG Record',
+ label=_(u'TSIG record'),
+ doc=_(u'Comma-separated list of raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ option_group=u'TXT Record',
+ label=_(u'TXT record'),
+ doc=_(u'Comma-separated list of raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ cli_name='txt_data',
+ option_group=u'TXT Record',
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the DNS resource record object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_show(Method):
+ __doc__ = _("Display DNS resource.")
+
+ takes_args = (
+ parameters.Str(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ ),
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_add(Method):
+ __doc__ = _("Create new DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnssoamname',
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnssoarname',
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default_from=DefaultFrom(lambda idnsname: 'hostmaster.%s' % idnsname, 'name_from_ip'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'SOA time to live'),
+ doc=_(u'SOA record time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ label=_(u'SOA class'),
+ doc=_(u'SOA record class'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ autofill=True,
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'A list of per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'Force DNS zone creation even if nameserver is not resolvable.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ip_address',
+ required=False,
+ doc=_(u'Add forward record for nameserver located in the created zone'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_add_permission(Method):
+ __doc__ = _("Add a permission for per-zone access delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_del(Method):
+ __doc__ = _("Delete DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.Str(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_disable(Method):
+ __doc__ = _("Disable DNS Zone.")
+
+ takes_args = (
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_enable(Method):
+ __doc__ = _("Enable DNS Zone.")
+
+ takes_args = (
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_find(Method):
+ __doc__ = _("Search for DNS zones (SOA records).")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnssoarname',
+ required=False,
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default_from=DefaultFrom(lambda idnsname: 'hostmaster.%s' % idnsname, 'name_from_ip'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ required=False,
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ required=False,
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ required=False,
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ required=False,
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'SOA time to live'),
+ doc=_(u'SOA record time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ label=_(u'SOA class'),
+ doc=_(u'SOA record class'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ ),
+ parameters.Bool(
+ 'idnszoneactive',
+ required=False,
+ cli_name='zone_active',
+ label=_(u'Active zone'),
+ doc=_(u'Is zone active?'),
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'A list of per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'forward_only',
+ label=_(u'Forward zones only'),
+ doc=_(u'Search for forward zones only'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnszone_mod(Method):
+ __doc__ = _("Modify DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnssoamname',
+ required=False,
+ cli_name='name_server',
+ label=_(u'Authoritative nameserver'),
+ doc=_(u'Authoritative nameserver domain name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnssoarname',
+ required=False,
+ cli_name='admin_email',
+ label=_(u'Administrator e-mail address'),
+ default_from=DefaultFrom(lambda idnsname: 'hostmaster.%s' % idnsname, 'name_from_ip'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'idnssoaserial',
+ required=False,
+ cli_name='serial',
+ label=_(u'SOA serial'),
+ doc=_(u'SOA record serial number'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # def _create_zone_serial():
+ # """
+ # Generate serial number for zones. bind-dyndb-ldap expects unix time in
+ # to be used for SOA serial.
+ #
+ # SOA serial in a date format would also work, but it may be set to far
+ # future when many DNS updates are done per day (more than 100). Unix
+ # timestamp is more resilient to this issue.
+ # """
+ # return int(time.time())
+ ),
+ parameters.Int(
+ 'idnssoarefresh',
+ required=False,
+ cli_name='refresh',
+ label=_(u'SOA refresh'),
+ doc=_(u'SOA record refresh time'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'idnssoaretry',
+ required=False,
+ cli_name='retry',
+ label=_(u'SOA retry'),
+ doc=_(u'SOA record retry time'),
+ default=900,
+ ),
+ parameters.Int(
+ 'idnssoaexpire',
+ required=False,
+ cli_name='expire',
+ label=_(u'SOA expire'),
+ doc=_(u'SOA record expire time'),
+ default=1209600,
+ ),
+ parameters.Int(
+ 'idnssoaminimum',
+ required=False,
+ cli_name='minimum',
+ label=_(u'SOA minimum'),
+ doc=_(u'How long should negative responses be cached'),
+ default=3600,
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'SOA time to live'),
+ doc=_(u'SOA record time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ label=_(u'SOA class'),
+ doc=_(u'SOA record class'),
+ ),
+ parameters.Str(
+ 'idnsupdatepolicy',
+ required=False,
+ cli_name='update_policy',
+ label=_(u'BIND update policy'),
+ default_from=DefaultFrom(lambda idnsname: None, 'idnsname'),
+ # FIXME:
+ # lambda idnsname: default_zone_update_policy(idnsname)
+ ),
+ parameters.Bool(
+ 'idnsallowdynupdate',
+ required=False,
+ cli_name='dynamic_update',
+ label=_(u'Dynamic update'),
+ doc=_(u'Allow dynamic updates.'),
+ default=False,
+ ),
+ parameters.Str(
+ 'idnsallowquery',
+ required=False,
+ cli_name='allow_query',
+ label=_(u'Allow query'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'),
+ default=u'any;',
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsallowtransfer',
+ required=False,
+ cli_name='allow_transfer',
+ label=_(u'Allow transfer'),
+ doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'),
+ default=u'none;',
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'A list of per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'),
+ ),
+ parameters.Bool(
+ 'idnsallowsyncptr',
+ required=False,
+ cli_name='allow_sync_ptr',
+ label=_(u'Allow PTR sync'),
+ doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'Force nameserver change even if nameserver not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_remove_permission(Method):
+ __doc__ = _("Remove a permission for per-zone access delegation.")
+
+ takes_args = (
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_show(Method):
+ __doc__ = _("Display information about a DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.Str(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/entitle.py b/ipaclient/remote_plugins/2_49/entitle.py
new file mode 100644
index 000000000..f527939bf
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/entitle.py
@@ -0,0 +1,383 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Entitlements
+
+Manage entitlements for client machines
+
+Entitlements can be managed either by registering with an entitlement
+server with a username and password or by manually importing entitlement
+certificates. An entitlement certificate contains embedded information
+such as the product being entitled, the quantity and the validity dates.
+
+An entitlement server manages the number of client entitlements available.
+To mark these entitlements as used by the IPA server you provide a quantity
+and they are marked as consumed on the entitlement server.
+
+ Register with an entitlement server:
+ ipa entitle-register consumer
+
+ Import an entitlement certificate:
+ ipa entitle-import /home/user/ipaclient.pem
+
+ Display current entitlements:
+ ipa entitle-status
+
+ Retrieve details on entitlement certificates:
+ ipa entitle-get
+
+ Consume some entitlements from the entitlement server:
+ ipa entitle-consume 50
+
+The registration ID is a Unique Identifier (UUID). This ID will be
+IMPORTED if you have used entitle-import.
+
+Changes to /etc/rhsm/rhsm.conf require a restart of the httpd service.
+""")
+
+register = Registry()
+
+
+@register()
+class entitle(Object):
+ takes_params = (
+ )
+
+
+@register()
+class entitle_consume(Method):
+ __doc__ = _("Consume an entitlement.")
+
+ takes_args = (
+ parameters.Int(
+ 'quantity',
+ label=_(u'Quantity'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'hidden',
+ label=_(u'Quantity'),
+ exclude=('cli', 'webui'),
+ default=1,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class entitle_find(Method):
+ __doc__ = _("Search for entitlement accounts.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class entitle_get(Command):
+ __doc__ = _("Retrieve the entitlement certs.")
+
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class entitle_import(Method):
+ __doc__ = _("Import an entitlement certificate.")
+
+ takes_args = (
+ parameters.Str(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate_file',
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'uuid',
+ required=False,
+ label=_(u'UUID'),
+ doc=_(u'Enrollment UUID'),
+ default=u'IMPORTED',
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ )
+
+
+@register()
+class entitle_register(Method):
+ __doc__ = _("Register to the entitlement system.")
+
+ takes_args = (
+ parameters.Str(
+ 'username',
+ label=_(u'Username'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'ipaentitlementid',
+ required=False,
+ label=_(u'UUID'),
+ doc=_(u'Enrollment UUID (not implemented)'),
+ ),
+ parameters.Password(
+ 'password',
+ label=_(u'Password'),
+ doc=_(u'Registration password'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class entitle_status(Command):
+ __doc__ = _("Display current entitlements.")
+
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ )
+
+
+@register()
+class entitle_sync(Method):
+ __doc__ = _("Re-sync the local entitlement cache with the entitlement server.")
+
+ takes_options = (
+ parameters.Int(
+ 'hidden',
+ label=_(u'Quantity'),
+ exclude=('cli', 'webui'),
+ default=1,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
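Review bot: In `entitle_import`, the positional argument `usercertificate` is declared as a plain `parameters.Str` with `cli_name='certificate_file'`, while the module docstring shows the command being given a path (`ipa entitle-import /home/user/ipaclient.pem`). Nothing in this file reads that path, so unless the client frontend loads the file somewhere not visible in this hunk, the path string rather than the certificate contents would be sent to the server. I would record the expectation next to the parameter, for example `# FIXME: confirm the client reads certificate_file and sends its contents, not the path`, matching the `# FIXME:` markers used in the other remote plugin files. The parameter also has no `label=` or `doc=`, so the CLI help cannot say which of the two is expected.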
diff --git a/ipaclient/remote_plugins/2_49/group.py b/ipaclient/remote_plugins/2_49/group.py
new file mode 100644
index 000000000..940a113df
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/group.py
@@ -0,0 +1,854 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of users
+
+Manage groups of users. By default, new groups are POSIX groups. You
+can add the --nonposix option to the group-add command to mark a new group
+as non-POSIX. You can use the --posix argument with the group-mod command
+to convert a non-POSIX group into a POSIX group. POSIX groups cannot be
+converted to non-POSIX groups.
+
+Every group must have a description.
+
+POSIX groups must have a Group ID (GID) number. Changing a GID is
+supported but can have an impact on your file permissions. It is not necessary
+to supply a GID when creating a group. IPA will generate one automatically
+if it is not provided.
+
+EXAMPLES:
+
+ Add a new group:
+ ipa group-add --desc='local administrators' localadmins
+
+ Add a new non-POSIX group:
+ ipa group-add --nonposix --desc='remote administrators' remoteadmins
+
+ Convert a non-POSIX group to posix:
+ ipa group-mod --posix remoteadmins
+
+ Add a new POSIX group with a specific Group ID number:
+ ipa group-add --gid=500 --desc='unix admins' unixadmins
+
+ Add a new POSIX group and let IPA assign a Group ID number:
+ ipa group-add --desc='printer admins' printeradmins
+
+ Remove a group:
+ ipa group-del unixadmins
+
+ To add the "remoteadmins" group to the "localadmins" group:
+ ipa group-add-member --groups=remoteadmins localadmins
+
+ Add a list of users to the "localadmins" group:
+ ipa group-add-member --users=test1,test2 localadmins
+
+ Remove a user from the "localadmins" group:
+ ipa group-remove-member --users=test2 localadmins
+
+ Display information about a named group.
+ ipa group-show localadmins
+
+External group membership is designed to allow users from trusted domains
+to be mapped to local POSIX groups in order to actually use IPA resources.
+External members should be added to groups that specifically created as
+external and non-POSIX. Such group later should be included into one of POSIX
+groups.
+
+An external group member is currently a Security Identifier (SID) as defined by
+the trusted domain. When adding external group members, it is possible to
+specify them in either SID, or DOM\name, or name@domain format. IPA will attempt
+to resolve passed name to SID with the use of Global Catalog of the trusted domain.
+
+Example:
+
+1. Create group for the trusted domain admins' mapping and their local POSIX group:
+
+ ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
+ ipa group-add --desc='<ad.domain> admins' ad_admins
+
+2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
+ group:
+
+ ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
+
+3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+
+ ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their SIDs:
+
+ ipa group-show ad_admins_external
+""")
+
+register = Registry()
+
+
+@register()
+class group(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Group name'),
+ ),
+ parameters.Str(
+ 'description',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'member_user',
+ required=False,
+ label=_(u'Member users'),
+ ),
+ parameters.Str(
+ 'member_group',
+ required=False,
+ label=_(u'Member groups'),
+ ),
+ parameters.Str(
+ 'memberof_group',
+ required=False,
+ label=_(u'Member of groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberindirect_user',
+ required=False,
+ label=_(u'Indirect Member users'),
+ ),
+ parameters.Str(
+ 'memberindirect_group',
+ required=False,
+ label=_(u'Indirect Member groups'),
+ ),
+ parameters.Str(
+ 'memberofindirect_group',
+ required=False,
+ label=_(u'Indirect Member of group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ )
+
+
+@register()
+class group_add(Method):
+ __doc__ = _("Create a new group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'nonposix',
+ doc=_(u'Create as a non-POSIX group'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'Allow adding external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_add_member(Method):
+ __doc__ = _("Add members to a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaexternalmember',
+ required=False,
+ multivalue=True,
+ cli_name='external',
+ label=_(u'External member'),
+ doc=_(u'comma-separated list of members of a trusted domain in DOM\\name or name@domain form'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class group_del(Method):
+ __doc__ = _("Delete group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_detach(Method):
+ __doc__ = _("Detach a managed group from a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_find(Method):
+ __doc__ = _("Search for groups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'private',
+ doc=_(u'search for private groups'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("group-name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'user'),
+ doc=_(u'Search for groups with these member users.'),
+ ),
+ parameters.Str(
+ 'no_user',
+ required=False,
+ multivalue=True,
+ cli_name='no_users',
+ label=_(u'user'),
+ doc=_(u'Search for groups without these member users.'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups with these member groups.'),
+ ),
+ parameters.Str(
+ 'no_group',
+ required=False,
+ multivalue=True,
+ cli_name='no_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups without these member groups.'),
+ ),
+ parameters.Str(
+ 'in_group',
+ required=False,
+ multivalue=True,
+ cli_name='in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups with these member of groups.'),
+ ),
+ parameters.Str(
+ 'not_in_group',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for groups without these member of groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for groups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for groups without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for groups with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for groups without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for groups with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for groups without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for groups with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for groups without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class group_mod(Method):
+ __doc__ = _("Modify a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ cli_name='gid',
+ label=_(u'GID'),
+ doc=_(u'GID (use this option to set it manually)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'posix',
+ doc=_(u'change to a POSIX group'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'external',
+ doc=_(u'change to support external non-IPA members from trusted domains'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the group object'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class group_remove_member(Method):
+ __doc__ = _("Remove members from a group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaexternalmember',
+ required=False,
+ multivalue=True,
+ cli_name='external',
+ label=_(u'External member'),
+ doc=_(u'comma-separated list of members of a trusted domain in DOM\\name or name@domain form'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class group_show(Method):
+ __doc__ = _("Display information about a named group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group_name',
+ label=_(u'Group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/hbacrule.py b/ipaclient/remote_plugins/2_49/hbacrule.py
new file mode 100644
index 000000000..64e195797
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/hbacrule.py
@@ -0,0 +1,1198 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Host-based access control
+
+Control who can access what services on what hosts and from where. You
+can use HBAC to control which users or groups on a source host can
+access a service, or group of services, on a target host.
+
+You can also specify a category of users, target hosts, and source
+hosts. This is currently limited to "all", but might be expanded in the
+future.
+
+Target hosts and source hosts in HBAC rules must be hosts managed by IPA.
+
+The available services and groups of services are controlled by the
+hbacsvc and hbacsvcgroup plug-ins respectively.
+
+EXAMPLES:
+
+ Create a rule, "test1", that grants all users access to the host "server" from
+ anywhere:
+ ipa hbacrule-add --usercat=all --srchostcat=all test1
+ ipa hbacrule-add-host --hosts=server.example.com test1
+
+ Display the properties of a named HBAC rule:
+ ipa hbacrule-show test1
+
+ Create a rule for a specific service. This lets the user john access
+ the sshd service on any machine from any machine:
+ ipa hbacrule-add --hostcat=all --srchostcat=all john_sshd
+ ipa hbacrule-add-user --users=john john_sshd
+ ipa hbacrule-add-service --hbacsvcs=sshd john_sshd
+
+ Create a rule for a new service group. This lets the user john access
+ the FTP service on any machine from any machine:
+ ipa hbacsvcgroup-add ftpers
+ ipa hbacsvc-add sftp
+ ipa hbacsvcgroup-add-member --hbacsvcs=ftp,sftp ftpers
+ ipa hbacrule-add --hostcat=all --srchostcat=all john_ftp
+ ipa hbacrule-add-user --users=john john_ftp
+ ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp
+
+ Disable a named HBAC rule:
+ ipa hbacrule-disable test1
+
+ Remove a named HBAC rule:
+ ipa hbacrule-del allow_server
+""")
+
+register = Registry()
+
+
+@register()
+class hbacrule(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'accessruletype',
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ label=_(u'Source host category'),
+ doc=_(u'Source host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ parameters.Str(
+ 'sourcehost_host',
+ required=False,
+ label=_(u'Source Hosts'),
+ ),
+ parameters.Str(
+ 'sourcehost_hostgroup',
+ required=False,
+ label=_(u'Source Host Groups'),
+ ),
+ parameters.Str(
+ 'memberservice_hbacsvc',
+ required=False,
+ label=_(u'Services'),
+ ),
+ parameters.Str(
+ 'memberservice_hbacsvcgroup',
+ required=False,
+ label=_(u'Service Groups'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add(Method):
+ __doc__ = _("Create a new HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'accessruletype',
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ cli_name='srchostcat',
+ cli_metavar="['all']",
+ label=_(u'Source host category'),
+ doc=_(u'Source host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_host(Method):
+ __doc__ = _("Add target hosts and hostgroups to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_service(Method):
+ __doc__ = _("Add services to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'comma-separated list of HBAC services to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hbacsvcgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcgroups',
+ label=_(u'member HBAC service group'),
+ doc=_(u'comma-separated list of HBAC service groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_sourcehost(Method):
+ __doc__ = _("Add source hosts and hostgroups from a HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_add_user(Method):
+ __doc__ = _("Add users and groups to an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacrule_del(Method):
+ __doc__ = _("Delete an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_disable(Method):
+ __doc__ = _("Disable an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_enable(Method):
+ __doc__ = _("Enable an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_find(Method):
+ __doc__ = _("Search for HBAC rules.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'accessruletype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ cli_name='srchostcat',
+ cli_metavar="['all']",
+ label=_(u'Source host category'),
+ doc=_(u'Source host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacrule_mod(Method):
+ __doc__ = _("Modify an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'accessruletype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['allow', 'deny']",
+ label=_(u'Rule type'),
+ doc=_(u'Rule type (allow)'),
+ exclude=('webui', 'cli'),
+ default=u'allow',
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'sourcehostcategory',
+ required=False,
+ cli_name='srchostcat',
+ cli_metavar="['all']",
+ label=_(u'Source host category'),
+ doc=_(u'Source host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'servicecategory',
+ required=False,
+ cli_name='servicecat',
+ cli_metavar="['all']",
+ label=_(u'Service category'),
+ doc=_(u'Service category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_service(Method):
+ __doc__ = _("Remove service and service groups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'comma-separated list of HBAC services to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hbacsvcgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcgroups',
+ label=_(u'member HBAC service group'),
+ doc=_(u'comma-separated list of HBAC service groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_sourcehost(Method):
+ __doc__ = _("Remove source hosts and hostgroups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_user(Method):
+ __doc__ = _("Remove users and groups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_show(Method):
+ __doc__ = _("Display the properties of an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
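Review bot: `accessruletype` in `hbacrule_add`, `hbacrule_find` and `hbacrule_mod` is a plain `parameters.Str` whose `cli_metavar="['allow', 'deny']"` advertises `deny` while its `doc` says `Rule type (allow)`, and nothing in these client-side definitions restricts the value. The same holds for the four `*category` options, where `['all']` appears only as a metavar hint. As written the client appears to forward any string, so the access-control semantics rest entirely on server-side validation, which is not visible in this hunk; a short comment such as `# allowed values are enforced by the server; this compat definition does not validate them` would make that explicit. If `deny` rules are not meant to be creatable at this API version, the hint should read `cli_metavar="['allow']"`. Separately, `hbacrule_add_sourcehost.__doc__` says "from a HBAC rule" where the sibling add commands say "to an HBAC rule"; if this file is generated from the server API, both fixes belong at the source.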
diff --git a/ipaclient/remote_plugins/2_49/hbacsvc.py b/ipaclient/remote_plugins/2_49/hbacsvc.py
new file mode 100644
index 000000000..89d57b512
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/hbacsvc.py
@@ -0,0 +1,390 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Services
+
+The PAM services that HBAC can control access to. The name used here
+must match the service name that PAM is evaluating.
+
+EXAMPLES:
+
+ Add a new HBAC service:
+ ipa hbacsvc-add tftp
+
+ Modify an existing HBAC service:
+ ipa hbacsvc-mod --desc="TFTP service" tftp
+
+ Search for HBAC services. This example will return two results, the FTP
+ service and the newly-added tftp service:
+ ipa hbacsvc-find ftp
+
+ Delete an HBAC service:
+ ipa hbacsvc-del tftp
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvc(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'memberof_hbacsvcgroup',
+ required=False,
+ label=_(u'Member of HBAC service groups'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_add(Method):
+ __doc__ = _("Add a new HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_del(Method):
+ __doc__ = _("Delete an existing HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_find(Method):
+ __doc__ = _("Search for HBAC services.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("service")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_mod(Method):
+ __doc__ = _("Modify an HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_show(Method):
+ __doc__ = _("Display information about an HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
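Review bot: The import block at the top of the new hbacsvc.py pulls in `Command`, `api`, `DefaultFrom`, `DN` and `DNSName`, none of which the 390 added lines use, and the module-wide `# pylint: disable=unused-import` hides that. Trimming the two lines to `from . import Method, Object` and `from ipalib import parameters, output` lets the pragma go, so a stale import added later is reported again. hbacsvcgroup.py and hbactest.py in this commit carry the same block (hbactest.py uses `Command` rather than `Method`/`Object`). If these per-version modules are emitted by a generator, which their uniform layout suggests, the change belongs in its template rather than in each file.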
diff --git a/ipaclient/remote_plugins/2_49/hbacsvcgroup.py b/ipaclient/remote_plugins/2_49/hbacsvcgroup.py
new file mode 100644
index 000000000..4949ddc4c
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/hbacsvcgroup.py
@@ -0,0 +1,493 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Service Groups
+
+HBAC service groups can contain any number of individual services,
+or "members". Every group must have a description.
+
+EXAMPLES:
+
+ Add a new HBAC service group:
+ ipa hbacsvcgroup-add --desc="login services" login
+
+ Add members to an HBAC service group:
+ ipa hbacsvcgroup-add-member --hbacsvcs=sshd,login login
+
+ Display information about a named group:
+ ipa hbacsvcgroup-show login
+
+ Add a new group to the "login" group:
+ ipa hbacsvcgroup-add --desc="switch users" login
+ ipa hbacsvcgroup-add-member --hbacsvcs=su,su-l login
+
+ Delete an HBAC service group:
+ ipa hbacsvcgroup-del login
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvcgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service group name'),
+ ),
+ parameters.Str(
+ 'description',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'member_hbacsvc',
+ required=False,
+ label=_(u'Member HBAC service'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_add(Method):
+ __doc__ = _("Add a new HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_add_member(Method):
+ __doc__ = _("Add members to an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'comma-separated list of HBAC services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_del(Method):
+ __doc__ = _("Delete an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_find(Method):
+ __doc__ = _("Search for an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_mod(Method):
+ __doc__ = _("Modify an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_remove_member(Method):
+ __doc__ = _("Remove members from an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'comma-separated list of HBAC services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_show(Method):
+ __doc__ = _("Display information about an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
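Review bot: The fourth example in the module docstring, headed `Add a new group to the "login" group:`, describes nesting that the commands in this file do not offer: `hbacsvcgroup_add_member` accepts only `hbacsvc` members. Its first command also repeats `ipa hbacsvcgroup-add ... login` for a group the first example already created. A heading such as `Add more services to the "login" group:` followed only by `ipa hbacsvcgroup-add-member --hbacsvcs=su,su-l login` would match what the commands do. The text is a translatable msgid inside `_()`, so it presumably has to change together with the server-side docstring it mirrors.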
diff --git a/ipaclient/remote_plugins/2_49/hbactest.py b/ipaclient/remote_plugins/2_49/hbactest.py
new file mode 100644
index 000000000..e13093df0
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/hbactest.py
@@ -0,0 +1,213 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Simulate use of Host-based access controls
+
+HBAC rules control who can access what services on what hosts and from where.
+You can use HBAC to control which users or groups can access a service,
+or group of services, on a target host.
+
+Since applying HBAC rules implies use of a production environment,
+this plugin aims to provide simulation of HBAC rules evaluation without
+having access to the production environment.
+
+ Test user coming to a service on a named host against
+ existing enabled rules.
+
+ ipa hbactest --user= --host= --service=
+ [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
+ [--srchost= ] [--sizelimit= ]
+
+ --user, --host, and --service are mandatory, others are optional.
+
+ If --rules is specified simulate enabling of the specified rules and test
+ the login of the user using only these rules.
+
+ If --enabled is specified, all enabled HBAC rules will be added to simulation
+
+ If --disabled is specified, all disabled HBAC rules will be added to simulation
+
+ If --nodetail is specified, do not return information about rules matched/not matched.
+
+ If both --rules and --enabled are specified, apply simulation to --rules _and_
+ all IPA enabled rules.
+
+ If no --rules specified, simulation is run against all IPA enabled rules.
+ By default there is a IPA-wide limit to number of entries fetched, you can change it
+ with --sizelimit option.
+
+ If --srchost is specified, it will be ignored. It is left because of compatibility reasons only.
+
+EXAMPLES:
+
+ 1. Use all enabled HBAC rules in IPA database to simulate:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd
+ --------------------
+ Access granted: True
+ --------------------
+ notmatched: my-second-rule
+ notmatched: my-third-rule
+ notmatched: myrule
+ matched: allow_all
+
+ 2. Disable detailed summary of how rules were applied:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail
+ --------------------
+ Access granted: True
+ --------------------
+
+ 3. Test explicitly specified HBAC rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule
+ ---------------------
+ Access granted: False
+ ---------------------
+ notmatched: my-second-rule
+ notmatched: myrule
+
+ 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --enabled
+ --------------------
+ Access granted: True
+ --------------------
+ notmatched: my-second-rule
+ notmatched: my-third-rule
+ notmatched: myrule
+ matched: allow_all
+
+ 5. Test all disabled HBAC rules in IPA database:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled
+ ---------------------
+ Access granted: False
+ ---------------------
+ notmatched: new-rule
+
+ 6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --disabled
+ ---------------------
+ Access granted: False
+ ---------------------
+ notmatched: my-second-rule
+ notmatched: my-third-rule
+ notmatched: myrule
+
+ 7. Test all (enabled and disabled) HBAC rules in IPA database:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --enabled --disabled
+ --------------------
+ Access granted: True
+ --------------------
+ notmatched: my-second-rule
+ notmatched: my-third-rule
+ notmatched: myrule
+ notmatched: new-rule
+ matched: allow_all
+""")
+
+register = Registry()
+
+
+@register()
+class hbactest(Command):
+ __doc__ = _("Simulate use of Host-based access controls")
+
+ takes_options = (
+ parameters.Str(
+ 'user',
+ label=_(u'User name'),
+ ),
+ parameters.Str(
+ 'sourcehost',
+ required=False,
+ cli_name='srchost',
+ label=_(u'Source host'),
+ ),
+ parameters.Str(
+ 'targethost',
+ cli_name='host',
+ label=_(u'Target host'),
+ ),
+ parameters.Str(
+ 'service',
+ label=_(u'Service'),
+ ),
+ parameters.Str(
+ 'rules',
+ required=False,
+ multivalue=True,
+ label=_(u'Rules to test. If not specified, --enabled is assumed'),
+ ),
+ parameters.Flag(
+ 'nodetail',
+ required=False,
+ label=_(u'Hide details which rules are matched, not matched, or invalid'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'enabled',
+ required=False,
+ label=_(u'Include all enabled IPA rules into test [default]'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'disabled',
+ required=False,
+ label=_(u'Include all disabled IPA rules into test'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of rules to process when no --rules is specified'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'warning',
+ (list, tuple, type(None)),
+ doc=_(u'Warning'),
+ ),
+ output.Output(
+ 'matched',
+ (list, tuple, type(None)),
+ doc=_(u'Matched rules'),
+ ),
+ output.Output(
+ 'notmatched',
+ (list, tuple, type(None)),
+ doc=_(u'Not matched rules'),
+ ),
+ output.Output(
+ 'error',
+ (list, tuple, type(None)),
+ doc=_(u'Non-existent or invalid rules'),
+ ),
+ output.Output(
+ 'value',
+ bool,
+ doc=_(u'Result of simulation'),
+ ),
+ )
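Review bot: The `sourcehost` option of `hbactest` is declared with a label only, although the module docstring states that `--srchost` is ignored and kept for compatibility. Someone using the option's help to check an access decision by source host gets no hint that the value has no effect on the simulated result. Adding `doc=_(u'Ignored; kept for compatibility only')` to that `parameters.Str` would put the caveat next to the option. The `sizelimit` doc could likewise mention that a run cut off by the limit may not cover every rule, though how the `warning` output reports that is not visible in this hunk and should be confirmed first.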
diff --git a/ipaclient/remote_plugins/2_49/host.py b/ipaclient/remote_plugins/2_49/host.py
new file mode 100644
index 000000000..988a83b2d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/host.py
@@ -0,0 +1,1030 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Hosts/Machines
+
+A host represents a machine. It can be used in a number of contexts:
+- service entries are associated with a host
+- a host stores the host/ service principal
+- a host can be used in Host-based Access Control (HBAC) rules
+- every enrolled client generates a host entry
+
+ENROLLMENT:
+
+There are three enrollment scenarios when enrolling a new client:
+
+1. You are enrolling as a full administrator. The host entry may exist
+ or not. A full administrator is a member of the hostadmin role
+ or the admins group.
+2. You are enrolling as a limited administrator. The host must already
+ exist. A limited administrator is a member a role with the
+ Host Enrollment privilege.
+3. The host has been created with a one-time password.
+
+A host can only be enrolled once. If a client has enrolled and needs to
+be re-enrolled, the host entry must be removed and re-created. Note that
+re-creating the host entry will result in all services for the host being
+removed, and all SSL certificates associated with those services being
+revoked.
+
+A host can optionally store information such as where it is located,
+the OS that it runs, etc.
+
+EXAMPLES:
+
+ Add a new host:
+ ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com
+
+ Delete a host:
+ ipa host-del test.example.com
+
+ Add a new host with a one-time password:
+ ipa host-add --os='Fedora 12' --password=Secret123 test.example.com
+
+ Add a new host with a random one-time password:
+ ipa host-add --os='Fedora 12' --random test.example.com
+
+ Modify information about a host:
+ ipa host-mod --os='Fedora 12' test.example.com
+
+ Remove SSH public keys of a host and update DNS to reflect this change:
+ ipa host-mod --sshpubkey= --updatedns test.example.com
+
+ Disable the host Kerberos key, SSL certificate and all of its services:
+ ipa host-disable test.example.com
+
+ Add a host that can manage this host's keytab and certificate:
+ ipa host-add-managedby --hosts=test2 test
+""")
+
+register = Registry()
+
+
+@register()
+class host(Object):
+ takes_params = (
+ parameters.Str(
+ 'fqdn',
+ primary_key=True,
+ label=_(u'Host name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ ),
+ parameters.Str(
+ 'randompassword',
+ required=False,
+ label=_(u'Random password'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ label=_(u'Principal name'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ parameters.Flag(
+ 'has_password',
+ label=_(u'Password'),
+ ),
+ parameters.Str(
+ 'memberof_hostgroup',
+ required=False,
+ label=_(u'Member of host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member of host-group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Keytab'),
+ ),
+ parameters.Str(
+ 'managedby_host',
+ label=_(u'Managed by'),
+ ),
+ parameters.Str(
+ 'managing_host',
+ label=_(u'Managing'),
+ ),
+ )
+
+
+@register()
+class host_add(Method):
+ __doc__ = _("Add a new host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force host name even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_reverse',
+ doc=_(u'skip reverse DNS detection'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ip_address',
+ required=False,
+ label=_(u'IP Address'),
+ doc=_(u'Add the host to DNS with this IP address'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_add_managedby(Method):
+ __doc__ = _("Add hosts that can manage this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class host_del(Method):
+ __doc__ = _("Delete a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ multivalue=True,
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'updatedns',
+ required=False,
+ doc=_(u'Remove entries from DNS'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_disable(Method):
+ __doc__ = _("Disable the Kerberos key, SSL certificate and all services of a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_find(Method):
+ __doc__ = _("Search for hosts.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'fqdn',
+ required=False,
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("hostname")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for hosts with these member of host groups.'),
+ ),
+ parameters.Str(
+ 'not_in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for hosts without these member of host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for hosts with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for hosts without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for hosts with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for hosts without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for hosts with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for hosts without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for hosts with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for hosts without these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'enroll_by_user',
+ required=False,
+ multivalue=True,
+ cli_name='enroll_by_users',
+ label=_(u'user'),
+ doc=_(u'Search for hosts with these enrolled by users.'),
+ ),
+ parameters.Str(
+ 'not_enroll_by_user',
+ required=False,
+ multivalue=True,
+ cli_name='not_enroll_by_users',
+ label=_(u'user'),
+ doc=_(u'Search for hosts without these enrolled by users.'),
+ ),
+ parameters.Str(
+ 'man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts with these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts without these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'man_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts with these managing hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for hosts without these managing hosts.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class host_mod(Method):
+ __doc__ = _("Modify information about a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='locality',
+ label=_(u'Locality'),
+ doc=_(u'Host locality (e.g. "Baltimore, MD")'),
+ ),
+ parameters.Str(
+ 'nshostlocation',
+ required=False,
+ cli_name='location',
+ label=_(u'Location'),
+ doc=_(u'Host location (e.g. "Lab 2")'),
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ label=_(u'Platform'),
+ doc=_(u'Host hardware platform (e.g. "Lenovo T61")'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ label=_(u'Operating system'),
+ doc=_(u'Host operating system and version (e.g. "Fedora 9")'),
+ ),
+ parameters.Str(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'User password'),
+ doc=_(u'Password used in bulk enrollment'),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random password to be used in bulk enrollment'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'macaddress',
+ required=False,
+ multivalue=True,
+ label=_(u'MAC address'),
+ doc=_(u'Hardware MAC address(es) on this host'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principalname',
+ label=_(u'Principal name'),
+ doc=_(u'Kerberos principal name for this host'),
+ ),
+ parameters.Flag(
+ 'updatedns',
+ required=False,
+ doc=_(u'Update DNS entries'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_remove_managedby(Method):
+ __doc__ = _("Remove hosts that can manage this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_show(Method):
+ __doc__ = _("Display information about a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/hostgroup.py b/ipaclient/remote_plugins/2_49/hostgroup.py
new file mode 100644
index 000000000..2ff646db5
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/hostgroup.py
@@ -0,0 +1,670 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of hosts.
+
+Manage groups of hosts. This is useful for applying access control to a
+number of hosts by using Host-based Access Control.
+
+EXAMPLES:
+
+ Add a new host group:
+ ipa hostgroup-add --desc="Baltimore hosts" baltimore
+
+ Add another new host group:
+ ipa hostgroup-add --desc="Maryland hosts" maryland
+
+ Add members to the hostgroup:
+ ipa hostgroup-add-member --hosts=box1,box2,box3 baltimore
+
+ Add a hostgroup as a member of another hostgroup:
+ ipa hostgroup-add-member --hostgroups=baltimore maryland
+
+ Remove a host from the hostgroup:
+ ipa hostgroup-remove-member --hosts=box2 baltimore
+
+ Display a host group:
+ ipa hostgroup-show baltimore
+
+ Delete a hostgroup:
+ ipa hostgroup-del baltimore
+""")
+
+register = Registry()
+
+
+@register()
+class hostgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ ),
+ parameters.Str(
+ 'description',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'member_host',
+ required=False,
+ label=_(u'Member hosts'),
+ ),
+ parameters.Str(
+ 'member_hostgroup',
+ required=False,
+ label=_(u'Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_hostgroup',
+ required=False,
+ label=_(u'Member of host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberindirect_host',
+ required=False,
+ label=_(u'Indirect Member hosts'),
+ ),
+ parameters.Str(
+ 'memberindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member of host-group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ )
+
+
+@register()
+class hostgroup_add(Method):
+ __doc__ = _("Add a new hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_add_member(Method):
+ __doc__ = _("Add members to a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hostgroup_del(Method):
+ __doc__ = _("Delete a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_find(Method):
+ __doc__ = _("Search for hostgroups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'host'),
+ doc=_(u'Search for host groups with these member hosts.'),
+ ),
+ parameters.Str(
+ 'no_host',
+ required=False,
+ multivalue=True,
+ cli_name='no_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for host groups without these member hosts.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups with these member host groups.'),
+ ),
+ parameters.Str(
+ 'no_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups without these member host groups.'),
+ ),
+ parameters.Str(
+ 'in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups with these member of host groups.'),
+ ),
+ parameters.Str(
+ 'not_in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups without these member of host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for host groups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for host groups without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for host groups with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for host groups without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for host groups with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for host groups without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hostgroup_mod(Method):
+ __doc__ = _("Modify a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_remove_member(Method):
+ __doc__ = _("Remove members from a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hostgroup_show(Method):
+ __doc__ = _("Display information about a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
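Review bot: The file-wide `# pylint: disable=unused-import` at the top of the new hostgroup.py hides five imports that nothing in this file references: `Command`, `api`, `DefaultFrom`, `DN` and `DNSName`. Only `six`, `Method`, `Object`, `parameters`, `output`, `Registry` and `_` are used. Either drop the unused names or put the suppression on the individual import lines, so that a genuinely stray import added later is still reported. The idrange.py section that follows carries the same header, which suggests these modules come from a template. If so, the fix belongs in the generator, and the header should say the file is generated, e.g. `# Generated from the server API definition; do not edit by hand.`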
diff --git a/ipaclient/remote_plugins/2_49/idrange.py b/ipaclient/remote_plugins/2_49/idrange.py
new file mode 100644
index 000000000..5b2c1096d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/idrange.py
@@ -0,0 +1,609 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+ID ranges
+
+Manage ID ranges used to map Posix IDs to SIDs and back.
+
+There are two type of ID ranges which are both handled by this utility:
+
+ - the ID ranges of the local domain
+ - the ID ranges of trusted remote domains
+
+Both types have the following attributes in common:
+
+ - base-id: the first ID of the Posix ID range
+ - range-size: the size of the range
+
+With those two attributes a range object can reserve the Posix IDs starting
+with base-id up to but not including base-id+range-size exclusively.
+
+Additionally an ID range of the local domain may set
+ - rid-base: the first RID(*) of the corresponding RID range
+ - secondary-rid-base: first RID of the secondary RID range
+
+and an ID range of a trusted domain must set
+ - rid-base: the first RID of the corresponding RID range
+ - dom_sid: domain SID of the trusted domain
+
+
+
+EXAMPLE: Add a new ID range for a trusted domain
+
+Since there might be more than one trusted domain the domain SID must be given
+while creating the ID range.
+
+ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 \
+ --dom-sid=S-1-5-21-123-456-789 trusted_dom_range
+
+This ID range is then used by the IPA server and the SSSD IPA provider to
+assign Posix UIDs to users from the trusted domain.
+
+If e.g a range for a trusted domain is configured with the following values:
+ base-id = 1200000
+ range-size = 200000
+ rid-base = 0
+the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 13999999. So
+RID 1000 <-> Posix ID 1201000
+
+
+
+EXAMPLE: Add a new ID range for the local domain
+
+To create an ID range for the local domain it is not necessary to specify a
+domain SID. But since it is possible that a user and a group can have the same
+value as Posix ID a second RID interval is needed to handle conflicts.
+
+ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000 \
+ --secondary-rid-base=1000000 local_range
+
+The data from the ID ranges of the local domain are used by the IPA server
+internally to assign SIDs to IPA users and groups. The SID will then be stored
+in the user or group objects.
+
+If e.g. the ID range for the local domain is configured with the values from
+the example above then a new user with the UID 1200007 will get the RID 1007.
+If this RID is already used by a group the RID will be 1000007. This can only
+happen if a user or a group object was created with a fixed ID because the
+automatic assignment will not assign the same ID twice. Since there are only
+users and groups sharing the same ID namespace it is sufficient to have only
+one fallback range to handle conflicts.
+
+To find the Posix ID for a given RID from the local domain it has to be
+checked first if the RID falls in the primary or secondary RID range and
+the rid-base or the secondary-rid-base has to be subtracted, respectively,
+and the base-id has to be added to get the Posix ID.
+
+Typically the creation of ID ranges happens behind the scenes and this CLI
+must not be used at all. The ID range for the local domain will be created
+during installation or upgrade from an older version. The ID range for a
+trusted domain will be created together with the trust by 'ipa trust-add ...'.
+
+USE CASES:
+
+ Add an ID range from a transitively trusted domain
+
+ If the trusted domain (A) trusts another domain (B) as well and this trust
+ is transitive 'ipa trust-add domain-A' will only create a range for
+ domain A. The ID range for domain B must be added manually.
+
+ Add an additional ID range for the local domain
+
+ If the ID range of the local domain is exhausted, i.e. no new IDs can be
+ assigned to Posix users or groups by the DNA plugin, a new range has to be
+ created to allow new users and groups to be added. (Currently there is no
+ connection between this range CLI and the DNA plugin, but a future version
+ might be able to modify the configuration of the DNS plugin as well)
+
+In general it is not necessary to modify or delete ID ranges. If there is no
+other way to achieve a certain configuration than to modify or delete an ID
+range it should be done with great care. Because UIDs are stored in the file
+system and are used for access control it might be possible that users are
+allowed to access files of other users if an ID range got deleted and reused
+for a different domain.
+
+(*) The RID is typically the last integer of a user or group SID which follows
+the domain SID. E.g. if the domain SID is S-1-5-21-123-456-789 and a user from
+this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the
+user. RIDs are unique in a domain, 32bit values and are used for users and
+groups.
+
+WARNING:
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for
+the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+modified to match the new range.
+""")
+
+register = Registry()
+
+
+@register()
+class idrange(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Range name'),
+ ),
+ parameters.Int(
+ 'ipabaseid',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ label=_(u'Range type'),
+ ),
+ )
+
+
+@register()
+class idrange_add(Method):
+ __doc__ = _("""
+Add new ID range.
+
+ To add a new ID range you always have to specify
+
+ --base-id
+ --range-size
+
+ Additionally
+
+ --rid-base
+ --secondary-rid-base
+
+ may be given for a new ID range for the local domain while
+
+ --rid-bas
+ --dom-sid
+
+ must be given to add a new range for a trusted AD domain.
+
+ WARNING:
+
+ DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+ local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+ on the local ranges set via this family of commands.
+
+ Manual configuration change has to be done in the DNA plugin configuration for
+ the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+ IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+ modified to match the new range.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'ipabaseid',
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ label=_(u'Range type'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_del(Method):
+ __doc__ = _("Delete an ID range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_find(Method):
+ __doc__ = _("Search for ranges.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ parameters.Int(
+ 'ipabaseid',
+ required=False,
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ required=False,
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ label=_(u'Range type'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idrange_mod(Method):
+ __doc__ = _("Modify ID range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'ipabaseid',
+ required=False,
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ required=False,
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ label=_(u'Range type'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_show(Method):
+ __doc__ = _("Display information about a range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
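Review bot: The trusted-domain example in the module docstring gives the mapped Posix range as `1200000 to 13999999`, which is ten times too large. With base-id 1200000 and range-size 200000 the last ID is 1399999, so the line should read `the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 1399999`. The same docstring says `DNS plugin` where the DNA plugin is meant and `1010 id the RID` for "is the RID", and the idrange_add docstring lists `--rid-bas` instead of `--rid-base`. The text itself warns that a deleted and reused range can let users access other users' files, so its numbers and option names should be exact. If this file is generated from the server-side plugin, the correction probably belongs in that source as well.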
diff --git a/ipaclient/remote_plugins/2_49/internal.py b/ipaclient/remote_plugins/2_49/internal.py
new file mode 100644
index 000000000..63a4adca1
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/internal.py
@@ -0,0 +1,90 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugins not accessible directly through the CLI, commands used internally
+""")
+
+register = Registry()
+
+
+@register()
+class i18n_messages(Command):
+ NO_CLI = True
+
+ has_output = (
+ output.Output(
+ 'messages',
+ dict,
+ doc=_(u'Dict of I18N messages'),
+ ),
+ )
+
+
+@register()
+class json_metadata(Command):
+ __doc__ = _("Export plugin meta-data for the webUI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'objname',
+ required=False,
+ doc=_(u'Name of object to export'),
+ ),
+ parameters.Str(
+ 'methodname',
+ required=False,
+ doc=_(u'Name of method to export'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'object',
+ required=False,
+ doc=_(u'Name of object to export'),
+ ),
+ parameters.Str(
+ 'method',
+ required=False,
+ doc=_(u'Name of method to export'),
+ ),
+ parameters.Str(
+ 'command',
+ required=False,
+ doc=_(u'Name of command to export'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'objects',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Objects'),
+ ),
+ output.Output(
+ 'methods',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Methods'),
+ ),
+ output.Output(
+ 'commands',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Commands'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/join.py b/ipaclient/remote_plugins/2_49/join.py
new file mode 100644
index 000000000..dc0904dc4
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/join.py
@@ -0,0 +1,64 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Joining an IPA domain
+""")
+
+register = Registry()
+
+
+@register()
+class join(Command):
+ __doc__ = _("Join an IPA domain")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostname',
+ doc=_(u'The hostname to register as'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: unicode(installutils.get_fqdn())
+ autofill=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'realm',
+ doc=_(u'The IPA realm'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: get_realm()
+ autofill=True,
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ doc=_(u'Hardware platform of the host (e.g. Lenovo T61)'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ doc=_(u'Operating System and version of the host (e.g. Fedora 9)'),
+ ),
+ )
+ has_output = (
+ )
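Review bot: Both `cn` and `realm` are declared with `default_from=DefaultFrom(lambda : None)` and `autofill=True`, while the real callbacks survive only in the `# FIXME:` comments. As far as this definition shows, the client no longer fills in the local FQDN or the realm itself. The FIXME lines should say what happens instead, for example `# FIXME: placeholder default; the hostname must be passed explicitly or resolved by the server` (wording to be confirmed against the actual behaviour). For a command that enrols a host, it is worth stating which side decides the hostname being registered.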
diff --git a/ipaclient/remote_plugins/2_49/krbtpolicy.py b/ipaclient/remote_plugins/2_49/krbtpolicy.py
new file mode 100644
index 000000000..9765c4cd8
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/krbtpolicy.py
@@ -0,0 +1,269 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Kerberos ticket policy
+
+There is a single Kerberos ticket policy. This policy defines the
+maximum ticket lifetime and the maximum renewal age, the period during
+which the ticket is renewable.
+
+You can also create a per-user ticket policy by specifying the user login.
+
+For changes to the global policy to take effect, restarting the KDC service
+is required, which can be achieved using:
+
+service krb5kdc restart
+
+Changes to per-user policies take effect immediately for newly requested
+tickets (e.g. when the user next runs kinit).
+
+EXAMPLES:
+
+ Display the current Kerberos ticket policy:
+ ipa krbtpolicy-show
+
+ Reset the policy to the default:
+ ipa krbtpolicy-reset
+
+ Modify the policy to 8 hours max life, 1-day max renewal:
+ ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400
+
+ Display effective Kerberos ticket policy for user 'admin':
+ ipa krbtpolicy-show admin
+
+ Reset per-user policy for user 'admin':
+ ipa krbtpolicy-reset admin
+
+ Modify per-user policy for user 'admin':
+ ipa krbtpolicy-mod admin --maxlife=3600
+""")
+
+register = Registry()
+
+
+@register()
+class krbtpolicy(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ primary_key=True,
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ parameters.Int(
+ 'krbmaxticketlife',
+ required=False,
+ label=_(u'Max life'),
+ doc=_(u'Maximum ticket life (seconds)'),
+ ),
+ parameters.Int(
+ 'krbmaxrenewableage',
+ required=False,
+ label=_(u'Max renew'),
+ doc=_(u'Maximum renewable age (seconds)'),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_mod(Method):
+ __doc__ = _("Modify Kerberos ticket policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxticketlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max life'),
+ doc=_(u'Maximum ticket life (seconds)'),
+ ),
+ parameters.Int(
+ 'krbmaxrenewableage',
+ required=False,
+ cli_name='maxrenew',
+ label=_(u'Max renew'),
+ doc=_(u'Maximum renewable age (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_reset(Method):
+ __doc__ = _("Reset Kerberos ticket policy to the default values.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_show(Method):
+ __doc__ = _("Display the current Kerberos ticket policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
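Review bot: `krbmaxticketlife` and `krbmaxrenewableage` are declared as plain `parameters.Int` with no lower bound, in both krbtpolicy and krbtpolicy_mod. This client-side definition therefore accepts zero or negative lifetimes and leaves rejection entirely to the server. If a server at this API version enforces a minimum, adding `minvalue=1,` to both would keep the early check. If bounds are deliberately omitted from these compatibility definitions, a one-line comment saying that validation is server-side would help. The `Int` parameters in idrange.py (`ipabaseid`, `ipaidrangesize` and the two RID bases) have the same shape.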
diff --git a/ipaclient/remote_plugins/2_49/migration.py b/ipaclient/remote_plugins/2_49/migration.py
new file mode 100644
index 000000000..753f23a16
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/migration.py
@@ -0,0 +1,295 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Migration to IPA
+
+Migrate users and groups from an LDAP server to IPA.
+
+This performs an LDAP query against the remote server searching for
+users and groups in a container. In order to migrate passwords you need
+to bind as a user that can read the userPassword attribute on the remote
+server. This is generally restricted to high-level admins such as
+cn=Directory Manager in 389-ds (this is the default bind user).
+
+The default user container is ou=People.
+
+The default group container is ou=Groups.
+
+Users and groups that already exist on the IPA server are skipped.
+
+Two LDAP schemas define how group members are stored: RFC2307 and
+RFC2307bis. RFC2307bis uses member and uniquemember to specify group
+members, RFC2307 uses memberUid. The default schema is RFC2307bis.
+
+The schema compat feature allows IPA to reformat data for systems that
+do not support RFC2307bis. It is recommended that this feature is disabled
+during migration to reduce system overhead. It can be re-enabled after
+migration. To migrate with it enabled use the "--with-compat" option.
+
+Migrated users do not have Kerberos credentials, they have only their
+LDAP password. To complete the migration process, users need to go
+to http://ipa.example.com/ipa/migration and authenticate using their
+LDAP password in order to generate their Kerberos credentials.
+
+Migration is disabled by default. Use the command ipa config-mod to
+enable it:
+
+ ipa config-mod --enable-migration=TRUE
+
+If a base DN is not provided with --basedn then IPA will use either
+the value of defaultNamingContext if it is set or the first value
+in namingContexts set in the root of the remote LDAP server.
+
+Users are added as members to the default user group. This can be a
+time-intensive task so during migration this is done in a batch
+mode for every 100 users. As a result there will be a window in which
+users will be added to IPA but will not be members of the default
+user group.
+
+EXAMPLES:
+
+ The simplest migration, accepting all defaults:
+ ipa migrate-ds ldap://ds.example.com:389
+
+ Specify the user and group container. This can be used to migrate user
+ and group data from an IPA v1 server:
+ ipa migrate-ds --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ ldap://ds.example.com:389
+
+ Since IPA v2 server already contain predefined groups that may collide with
+ groups in migrated (IPA v1) server (for example admins, ipausers), users
+ having colliding group as their primary group may happen to belong to
+ an unknown group on new IPA v2 server.
+ Use --group-overwrite-gid option to overwrite GID of already existing groups
+ to prevent this issue:
+ ipa migrate-ds --group-overwrite-gid \
+ --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ ldap://ds.example.com:389
+
+ Migrated users or groups may have object class and accompanied attributes
+ unknown to the IPA v2 server. These object classes and attributes may be
+ left out of the migration process:
+ ipa migrate-ds --user-container='cn=users,cn=accounts' \
+ --group-container='cn=groups,cn=accounts' \
+ --user-ignore-objectclass=radiusprofile \
+ --user-ignore-attribute=radiusgroupname \
+ ldap://ds.example.com:389
+
+LOGGING
+
+Migration will log warnings and errors to the Apache error log. This
+file should be evaluated post-migration to correct or investigate any
+issues that were discovered.
+
+For every 100 users migrated an info-level message will be displayed to
+give the current progress and duration to make it possible to track
+the progress of migration.
+
+If the log level is debug, either by setting debug = True in
+/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed
+for each user added plus a summary when the default user group is
+updated.
+""")
+
+register = Registry()
+
+
+@register()
+class migrate_ds(Command):
+ __doc__ = _("Migrate users and groups from DS to IPA.")
+
+ takes_args = (
+ parameters.Str(
+ 'ldapuri',
+ cli_name='ldap_uri',
+ label=_(u'LDAP URI'),
+ doc=_(u'LDAP URI of DS server to migrate from'),
+ ),
+ parameters.Password(
+ 'bindpw',
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'bind password'),
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'binddn',
+ required=False,
+ cli_name='bind_dn',
+ label=_(u'Bind DN'),
+ default=DN(u'cn=directory manager'),
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'usercontainer',
+ cli_name='user_container',
+ label=_(u'User container'),
+ doc=_(u'DN of container for users in DS relative to base DN'),
+ default=DN(u'ou=people'),
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'groupcontainer',
+ cli_name='group_container',
+ label=_(u'Group container'),
+ doc=_(u'DN of container for groups in DS relative to base DN'),
+ default=DN(u'ou=groups'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userobjectclass',
+ multivalue=True,
+ cli_name='user_objectclass',
+ label=_(u'User object class'),
+ doc=_(u'Comma-separated list of objectclasses used to search for user entries in DS'),
+ default=(u'person',),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupobjectclass',
+ multivalue=True,
+ cli_name='group_objectclass',
+ label=_(u'Group object class'),
+ doc=_(u'Comma-separated list of objectclasses used to search for group entries in DS'),
+ default=(u'groupOfUniqueNames', u'groupOfNames'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userignoreobjectclass',
+ required=False,
+ multivalue=True,
+ cli_name='user_ignore_objectclass',
+ label=_(u'Ignore user object class'),
+ doc=_(u'Comma-separated list of objectclasses to be ignored for user entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'userignoreattribute',
+ required=False,
+ multivalue=True,
+ cli_name='user_ignore_attribute',
+ label=_(u'Ignore user attribute'),
+ doc=_(u'Comma-separated list of attributes to be ignored for user entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupignoreobjectclass',
+ required=False,
+ multivalue=True,
+ cli_name='group_ignore_objectclass',
+ label=_(u'Ignore group object class'),
+ doc=_(u'Comma-separated list of objectclasses to be ignored for group entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'groupignoreattribute',
+ required=False,
+ multivalue=True,
+ cli_name='group_ignore_attribute',
+ label=_(u'Ignore group attribute'),
+ doc=_(u'Comma-separated list of attributes to be ignored for group entries in DS'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'groupoverwritegid',
+ cli_name='group_overwrite_gid',
+ label=_(u'Overwrite GID'),
+ doc=_(u'When migrating a group already existing in IPA domain overwrite the group GID and report as success'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'schema',
+ required=False,
+ cli_metavar="['RFC2307bis', 'RFC2307']",
+ label=_(u'LDAP schema'),
+ doc=_(u'The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'),
+ default=u'RFC2307bis',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'continue',
+ required=False,
+ label=_(u'Continue'),
+ doc=_(u'Continuous operation mode. Errors are reported but the process continues'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.DNParam(
+ 'basedn',
+ required=False,
+ cli_name='base_dn',
+ label=_(u'Base DN'),
+ doc=_(u'Base DN on remote LDAP server'),
+ ),
+ parameters.Flag(
+ 'compat',
+ required=False,
+ cli_name='with_compat',
+ label=_(u'Ignore compat plugin'),
+ doc=_(u'Allows migration despite the usage of compat plugin'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'exclude_groups',
+ required=False,
+ multivalue=True,
+ doc=_(u'comma-separated list of groups to exclude from migration'),
+ default=(),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'exclude_users',
+ required=False,
+ multivalue=True,
+ doc=_(u'comma-separated list of users to exclude from migration'),
+ default=(),
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Lists of objects migrated; categorized by type.'),
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Lists of objects that could not be migrated; categorized by type.'),
+ ),
+ output.Output(
+ 'enabled',
+ bool,
+ doc=_(u'False if migration mode was disabled.'),
+ ),
+ output.Output(
+ 'compat',
+ bool,
+ doc=_(u'False if migration fails because the compatibility plug-in is enabled.'),
+ ),
+ )
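Review bot: Every example in the module docstring binds with `ldap://ds.example.com:389`, and the text sends users to `http://ipa.example.com/ipa/migration` to enter their LDAP password. The same text says the bind is normally made as Directory Manager so that userPassword can be read, yet nothing tells the reader that these credentials and password hashes would cross the network unprotected. I would change the link to `https://ipa.example.com/ipa/migration` and add a sentence after the first example such as `Use an encrypted connection (for example an ldaps:// URI) when migrating passwords.`, if the server at this version supports it. Separately, `bindpw` is a positional `parameters.Password`; assuming the CLI prompts for Password arguments, a short comment that it should be prompted for rather than typed on the command line would be welcome.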
diff --git a/ipaclient/remote_plugins/2_49/misc.py b/ipaclient/remote_plugins/2_49/misc.py
new file mode 100644
index 000000000..4889e666b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/misc.py
@@ -0,0 +1,113 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Misc plug-ins
+""")
+
+register = Registry()
+
+
+@register()
+class env(Command):
+ __doc__ = _("Show environment variables.")
+
+ takes_args = (
+ parameters.Str(
+ 'variables',
+ required=False,
+ multivalue=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'server',
+ required=False,
+ doc=_(u'Forward to server instead of running locally'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=True,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ output.Output(
+ 'total',
+ int,
+ doc=_(u'Total number of variables env (>= count)'),
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of variables returned (<= total)'),
+ ),
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
+
+
+@register()
+class plugins(Command):
+ __doc__ = _("Show all loaded plugins.")
+
+ takes_options = (
+ parameters.Flag(
+ 'server',
+ required=False,
+ doc=_(u'Forward to server instead of running locally'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=True,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping plugin names to bases'),
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of plugins loaded'),
+ ),
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
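Review bot: The module-wide `# pylint: disable=unused-import` at the top of this new file silences the check for everything below it, and here `api`, `DefaultFrom`, `DN`, `DNSName`, `Method` and `Object` are imported but never referenced. The same header opens netgroup.py and passwd.py later in this diff, which suggests a shared template. If the uniform import block is deliberate, say so next to the pragma, e.g. `# Import block is identical across the remote_plugins stubs; not every module uses every name.` Otherwise trim the imports to the names the file uses (`six`, `Command`, `parameters`, `output`, `Registry`, `_`) so that a genuinely stray import is still reported.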
diff --git a/ipaclient/remote_plugins/2_49/netgroup.py b/ipaclient/remote_plugins/2_49/netgroup.py
new file mode 100644
index 000000000..ea2936270
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/netgroup.py
@@ -0,0 +1,826 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Netgroups
+
+A netgroup is a group used for permission checking. It can contain both
+user and host values.
+
+EXAMPLES:
+
+ Add a new netgroup:
+ ipa netgroup-add --desc="NFS admins" admins
+
+ Add members to the netgroup:
+ ipa netgroup-add-member --users=tuser1,tuser2 admins
+
+ Remove a member from the netgroup:
+ ipa netgroup-remove-member --users=tuser2 admins
+
+ Display information about a netgroup:
+ ipa netgroup-show admins
+
+ Delete a netgroup:
+ ipa netgroup-del admins
+""")
+
+register = Registry()
+
+
+@register()
+class netgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Netgroup name'),
+ ),
+ parameters.Str(
+ 'description',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'ipauniqueid',
+ required=False,
+ label=_(u'IPA unique ID'),
+ doc=_(u'IPA unique ID'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ parameters.Str(
+ 'member_netgroup',
+ required=False,
+ label=_(u'Member netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member netgroups'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Member User'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'Member Group'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Member Host'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Member Hostgroup'),
+ ),
+ )
+
+
+@register()
+class netgroup_add(Method):
+ __doc__ = _("Add a new netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class netgroup_add_member(Method):
+ __doc__ = _("Add members to a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'member netgroup'),
+ doc=_(u'comma-separated list of netgroups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class netgroup_del(Method):
+ __doc__ = _("Delete a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class netgroup_find(Method):
+ __doc__ = _("Search for a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'ipauniqueid',
+ required=False,
+ cli_name='uuid',
+ label=_(u'IPA unique ID'),
+ doc=_(u'IPA unique ID'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'private',
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'managed',
+ doc=_(u'search for managed groups'),
+ default=False,
+ default_from=DefaultFrom(lambda private: private),
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups with these member netgroups.'),
+ ),
+ parameters.Str(
+ 'no_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups without these member netgroups.'),
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'user'),
+ doc=_(u'Search for netgroups with these member users.'),
+ ),
+ parameters.Str(
+ 'no_user',
+ required=False,
+ multivalue=True,
+ cli_name='no_users',
+ label=_(u'user'),
+ doc=_(u'Search for netgroups without these member users.'),
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'group'),
+ doc=_(u'Search for netgroups with these member groups.'),
+ ),
+ parameters.Str(
+ 'no_group',
+ required=False,
+ multivalue=True,
+ cli_name='no_groups',
+ label=_(u'group'),
+ doc=_(u'Search for netgroups without these member groups.'),
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'host'),
+ doc=_(u'Search for netgroups with these member hosts.'),
+ ),
+ parameters.Str(
+ 'no_host',
+ required=False,
+ multivalue=True,
+ cli_name='no_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for netgroups without these member hosts.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for netgroups with these member host groups.'),
+ ),
+ parameters.Str(
+ 'no_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for netgroups without these member host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for netgroups without these member of netgroups.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class netgroup_mod(Method):
+ __doc__ = _("Modify a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Netgroup description'),
+ ),
+ parameters.Str(
+ 'nisdomainname',
+ required=False,
+ cli_name='nisdomain',
+ label=_(u'NIS domain name'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class netgroup_remove_member(Method):
+ __doc__ = _("Remove members from a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='netgroups',
+ label=_(u'member netgroup'),
+ doc=_(u'comma-separated list of netgroups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class netgroup_show(Method):
+ __doc__ = _("Display information about a netgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Netgroup name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
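Review bot: The `private` flag in `netgroup_find.takes_options` has neither `label` nor `doc`, although it is excluded from both `webui` and `cli` and supplies the default of `managed` through `DefaultFrom(lambda private: private)`. From this stub a reader cannot tell what the flag selects or which caller is expected to send it, and that matters for an option that widens a search to managed groups. A comment above the parameter would be enough, e.g. `# API-only flag (hidden from cli and webui); 'managed' takes its default from this value.` The exact meaning of "private" should be confirmed by the author, since nothing in the file states it.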
diff --git a/ipaclient/remote_plugins/2_49/passwd.py b/ipaclient/remote_plugins/2_49/passwd.py
new file mode 100644
index 000000000..34385df6d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/passwd.py
@@ -0,0 +1,86 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Set a user's password
+
+If someone other than a user changes that user's password (e.g., Helpdesk
+resets it) then the password will need to be changed the first time it
+is used. This is so the end-user is the only one who knows the password.
+
+The IPA password policy controls how often a password may be changed,
+what strength requirements exist, and the length of the password history.
+
+EXAMPLES:
+
+ To reset your own password:
+ ipa passwd
+
+ To change another user's password:
+ ipa passwd tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class passwd(Command):
+ __doc__ = _("Set a user's password.")
+
+ takes_args = (
+ parameters.Str(
+ 'principal',
+ cli_name='user',
+ label=_(u'User name'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: util.get_current_principal()
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Password(
+ 'password',
+ label=_(u'New Password'),
+ confirm=True,
+ ),
+ parameters.Password(
+ 'current_password',
+ label=_(u'Current Password'),
+ default_from=DefaultFrom(lambda principal: None, 'principal'),
+ # FIXME:
+ # lambda principal: get_current_password(principal)
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
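Review bot: Both `default_from=DefaultFrom(lambda : None)` placeholders in `passwd.takes_args` keep `autofill=True`, so this stub appears to auto-fill `principal` and `current_password` with no value. The only hint at the intended source is a bare `# FIXME:` comment placed after the argument it refers to. For `current_password` this matters to a reviewer: the file does not show whether the current password is still requested when a user changes their own password, or which side makes that decision. I would move the explanation above each placeholder and state the expectation, e.g. `# Placeholder: the real default, get_current_password(principal), is not evaluated in this stub; confirm where it is supplied.` The FIXME should also be tracked so that the `None` default is not later read as "no current password required".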
diff --git a/ipaclient/remote_plugins/2_49/permission.py b/ipaclient/remote_plugins/2_49/permission.py
new file mode 100644
index 000000000..bce582fdd
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/permission.py
@@ -0,0 +1,751 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Permissions
+
+A permission enables fine-grained delegation of rights. A permission is
+a human-readable form of a 389-ds Access Control Rule, or instruction (ACI).
+A permission grants the right to perform a specific task such as adding a
+user, modifying a group, etc.
+
+A permission may not contain other permissions.
+
+* A permission grants access to read, write, add or delete.
+* A privilege combines similar permissions (for example all the permissions
+ needed to add a user).
+* A role grants a set of privileges to users, groups, hosts or hostgroups.
+
+A permission is made up of a number of different parts:
+
+1. The name of the permission.
+2. The target of the permission.
+3. The rights granted by the permission.
+
+Rights define what operations are allowed, and may be one or more
+of the following:
+1. write - write one or more attributes
+2. read - read one or more attributes
+3. add - add a new entry to the tree
+4. delete - delete an existing entry
+5. all - all permissions are granted
+
+Read permission is granted for most attributes by default so the read
+permission is not expected to be used very often.
+
+Note the distinction between attributes and entries. The permissions are
+independent, so being able to add a user does not mean that the user will
+be editable.
+
+There are a number of allowed targets:
+1. type: a type of object (user, group, etc).
+2. memberof: a member of a group or hostgroup
+3. filter: an LDAP filter
+4. subtree: an LDAP filter specifying part of the LDAP DIT. This is a
+ super-set of the "type" target.
+5. targetgroup: grant access to modify a specific group (such as granting
+ the rights to manage group membership)
+
+EXAMPLES:
+
+ Add a permission that grants the creation of users:
+ ipa permission-add --type=user --permissions=add "Add Users"
+
+ Add a permission that grants the ability to manage group membership:
+ ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members"
+""")
+
+register = Registry()
+
+
+@register()
+class permission(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Permission name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to'),
+ ),
+ parameters.Str(
+ 'member_privilege',
+ required=False,
+ label=_(u'Granted to Privilege'),
+ ),
+ parameters.Str(
+ 'memberindirect_role',
+ required=False,
+ label=_(u'Indirect Member of roles'),
+ ),
+ )
+
+
+@register()
+class permission_add(Method):
+ __doc__ = _("Add a new permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ alwaysask=True,
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_add_member(Method):
+ __doc__ = _("Add members to a permission.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'member privilege'),
+ doc=_(u'comma-separated list of privileges to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class permission_add_noaci(Method):
+ __doc__ = _("Add a system permission without an ACI")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissiontype',
+ required=False,
+ cli_metavar="['SYSTEM']",
+ label=_(u'Permission type'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_del(Method):
+ __doc__ = _("Delete a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force delete of SYSTEM permissions'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_find(Method):
+ __doc__ = _("Search for permissions.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class permission_mod(Method):
+ __doc__ = _("Modify a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'type',
+ required=False,
+ cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
+ label=_(u'Type'),
+ doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
+ ),
+ parameters.Str(
+ 'memberof',
+ required=False,
+ label=_(u'Member of group'),
+ doc=_(u'Target members of a group'),
+ ),
+ parameters.Str(
+ 'filter',
+ required=False,
+ label=_(u'Filter'),
+ doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
+ ),
+ parameters.Str(
+ 'subtree',
+ required=False,
+ label=_(u'Subtree'),
+ doc=_(u'Subtree to apply permissions to'),
+ ),
+ parameters.Str(
+ 'targetgroup',
+ required=False,
+ label=_(u'Target group'),
+ doc=_(u'User group to apply permissions to'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the permission object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class permission_remove_member(Method):
+ __doc__ = _("Remove members from a permission.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'member privilege'),
+ doc=_(u'comma-separated list of privileges to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class permission_show(Method):
+ __doc__ = _("Display information about a permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Permission name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/ping.py b/ipaclient/remote_plugins/2_49/ping.py
new file mode 100644
index 000000000..83917fbb7
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/ping.py
@@ -0,0 +1,60 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Ping the remote IPA server to ensure it is running.
+
+The ping command sends an echo request to an IPA server. The server
+returns its version information. This is used by an IPA client
+to confirm that the server is available and accepting requests.
+
+The server from xmlrpc_uri in /etc/ipa/default.conf is contacted first.
+If it does not respond then the client will contact any servers defined
+by ldap SRV records in DNS.
+
+EXAMPLES:
+
+ Ping an IPA server:
+ ipa ping
+ ------------------------------------------
+ IPA server version 2.1.9. API version 2.20
+ ------------------------------------------
+
+ Ping an IPA server verbosely:
+ ipa -v ping
+ ipa: INFO: trying https://ipa.example.com/ipa/xml
+ ipa: INFO: Forwarding 'ping' to server u'https://ipa.example.com/ipa/xml'
+ -----------------------------------------------------
+ IPA server version 2.1.9. API version 2.20
+ -----------------------------------------------------
+""")
+
+register = Registry()
+
+
+@register()
+class ping(Command):
+ __doc__ = _("Ping a remote server.")
+
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/pkinit.py b/ipaclient/remote_plugins/2_49/pkinit.py
new file mode 100644
index 000000000..9b06c2ef0
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/pkinit.py
@@ -0,0 +1,61 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Kerberos pkinit options
+
+Enable or disable anonymous pkinit using the principal
+WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
+pkinit support.
+
+EXAMPLES:
+
+ Enable anonymous pkinit:
+ ipa pkinit-anonymous enable
+
+ Disable anonymous pkinit:
+ ipa pkinit-anonymous disable
+
+For more information on anonymous pkinit see:
+
+http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+""")
+
+register = Registry()
+
+
+@register()
+class pkinit(Object):
+ takes_params = (
+ )
+
+
+@register()
+class pkinit_anonymous(Command):
+ __doc__ = _("Enable or Disable Anonymous PKINIT.")
+
+ takes_args = (
+ parameters.Str(
+ 'action',
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
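Review bot: The `action` argument of `pkinit_anonymous` is declared as a bare `parameters.Str('action')` with no `label` or `doc`, so the accepted values (`enable` / `disable`) appear only in the module docstring's examples. This command switches anonymous PKINIT on or off for the realm, so the definition should state its inputs, for example `doc=_(u'Action to perform: enable or disable')`. The `result` output is likewise declared as `output.Output('result')` with no type or description, unlike the outputs in the sibling files. Nothing in this hunk restricts `action` on the client, so rejection of other strings presumably depends on the server. That is worth confirming and recording in a comment.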
diff --git a/ipaclient/remote_plugins/2_49/privilege.py b/ipaclient/remote_plugins/2_49/privilege.py
new file mode 100644
index 000000000..f450c20f1
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/privilege.py
@@ -0,0 +1,603 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Privileges
+
+A privilege combines permissions into a logical task. A permission provides
+the rights to do a single task. There are some IPA operations that require
+multiple permissions to succeed. A privilege is where permissions are
+combined in order to perform a specific task.
+
+For example, adding a user requires the following permissions:
+ * Creating a new user entry
+ * Resetting a user password
+ * Adding the new user to the default IPA users group
+
+Combining these three low-level tasks into a higher level task in the
+form of a privilege named "Add User" makes it easier to manage Roles.
+
+A privilege may not contain other privileges.
+
+See role and permission for additional information.
+""")
+
+register = Registry()
+
+
+@register()
+class privilege(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Privilege name'),
+ ),
+ parameters.Str(
+ 'description',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'memberof_permission',
+ required=False,
+ label=_(u'Permissions'),
+ ),
+ parameters.Str(
+ 'member_role',
+ required=False,
+ label=_(u'Granting privilege to roles'),
+ ),
+ )
+
+
+@register()
+class privilege_add(Method):
+ __doc__ = _("Add a new privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class privilege_add_member(Method):
+ __doc__ = _("Add members to a privilege.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'role',
+ required=False,
+ multivalue=True,
+ cli_name='roles',
+ label=_(u'member role'),
+ doc=_(u'comma-separated list of roles to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class privilege_add_permission(Method):
+ __doc__ = _("Add permissions to a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ multivalue=True,
+ cli_name='permissions',
+ label=_(u'permission'),
+ doc=_(u'comma-separated list of permissions'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of permissions added'),
+ ),
+ )
+
+
+@register()
+class privilege_del(Method):
+ __doc__ = _("Delete a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class privilege_find(Method):
+ __doc__ = _("Search for privileges.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class privilege_mod(Method):
+ __doc__ = _("Modify a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Privilege description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the privilege object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class privilege_remove_member(Method):
+ __doc__ = _("Remove members from a privilege")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'role',
+ required=False,
+ multivalue=True,
+ cli_name='roles',
+ label=_(u'member role'),
+ doc=_(u'comma-separated list of roles to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class privilege_remove_permission(Method):
+ __doc__ = _("Remove permissions from a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'permission',
+ required=False,
+ multivalue=True,
+ cli_name='permissions',
+ label=_(u'permission'),
+ doc=_(u'comma-separated list of permissions'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of permissions removed'),
+ ),
+ )
+
+
+@register()
+class privilege_show(Method):
+ __doc__ = _("Display information about a privilege.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Privilege name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
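Review bot: In `privilege_remove_permission` the `failed` output carries `doc=_(u'Members that could not be added')`, which is the wording from `privilege_add_permission` and is wrong for a removal. Someone reading a partial failure while revoking permissions from a privilege gets a description of the opposite operation. I would change it to `doc=_(u'Members that could not be removed')`, matching `privilege_remove_member` in the same file. `privilege_remove_member` also has the only `__doc__` here without a closing period. If these definitions are snapshotted from server metadata rather than hand-written, the text should be corrected where the snapshot is produced so the two stay in step.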
diff --git a/ipaclient/remote_plugins/2_49/pwpolicy.py b/ipaclient/remote_plugins/2_49/pwpolicy.py
new file mode 100644
index 000000000..99e494548
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/pwpolicy.py
@@ -0,0 +1,947 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Password policy
+
+A password policy sets limitations on IPA passwords, including maximum
+lifetime, minimum lifetime, the number of passwords to save in
+history, the number of character classes required (for stronger passwords)
+and the minimum password length.
+
+By default there is a single, global policy for all users. You can also
+create a password policy to apply to a group. Each user is only subject
+to one password policy, either the group policy or the global policy. A
+group policy stands alone; it is not a super-set of the global policy plus
+custom settings.
+
+Each group password policy requires a unique priority setting. If a user
+is in multiple groups that have password policies, this priority determines
+which password policy is applied. A lower value indicates a higher priority
+policy.
+
+Group password policies are automatically removed when the groups they
+are associated with are removed.
+
+EXAMPLES:
+
+ Modify the global policy:
+ ipa pwpolicy-mod --minlength=10
+
+ Add a new group password policy:
+ ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins
+
+ Display the global password policy:
+ ipa pwpolicy-show
+
+ Display a group password policy:
+ ipa pwpolicy-show localadmins
+
+ Display the policy that would be applied to a given user:
+ ipa pwpolicy-show --user=tuser1
+
+ Modify a group password policy:
+ ipa pwpolicy-mod --minclasses=2 localadmins
+""")
+
+register = Registry()
+
+
+@register()
+class cosentry(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ ),
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ ),
+ parameters.Int(
+ 'cospriority',
+ ),
+ )
+
+
+@register()
+class pwpolicy(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ primary_key=True,
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ )
+
+
+@register()
+class cosentry_add(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ ),
+ parameters.Int(
+ 'cospriority',
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cosentry_del(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cosentry_find(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ ),
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ required=False,
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("cn")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class cosentry_mod(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.DNParam(
+ 'krbpwdpolicyreference',
+ required=False,
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class cosentry_show(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_add(Method):
+ __doc__ = _("Add a new group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_del(Method):
+ __doc__ = _("Delete a group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_find(Method):
+ __doc__ = _("Search for group password policies.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("group")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class pwpolicy_mod(Method):
+ __doc__ = _("Modify a group password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxpwdlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max lifetime (days)'),
+ doc=_(u'Maximum password lifetime (in days)'),
+ ),
+ parameters.Int(
+ 'krbminpwdlife',
+ required=False,
+ cli_name='minlife',
+ label=_(u'Min lifetime (hours)'),
+ doc=_(u'Minimum password lifetime (in hours)'),
+ ),
+ parameters.Int(
+ 'krbpwdhistorylength',
+ required=False,
+ cli_name='history',
+ label=_(u'History size'),
+ doc=_(u'Password history size'),
+ ),
+ parameters.Int(
+ 'krbpwdmindiffchars',
+ required=False,
+ cli_name='minclasses',
+ label=_(u'Character classes'),
+ doc=_(u'Minimum number of character classes'),
+ ),
+ parameters.Int(
+ 'krbpwdminlength',
+ required=False,
+ cli_name='minlength',
+ label=_(u'Min length'),
+ doc=_(u'Minimum length of password'),
+ ),
+ parameters.Int(
+ 'cospriority',
+ required=False,
+ cli_name='priority',
+ label=_(u'Priority'),
+ doc=_(u'Priority of the policy (higher number means lower priority'),
+ ),
+ parameters.Int(
+ 'krbpwdmaxfailure',
+ required=False,
+ cli_name='maxfail',
+ label=_(u'Max failures'),
+ doc=_(u'Consecutive failures before lockout'),
+ ),
+ parameters.Int(
+ 'krbpwdfailurecountinterval',
+ required=False,
+ cli_name='failinterval',
+ label=_(u'Failure reset interval'),
+ doc=_(u'Period after which failure count will be reset (seconds)'),
+ ),
+ parameters.Int(
+ 'krbpwdlockoutduration',
+ required=False,
+ cli_name='lockouttime',
+ label=_(u'Lockout duration'),
+ doc=_(u'Period for which lockout is enforced (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class pwpolicy_show(Method):
+ __doc__ = _("Display information about password policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='group',
+ label=_(u'Group'),
+ doc=_(u'Manage password policy for specific group'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ label=_(u'User'),
+ doc=_(u'Display effective policy for a specific user'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/role.py b/ipaclient/remote_plugins/2_49/role.py
new file mode 100644
index 000000000..e7ac59b7f
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/role.py
@@ -0,0 +1,682 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Roles
+
+A role is used for fine-grained delegation. A permission grants the ability
+to perform given low-level tasks (add a user, modify a group, etc.). A
+privilege combines one or more permissions into a higher-level abstraction
+such as useradmin. A useradmin would be able to add, delete and modify users.
+
+Privileges are assigned to Roles.
+
+Users, groups, hosts and hostgroups may be members of a Role.
+
+Roles can not contain other roles.
+
+EXAMPLES:
+
+ Add a new role:
+ ipa role-add --desc="Junior-level admin" junioradmin
+
+ Add some privileges to this role:
+ ipa role-add-privilege --privileges=addusers junioradmin
+ ipa role-add-privilege --privileges=change_password junioradmin
+ ipa role-add-privilege --privileges=add_user_to_default_group junioradmin
+
+ Add a group of users to this role:
+ ipa group-add --desc="User admins" useradmins
+ ipa role-add-member --groups=useradmins junioradmin
+
+ Display information about a role:
+ ipa role-show junioradmin
+
+ The result of this is that any users in the group 'junioradmin' can
+ add users, reset passwords or add a user to the default IPA user group.
+""")
+
+register = Registry()
+
+
+@register()
+class role(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Role name'),
+ ),
+ parameters.Str(
+ 'description',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'member_user',
+ required=False,
+ label=_(u'Member users'),
+ ),
+ parameters.Str(
+ 'member_group',
+ required=False,
+ label=_(u'Member groups'),
+ ),
+ parameters.Str(
+ 'member_host',
+ required=False,
+ label=_(u'Member hosts'),
+ ),
+ parameters.Str(
+ 'member_hostgroup',
+ required=False,
+ label=_(u'Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_privilege',
+ required=False,
+ label=_(u'Privileges'),
+ ),
+ )
+
+
+@register()
+class role_add(Method):
+ __doc__ = _("Add a new role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class role_add_member(Method):
+ __doc__ = _("Add members to a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class role_add_privilege(Method):
+ __doc__ = _("Add privileges to a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'privilege'),
+ doc=_(u'comma-separated list of privileges'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of privileges added'),
+ ),
+ )
+
+
+@register()
+class role_del(Method):
+ __doc__ = _("Delete a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class role_find(Method):
+ __doc__ = _("Search for roles.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class role_mod(Method):
+ __doc__ = _("Modify a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this role-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the role object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class role_remove_member(Method):
+ __doc__ = _("Remove members from a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class role_remove_privilege(Method):
+ __doc__ = _("Remove privileges from a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'privilege',
+ required=False,
+ multivalue=True,
+ cli_name='privileges',
+ label=_(u'privilege'),
+ doc=_(u'comma-separated list of privileges'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of privileges removed'),
+ ),
+ )
+
+
+@register()
+class role_show(Method):
+ __doc__ = _("Display information about a role.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Role name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
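Review bot: In `role_remove_privilege.has_output` the `failed` output is documented as `Members that could not be added`, which names the wrong operation for a removal command. `role_remove_member` in this same file already uses removal wording, so the line should read something like `doc=_(u'Privileges that could not be removed'),`. The closing paragraph of the module docstring also says users in the group 'junioradmin' gain the rights, but in the example `junioradmin` is the role and `useradmins` is the group added to it. For a delegation feature the text should name the principal that actually receives the privileges, e.g. `any users in the group 'useradmins' can`. If this 2_49 stub has to mirror that API version's strings verbatim (an inference from the path), correct the wording where the strings originate rather than here.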
diff --git a/ipaclient/remote_plugins/2_49/selfservice.py b/ipaclient/remote_plugins/2_49/selfservice.py
new file mode 100644
index 000000000..76bb84ca4
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/selfservice.py
@@ -0,0 +1,337 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Self-service Permissions
+
+A permission enables fine-grained delegation of permissions. Access Control
+Rules, or instructions (ACIs), grant permission to permissions to perform
+given tasks such as adding a user, modifying a group, etc.
+
+A Self-service permission defines what an object can change in its own entry.
+
+
+EXAMPLES:
+
+ Add a self-service rule to allow users to manage their address:
+ ipa selfservice-add --permissions=write --attrs=street,postalCode,l,c,st "Users manage their own address"
+
+ When managing the list of attributes you need to include all attributes
+ in the list, including existing ones. Add telephoneNumber to the list:
+ ipa selfservice-mod --attrs=street,postalCode,l,c,st,telephoneNumber "Users manage their own address"
+
+ Display our updated rule:
+ ipa selfservice-show "Users manage their own address"
+
+ Delete a rule:
+ ipa selfservice-del "Users manage their own address"
+""")
+
+register = Registry()
+
+
+@register()
+class selfservice(Object):
+ takes_params = (
+ parameters.Str(
+ 'aciname',
+ primary_key=True,
+ label=_(u'Self-service name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ ),
+ )
+
+
+@register()
+class selfservice_add(Method):
+ __doc__ = _("Add a new self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_del(Method):
+ __doc__ = _("Delete a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_find(Method):
+ __doc__ = _("Search for a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'aciname',
+ required=False,
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class selfservice_mod(Method):
+ __doc__ = _("Modify a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'permissions',
+ required=False,
+ multivalue=True,
+ label=_(u'Permissions'),
+ doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
+ ),
+ parameters.Str(
+ 'attrs',
+ required=False,
+ multivalue=True,
+ label=_(u'Attributes'),
+ doc=_(u'Comma-separated list of attributes'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selfservice_show(Method):
+ __doc__ = _("Display information about a self-service permission.")
+
+ takes_args = (
+ parameters.Str(
+ 'aciname',
+ cli_name='name',
+ label=_(u'Self-service name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
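Review bot: The `selfservice` object declares `attrs` without `no_convert=True`, while `selfservice_add`, `selfservice_find` and `selfservice_mod` all pass it, so the object-level parameter disagrees with the commands on value conversion. Either add `no_convert=True,` to the object's `attrs` or add a comment explaining why it differs. `permissions` is an optional free-form `Str` whose doc says the default is write, and nothing in this stub restricts its values. A short comment such as `# not validated client-side; omitted means write` would tell readers that enforcement must live elsewhere (presumably on the server, which this file does not show). The module docstring sentence `grant permission to permissions to perform given tasks` is also garbled and should be reworded.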
diff --git a/ipaclient/remote_plugins/2_49/selinuxusermap.py b/ipaclient/remote_plugins/2_49/selinuxusermap.py
new file mode 100644
index 000000000..eaa98412a
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/selinuxusermap.py
@@ -0,0 +1,852 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+SELinux User Mapping
+
+Map IPA users to SELinux users by host.
+
+Hosts, hostgroups, users and groups can be either defined within
+the rule or it may point to an existing HBAC rule. When using
+--hbacrule option to selinuxusermap-find an exact match is made on the
+HBAC rule name, so only one or zero entries will be returned.
+
+EXAMPLES:
+
+ Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server":
+ ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1
+ ipa selinuxusermap-add-host --hosts=server.example.com test1
+
+ Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts:
+ ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2
+
+ Display the properties of a rule:
+ ipa selinuxusermap-show test2
+
+ Create a rule for a specific user. This sets the SELinux context for
+ user john to unconfined_u:s0-s0:c0.c1023 on any machine:
+ ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined
+ ipa selinuxusermap-add-user --users=john john_unconfined
+
+ Disable a rule:
+ ipa selinuxusermap-disable test1
+
+ Enable a rule:
+ ipa selinuxusermap-enable test1
+
+ Find a rule referencing a specific HBAC rule:
+ ipa selinuxusermap-find --hbacrule=allow_some
+
+ Remove a rule:
+ ipa selinuxusermap-del john_unconfined
+
+SEEALSO:
+
+ The list controlling the order in which the SELinux user map is applied
+ and the default SELinux user are available in the config-show command.
+""")
+
+register = Registry()
+
+
+@register()
+class selinuxusermap(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'ipaselinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add(Method):
+ __doc__ = _("Create a new SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaselinuxuser',
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add_host(Method):
+ __doc__ = _("Add target hosts and hostgroups to an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_add_user(Method):
+ __doc__ = _("Add users and groups to an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_del(Method):
+ __doc__ = _("Delete a SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_disable(Method):
+ __doc__ = _("Disable an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_enable(Method):
+ __doc__ = _("Enable an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_find(Method):
+ __doc__ = _("Search for SELinux User Maps.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'ipaselinuxuser',
+ required=False,
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_mod(Method):
+ __doc__ = _("Modify a SELinux User Map.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipaselinuxuser',
+ required=False,
+ cli_name='selinuxuser',
+ label=_(u'SELinux User'),
+ ),
+ parameters.Str(
+ 'seealso',
+ required=False,
+ cli_name='hbacrule',
+ label=_(u'HBAC Rule'),
+ doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_remove_user(Method):
+ __doc__ = _("Remove users and groups from an SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class selinuxusermap_show(Method):
+ __doc__ = _("Display the properties of a SELinux User Map rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
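Review bot: `usercategory` and `hostcategory` in `selinuxusermap_add`, `selinuxusermap_find` and `selinuxusermap_mod` are declared as plain `parameters.Str` although their `cli_metavar="['all']"` advertises a closed value set, so nothing in this client-side definition rejects any other string. The same pattern appears for `ipakrbauthzdata` (`cli_metavar="['MS-PAC', 'PAD', 'NONE']"`) in service.py's `service_add`, `service_find` and `service_mod`, and `ipaselinuxuser` is likewise free-form here. If that is intentional, I would say so in the file header, e.g. `# Parameter types here are descriptive only; value validation is enforced by the server.`, so that nobody treats these stubs as an input-validation boundary for access-control data. Whether the server enforces the value set cannot be seen from this hunk.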
diff --git a/ipaclient/remote_plugins/2_49/service.py b/ipaclient/remote_plugins/2_49/service.py
new file mode 100644
index 000000000..b0d6da055
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/service.py
@@ -0,0 +1,621 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Services
+
+A IPA service represents a service that runs on a host. The IPA service
+record can store a Kerberos principal, an SSL certificate, or both.
+
+An IPA service can be managed directly from a machine, provided that
+machine has been given the correct permission. This is true even for
+machines other than the one the service is associated with. For example,
+requesting an SSL certificate using the host service principal credentials
+of the host. To manage a service using host credentials you need to
+kinit as the host:
+
+ # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM
+
+Adding an IPA service allows the associated service to request an SSL
+certificate or keytab, but this is performed as a separate step; they
+are not produced as a result of adding the service.
+
+Only the public aspect of a certificate is stored in a service record;
+the private key is not stored.
+
+EXAMPLES:
+
+ Add a new IPA service:
+ ipa service-add HTTP/web.example.com
+
+ Allow a host to manage an IPA service certificate:
+ ipa service-add-host --hosts=web.example.com HTTP/web.example.com
+ ipa role-add-member --hosts=web.example.com certadmin
+
+ Override a default list of supported PAC types for the service:
+ ipa service-mod HTTP/web.example.com --pac-type=MS-PAC
+
+ Delete an IPA service:
+ ipa service-del HTTP/web.example.com
+
+ Find all IPA services associated with a host:
+ ipa service-find web.example.com
+
+ Find all HTTP services:
+ ipa service-find HTTP
+
+ Disable the service Kerberos key and SSL certificate:
+ ipa service-disable HTTP/web.example.com
+
+ Request a certificate for an IPA service:
+ ipa cert-request --principal=HTTP/web.example.com example.csr
+
+ Generate and retrieve a keytab for an IPA service:
+ ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
+""")
+
+register = Registry()
+
+
+@register()
+class service(Object):
+ takes_params = (
+ parameters.Str(
+ 'krbprincipalname',
+ primary_key=True,
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ ),
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Keytab'),
+ ),
+ parameters.Str(
+ 'managedby_host',
+ label=_(u'Managed by'),
+ ),
+ )
+
+
+@register()
+class service_add(Method):
+ __doc__ = _("Add a new IPA new service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force principal name even if not in DNS'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_add_host(Method):
+ __doc__ = _("Add hosts that can manage this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class service_del(Method):
+ __doc__ = _("Delete an IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ multivalue=True,
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_disable(Method):
+ __doc__ = _("Disable the Kerberos key and SSL certificate of a service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_find(Method):
+ __doc__ = _("Search for IPA services.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("principal")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for services with these managed by hosts.'),
+ ),
+ parameters.Str(
+ 'not_man_by_host',
+ required=False,
+ multivalue=True,
+ cli_name='not_man_by_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for services without these managed by hosts.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class service_mod(Method):
+ __doc__ = _("Modify an existing IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Bytes(
+ 'usercertificate',
+ required=False,
+ cli_name='certificate',
+ label=_(u'Certificate'),
+ doc=_(u'Base-64 encoded server certificate'),
+ ),
+ parameters.Str(
+ 'ipakrbauthzdata',
+ required=False,
+ multivalue=True,
+ cli_name='pac_type',
+ cli_metavar="['MS-PAC', 'PAD', 'NONE']",
+ label=_(u'PAC type'),
+ doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class service_remove_host(Method):
+ __doc__ = _("Remove hosts that can manage this service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class service_show(Method):
+ __doc__ = _("Display information about an IPA service.")
+
+ takes_args = (
+ parameters.Str(
+ 'krbprincipalname',
+ cli_name='principal',
+ label=_(u'Principal'),
+ doc=_(u'Service principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
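Review bot: The help string on `service_add` reads "Add a new IPA new service." with a duplicated "new", and the module docstring opens with "A IPA service"; both end up in user-facing help text. I would change them to `__doc__ = _("Add a new IPA service.")` and `An IPA service represents a service that runs on a host.`. If these strings are copied from the server-side plugin so that the translation msgids match, the wording should be fixed at that source first; that cannot be confirmed from this hunk.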
diff --git a/ipaclient/remote_plugins/2_49/session.py b/ipaclient/remote_plugins/2_49/session.py
new file mode 100644
index 000000000..af56cd688
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/session.py
@@ -0,0 +1,624 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Session Support for IPA
+John Dennis <jdennis@redhat.com>
+
+Goals
+=====
+
+Provide per-user session data caching which persists between
+requests. Desired features are:
+
+* Integrates cleanly with minimum impact on existing infrastructure.
+
+* Provides maximum security balanced against real-world performance
+ demands.
+
+* Sessions must be able to be revoked (flushed).
+
+* Should be flexible and easy to use for developers.
+
+* Should leverage existing technology and code to the maximum extent
+ possible to avoid re-invention, excessive implementation time and to
+ benefit from robustness in field proven components commonly shared
+ in the open source community.
+
+* Must support multiple independent processes which share session
+ data.
+
+* System must function correctly if session data is available or not.
+
+* Must be high performance.
+
+* Should not be tied to specific web servers or browsers. Should
+ integrate with our chosen WSGI model.
+
+Issues
+======
+
+Cookies
+-------
+
+Most session implementations are based on the use of cookies. Cookies
+have some inherent problems.
+
+* User has the option to disable cookies.
+
+* User stored cookie data is not secure. Can be mitigated by setting
+ flags indicating the cookie is only to be used with SSL secured HTTP
+ connections to specific web resources and setting the cookie to
+ expire at session termination. Most modern browsers enforce these.
+
+Where to store session data?
+----------------------------
+
+Session data may be stored on either on the client or on the
+server. Storing session data on the client addresses the problem of
+session data availability when requests are serviced by independent web
+servers because the session data travels with the request. However
+there are data size limitations. Storing session data on the client
+also exposes sensitive data but this can be mitigated by encrypting
+the session data such that only the server can decrypt it.
+
+The more conventional approach is to bind session data to a unique
+name, the session ID. The session ID is transmitted to the client and
+the session data is paired with the session ID on the server in a
+associative data store. The session data is retrieved by the server
+using the session ID when the receiving the request. This eliminates
+exposing sensitive session data on the client along with limitations
+on data size. It however introduces the issue of session data
+availability when requests are serviced by more than one server
+process.
+
+Multi-process session data availability
+---------------------------------------
+
+Apache (and other web servers) fork child processes to handle requests
+in parallel. Also web servers may be deployed in a farm where requests
+are load balanced in round robin fashion across different nodes. In
+both cases session data cannot be stored in the memory of a server
+process because it is not available to other processes, either sibling
+children of a master server process or server processes on distinct
+nodes.
+
+Typically this is addressed by storing session data in a SQL
+database. When a request is received by a server process containing a
+session ID in it's cookie data the session ID is used to perform a SQL
+query and the resulting data is then attached to the request as it
+proceeds through the request processing pipeline. This of course
+introduces coherency issues.
+
+For IPA the introduction of a SQL database dependency is undesired and
+should be avoided.
+
+Session data may also be shared by independent processes by storing
+the session data in files.
+
+An alternative solution which has gained considerable popularity
+recently is the use of a fast memory based caching server. Data is
+stored in a single process memory and may be queried and set via a
+light weight protocol using standard socket mechanisms, memcached is
+one example. A typical use is to optimize SQL queries by storing a SQL
+result in shared memory cache avoiding the more expensive SQL
+operation. But the memory cache has distinct advantages in non-SQL
+situations as well.
+
+Possible implementations for use by IPA
+=======================================
+
+Apache Sessions
+---------------
+
+Apache has 2.3 has implemented session support via these modules:
+
+ mod_session
+ Overarching session support based on cookies.
+
+ See: http://httpd.apache.org/docs/2.3/mod/mod_session.html
+
+ mod_session_cookie
+ Stores session data in the client.
+
+ See: http://httpd.apache.org/docs/2.3/mod/mod_session_cookie.html
+
+ mod_session_crypto
+ Encrypts session data for security. Encryption key is shared
+ configuration parameter visible to all Apache processes and is
+ stored in a configuration file.
+
+ See: http://httpd.apache.org/docs/2.3/mod/mod_session_crypto.html
+
+ mod_session_dbd
+ Stores session data in a SQL database permitting multiple
+ processes to access and share the same session data.
+
+ See: http://httpd.apache.org/docs/2.3/mod/mod_session_dbd.html
+
+Issues with Apache sessions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Although Apache has implemented generic session support and Apache is
+our web server of preference it nonetheless introduces issues for IPA.
+
+ * Session support is only available in httpd >= 2.3 which at the
+ time of this writing is currently only available as a Beta release
+ from upstream. We currently only ship httpd 2.2, the same is true
+ for other distributions.
+
+ * We could package and ship the sessions modules as a temporary
+ package in httpd 2.2 environments. But this has the following
+ consequences:
+
+ - The code has to be backported. the module API has changed
+ slightly between httpd 2.2 and 2.3. The backporting is not
+ terribly difficult and a proof of concept has been
+ implemented.
+
+ - We would then be on the hook to package and maintain a special
+ case Apache package. This is maintenance burden as well as a
+ distribution packaging burden. Both of which would be best
+ avoided if possible.
+
+ * The design of the Apache session modules is such that they can
+ only be manipulated by other Apache modules. The ability of
+ consumers of the session data to control the session data is
+ simplistic, constrained and static during the period the request
+ is processed. Request handlers which are not native Apache modules
+ (e.g. IPA via WSGI) can only examine the session data
+ via request headers and reset it in response headers.
+
+ * Shared session data is available exclusively via SQL.
+
+However using the 2.3 Apache session modules would give us robust
+session support implemented in C based on standardized Apache
+interfaces which are widely used.
+
+Python Web Frameworks
+---------------------
+
+Virtually every Python web framework supports cookie based sessions,
+e.g. Django, Twisted, Zope, Turbogears etc. Early on in IPA we decided
+to avoid the use of these frameworks. Trying to pull in just one part
+of these frameworks just to get session support would be problematic
+because the code does not function outside it's framework.
+
+IPA implemented sessions
+------------------------
+
+Originally it was believed the path of least effort was to utilize
+existing session support, most likely what would be provided by
+Apache. However there are enough basic modular components available in
+native Python and other standard packages it should be possible to
+provide session support meeting the aforementioned goals with a modest
+implementation effort. Because we're leveraging existing components
+the implementation difficulties are subsumed by other components which
+have already been field proven and have community support. This is a
+smart strategy.
+
+Proposed Solution
+=================
+
+Our interface to the web server is via WSGI which invokes a callback
+per request passing us an environmental context for the request. For
+this discussion we'll name the WSGI callback "application()", a
+conventional name in WSGI parlance.
+
+Shared session data will be handled by memcached. We will create one
+instance of memcached on each server node dedicated to IPA
+exclusively. Communication with memcached will be via a UNIX socket
+located in the file system under /var/run/ipa_memcached. It will be
+protected by file permissions and optionally SELinux policy.
+
+In application() we examine the request cookies and if there is an IPA
+session cookie with a session ID we retrieve the session data from our
+memcached instance.
+
+The session data will be a Python dict. IPA components will read or
+write their session information by using a pre-agreed upon name
+(e.g. key) in the dict. This is a very flexible system and consistent
+with how we pass data in most parts of IPA.
+
+If the session data is not available an empty session data dict will
+be created.
+
+How does this session data travel with the request in the IPA
+pipeline? In IPA we use the HTTP request/response to implement RPC. In
+application() we convert the request into a procedure call passing it
+arguments derived from the HTTP request. The passed parameters are
+specific to the RPC method being invoked. The context the RPC call is
+executing in is not passed as an RPC parameter.
+
+How would the contextual information such as session data be bound to
+the request and hence the RPC call?
+
+In IPA when a RPC invocation is being prepared from a request we
+recognize this will only ever be processed serially by one Python
+thread. A thread local dict called "context" is allocated for each
+thread. The context dict is cleared in between requests (e.g. RPC method
+invocations). The per-thread context dict is populated during the
+lifetime of the request and is used as a global data structure unique to
+the request that various IPA component can read from and write to with
+the assurance the data is unique to the current request and/or method
+call.
+
+The session data dict will be written into the context dict under the
+session key before the RPC method begins execution. Thus session data
+can be read and written by any IPA component by accessing
+``context.session``.
+
+When the RPC method finishes execution the session data bound to the
+request/method is retrieved from the context and written back to the
+memcached instance. The session ID is set in the response sent back to
+the client in the ``Set-Cookie`` header along with the flags
+controlling it's usage.
+
+Issues and details
+------------------
+
+IPA code cannot depend on session data being present, however it
+should always update session data with the hope it will be available
+in the future. Session data may not be available because:
+
+ * This is the first request from the user and no session data has
+ been created yet.
+
+ * The user may have cookies disabled.
+
+ * The session data may have been flushed. memcached operates with
+ a fixed memory allocation and will flush entries on a LRU basis,
+ like with any cache there is no guarantee of persistence.
+
+ Also we may have have deliberately expired or deleted session
+ data, see below.
+
+Cookie manipulation is done via the standard Python Cookie module.
+
+Session cookies will be set to only persist as long as the browser has
+the session open. They will be tagged so the browser only returns
+the session ID on SSL secured HTTP requests. They will not be visible
+to Javascript in the browser.
+
+Session ID's will be created by using 48 bits of random data and
+converted to 12 hexadecimal digits. Newly generated session ID's will
+be checked for prior existence to handle the unlikely case the random
+number repeats.
+
+memcached will have significantly higher performance than a SQL or file
+based storage solution. Communication is effectively though a pipe
+(UNIX socket) using a very simple protocol and the data is held
+entirely in process memory. memcached also scales easily, it is easy
+to add more memcached processes and distribute the load across them.
+At this point in time we don't anticipate the need for this.
+
+A very nice feature of the Python memcached module is that when a data
+item is written to the cache it is done with standard Python pickling
+(pickling is a standard Python mechanism to marshal and unmarshal
+Python objects). We adopt the convention the object written to cache
+will be a dict to meet our internal data handling conventions. The
+pickling code will recursively handle nested objects in the dict. Thus
+we gain a lot of flexibility using standard Python data structures to
+store and retrieve our session data without having to author and debug
+code to marshal and unmarshal the data if some other storage mechanism
+had been used. This is a significant implementation win. Of course
+some common sense limitations need to observed when deciding on what
+is written to the session cache keeping in mind the data is shared
+between processes and it should not be excessively large (a
+configurable option)
+
+We can set an expiration on memcached entries. We may elect to do that
+to force session data to be refreshed periodically. For example we may
+wish the client to present fresh credentials on a periodic basis even
+if the cached credentials are otherwise within their validity period.
+
+We can explicitly delete session data if for some reason we believe it
+is stale, invalid or compromised.
+
+memcached also gives us certain facilities to prevent race conditions
+between different processes utilizing the cache. For example you can
+check of the entry has been modified since you last read it or use CAS
+(Check And Set) semantics. What has to be protected in terms of cache
+coherency will likely have to be determined as the session support is
+utilized and different data items are added to the cache. This is very
+much data and context specific. Fortunately memcached operations are
+atomic.
+
+Controlling the memcached process
+---------------------------------
+
+We need a mechanism to start the memcached process and secure it so
+that only IPA components can access it.
+
+Although memcached ships with both an initscript and systemd unit
+files those are for generic instances. We want a memcached instance
+dedicated exclusively to IPA usage. To accomplish this we would install
+a systemd unit file or an SysV initscript to control the IPA specific
+memcached service. ipactl would be extended to know about this
+additional service. systemd's cgroup facility would give us additional
+mechanisms to integrate the IPA memcached service within a larger IPA
+process group.
+
+Protecting the memcached data would be done via file permissions (and
+optionally SELinux policy) on the UNIX domain socket. Although recent
+implementations of memcached support authentication via SASL this
+introduces a performance and complexity burden not warranted when
+cached is dedicated to our exclusive use and access controlled by OS
+mechanisms.
+
+Conventionally daemons are protected by assigning a system uid and/or
+gid to the daemon. A daemon launched by root will drop it's privileges
+by assuming the effective uid:gid assigned to it. File system access
+is controlled by the OS via the effective identity and SELinux policy
+can be crafted based on the identity. Thus the memcached UNIX socket
+would be protected by having it owned by a specific system user and/or
+membership in a restricted system group (discounting for the moment
+SELinux).
+
+Unfortunately we currently do not have an IPA system uid whose
+identity our processes operate under nor do we have an IPA system
+group. IPA does manage a collection of related processes (daemons) and
+historically each has been assigned their own uid. When these
+unrelated processes communicate they mutually authenticate via other
+mechanisms. We do not have much of a history of using shared file
+system objects across identities. When file objects are created they
+are typically assigned the identity of daemon needing to access the
+object and are not accessed by other daemons, or they carry root
+identity.
+
+When our WSGI application runs in Apache it is run as a WSGI
+daemon. This means when Apache starts up it forks off WSGI processes
+for us and we are independent of other Apache processes. When WSGI is
+run in this mode there is the ability to set the uid:gid of the WSGI
+process hosting us, however we currently do not take advantage of this
+option. WSGI can be run in other modes as well, only in daemon mode
+can the uid:gid be independently set from the rest of Apache. All
+processes started by Apache can be set to a common uid:gid specified
+in the global Apache configuration, by default it's
+apache:apache. Thus when our IPA code executes it is running as
+apache:apache.
+
+To protect our memcached UNIX socket we can do one of two things:
+
+1. Assign it's uid:gid as apache:apache. This would limit access to
+ our cache only to processes running under httpd. It's somewhat
+ restricted but far from ideal. Any code running in the web server
+ could potentially access our cache. It's difficult to control what the
+ web server runs and admins may not understand the consequences of
+ configuring httpd to serve other things besides IPA.
+
+2. Create an IPA specific uid:gid, for example ipa:ipa. We then configure
+ our WSGI application to run as the ipa:ipa user and group. We also
+ configure our memcached instance to run as the ipa:ipa user and
+ group. In this configuration we are now fully protected, only our WSGI
+ code can read & write to our memcached UNIX socket.
+
+However there may be unforeseen issues by converting our code to run as
+something other than apache:apache. This would require some
+investigation and testing.
+
+IPA is dependent on other system daemons, specifically Directory
+Server (ds) and Certificate Server (cs). Currently we configure ds to
+run under the dirsrv:dirsrv user and group, an identity of our
+creation. We allow cs to default to it's pkiuser:pkiuser user and
+group. Should these other cooperating daemons also run under the
+common ipa:ipa user and group identities? At first blush there would
+seem to be an advantage to coalescing all process identities under a
+common IPA user and group identity. However these other processes do
+not depend on user and group permissions when working with external
+agents, processes, etc. Rather they are designed to be stand-alone
+network services which authenticate their clients via other
+mechanisms. They do depend on user and group permission to manage
+their own file system objects. If somehow the ipa user and/or group
+were compromised or malicious code somehow executed under the ipa
+identity there would be an advantage in having the cooperating
+processes cordoned off under their own identities providing one extra
+layer of protection. (Note, these cooperating daemons may not even be
+co-located on the same node in which case the issue is moot)
+
+The UNIX socket behavior (ldapi) with Directory Server is as follows:
+
+ * The socket ownership is: root:root
+
+ * The socket permissions are: 0666
+
+ * When connecting via ldapi you must authenticate as you would
+ normally with a TCP socket, except ...
+
+ * If autobind is enabled and the uid:gid is available via
+ SO_PEERCRED and the uid:gid can be found in the set of users known
+ to the Directory Server then that connection will be bound as that
+ user.
+
+ * Otherwise an anonymous bind will occur.
+
+memcached UNIX socket behavior is as follows:
+
+ * memcached can be invoked with a user argument, no group may be
+ specified. The effective uid is the uid of the user argument and
+ the effective gid is the primary group of the user, let's call
+ this euid:egid
+
+ * The socket ownership is: euid:egid
+
+ * The socket permissions are 0700 by default, but this can be
+ modified by the -a mask command line arg which sets the umask
+ (defaults to 0700).
+
+Overview of authentication in IPA
+=================================
+
+This describes how we currently authenticate and how we plan to
+improve authentication performance. First some definitions.
+
+There are 4 major players:
+
+ 1. client
+ 2. mod_auth_kerb (in Apache process)
+ 3. wsgi handler (in IPA wsgi python process)
+ 4. ds (directory server)
+
+There are several resources:
+
+ 1. /ipa/ui (unprotected, web UI static resources)
+ 2. /ipa/xml (protected, xmlrpc RPC used by command line clients)
+ 3. /ipa/json (protected, json RPC used by javascript in web UI)
+ 4. ds (protected, wsgi acts as proxy, our LDAP server)
+
+Current Model
+-------------
+
+This describes how things work in our current system for the web UI.
+
+ 1. Client requests /ipa/ui, this is unprotected, is static and
+ contains no sensitive information. Apache replies with html and
+ javascript. The javascript requests /ipa/json.
+
+ 2. Client sends post to /ipa/json.
+
+ 3. mod_auth_kerb is configured to protect /ipa/json, replies 401
+ authenticate negotiate.
+
+ 4. Client resends with credentials
+
+ 5. mod_auth_kerb validates credentials
+
+ a. if invalid replies 403 access denied (stops here)
+
+ b. if valid creates temporary ccache, adds KRB5CCNAME to request
+ headers
+
+ 6. Request passed to wsgi handler
+
+ a. validates request, KRB5CCNAME must be present, referrer, etc.
+
+ b. ccache saved and used to bind to ds
+
+ c. routes to specified RPC handler.
+
+ 7. wsgi handler replies to client
+
+Proposed new session based optimization
+---------------------------------------
+
+The round trip negotiate and credential validation in steps 3,4,5 is
+expensive. This can be avoided if we can cache the client
+credentials. With client sessions we can store the client credentials
+in the session bound to the client.
+
+A few notes about the session implementation.
+
+ * based on session cookies, cookies must be enabled
+
+ * session cookie is secure, only passed on secure connections, only
+ passed to our URL resource, never visible to client javascript
+ etc.
+
+ * session cookie has a session id which is used by wsgi handler to
+ retrieve client session data from shared multi-process cache.
+
+Changes to Apache's resource protection
+---------------------------------------
+
+ * /ipa/json is no longer protected by mod_auth_kerb. This is
+ necessary to avoid the negotiate expense in steps 3,4,5
+ above. Instead the /ipa/json resource will be protected in our wsgi
+ handler via the session cookie.
+
+ * A new protected URI is introduced, /ipa/login. This resource
+ does no serve any data, it is used exclusively for authentication.
+
+The new sequence is:
+
+ 1. Client requests /ipa/ui, this is unprotected. Apache replies with
+ html and javascript. The javascript requests /ipa/json.
+
+ 2. Client sends post to /ipa/json, which is unprotected.
+
+ 3. wsgi handler obtains session data from session cookie.
+
+ a. if ccache is present in session data and is valid
+
+ - request is further validated
+
+ - ccache is established for bind to ds
+
+ - request is routed to RPC handler
+
+ - wsgi handler eventually replies to client
+
+ b. if ccache is not present or not valid processing continues ...
+
+ 4. wsgi handler replies with 401 Unauthorized
+
+ 5. client sends request to /ipa/login to obtain session credentials
+
+ 6. mod_auth_kerb replies 401 negotiate on /ipa/login
+
+ 7. client sends credentials to /ipa/login
+
+ 8. mod_auth_kerb validates credentials
+
+ a. if valid
+
+ - mod_auth_kerb permits access to /ipa/login. wsgi handler is
+ invoked and does the following:
+
+ * establishes session for client
+
+ * retrieves the ccache from KRB5CCNAME and stores it
+
+ a. if invalid
+
+ - mod_auth_kerb sends 403 access denied (processing stops)
+
+ 9. client now posts the same data again to /ipa/json including
+ session cookie. Processing repeats starting at step 2 and since
+ the session data now contains a valid ccache step 3a executes, a
+ successful reply is sent to client.
+
+Command line client using xmlrpc
+--------------------------------
+
+The above describes the web UI utilizing the json RPC mechanism. The
+IPA command line tools utilize a xmlrpc RPC mechanism on the same
+HTTP server. Access to the xmlrpc is via the /ipa/xml URI. The json
+and xmlrpc API's are the same, they differ only on how their procedure
+calls are marshalled and unmarshalled.
+
+Under the new scheme /ipa/xml will continue to be Kerberos protected
+at all times. Apache's mod_auth_kerb will continue to require the
+client provides valid Kerberos credentials.
+
+When the WSGI handler routes to /ipa/xml the Kerberos credentials will
+be extracted from the KRB5CCNAME environment variable as provided by
+mod_auth_kerb. Everything else remains the same.
+""")
+
+register = Registry()
+
+
+@register()
+class session_logout(Command):
+ __doc__ = _("RPC command used to log the current user out of their session.")
+
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
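Review bot: The module docstring says session IDs are built from 48 bits of random data (the paragraph starting "Session ID's will be created by using 48 bits of random data"), which is small for a bearer token that, per the same text, unlocks a cached Kerberos ccache. OWASP's session guidance asks for at least 64 bits of entropy, and 128 bits from a CSPRNG is the usual choice. The docstring also says session data is written to memcached with Python pickling, so anything able to write to the memcached UNIX socket controls what the WSGI process unpickles; that makes the dedicated `ipa:ipa` identity (option 2) the safer of the two socket-ownership options listed. Whether the server still works this way is not visible in this hunk, which only declares `session_logout`, so if the text stays in a client-side stub I would shorten it to something like `__doc__ = _("Session support for IPA; see the server documentation for the design.")` or mark the design notes as historical. The second `a. if invalid` under step 8 should read `b. if invalid`.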
diff --git a/ipaclient/remote_plugins/2_49/sudocmd.py b/ipaclient/remote_plugins/2_49/sudocmd.py
new file mode 100644
index 000000000..5df9f792d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/sudocmd.py
@@ -0,0 +1,371 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Sudo Commands
+
+Commands used as building blocks for sudo
+
+EXAMPLES:
+
+ Create a new command
+ ipa sudocmd-add --desc='For reading log files' /usr/bin/less
+
+ Remove a command
+ ipa sudocmd-del /usr/bin/less
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmd(Object):
+ takes_params = (
+ parameters.Str(
+ 'sudocmd',
+ primary_key=True,
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'memberof_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ )
+
+
+@register()
+class sudocmd_add(Method):
+ __doc__ = _("Create new Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_del(Method):
+ __doc__ = _("Delete Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ multivalue=True,
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_find(Method):
+ __doc__ = _("Search for Sudo Commands.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("command")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudocmd_mod(Method):
+ __doc__ = _("Modify Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_show(Method):
+ __doc__ = _("Display Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/sudocmdgroup.py b/ipaclient/remote_plugins/2_49/sudocmdgroup.py
new file mode 100644
index 000000000..4bad860c6
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/sudocmdgroup.py
@@ -0,0 +1,501 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of Sudo Commands
+
+Manage groups of Sudo Commands.
+
+EXAMPLES:
+
+ Add a new Sudo Command Group:
+ ipa sudocmdgroup-add --desc='administrators commands' admincmds
+
+ Remove a Sudo Command Group:
+ ipa sudocmdgroup-del admincmds
+
+ Manage Sudo Command Group membership, commands:
+ ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less,/usr/bin/vim admincmds
+
+ Manage Sudo Command Group membership, commands:
+ ipa group-remove-member --sudocmds=/usr/bin/less admincmds
+
+ Show a Sudo Command Group:
+ ipa group-show localadmins
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmdgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Sudo Command Group'),
+ ),
+ parameters.Str(
+ 'description',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'membercmd_sudocmd',
+ required=False,
+ label=_(u'Commands'),
+ ),
+ parameters.Str(
+ 'membercmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ parameters.Str(
+ 'member_sudocmd',
+ required=False,
+ label=_(u'Member Sudo commands'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_add(Method):
+ __doc__ = _("Create new Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_add_member(Method):
+ __doc__ = _("Add members to Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'comma-separated list of sudo commands to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_del(Method):
+ __doc__ = _("Delete Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_find(Method):
+ __doc__ = _("Search for Sudo Command Groups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("sudocmdgroup-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_mod(Method):
+ __doc__ = _("Modify Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_remove_member(Method):
+ __doc__ = _("Remove members from Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'comma-separated list of sudo commands to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_show(Method):
+ __doc__ = _("Display Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
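Review bot: The EXAMPLES block of the module docstring names the wrong commands: the removal example is `ipa group-remove-member --sudocmds=/usr/bin/less admincmds` and the show example is `ipa group-show localadmins`. The methods this file registers are `sudocmdgroup_remove_member` and `sudocmdgroup_show`. An administrator following the help text to take a command out of a sudo command group is pointed at the user-group commands, so the command would presumably stay in the group. The examples should read `ipa sudocmdgroup-remove-member --sudocmds=/usr/bin/less admincmds` and `ipa sudocmdgroup-show admincmds`, and the second "Manage Sudo Command Group membership, commands:" heading should say it shows removal. If this file is generated from server plugin metadata, as its location under remote_plugins suggests, the correction belongs in the source docstring.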
diff --git a/ipaclient/remote_plugins/2_49/sudorule.py b/ipaclient/remote_plugins/2_49/sudorule.py
new file mode 100644
index 000000000..3d01ecdf2
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/sudorule.py
@@ -0,0 +1,1561 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Sudo Rules
+
+Sudo (su "do") allows a system administrator to delegate authority to
+give certain users (or groups of users) the ability to run some (or all)
+commands as root or another user while providing an audit trail of the
+commands and their arguments.
+
+FreeIPA provides a means to configure the various aspects of Sudo:
+ Users: The user(s)/group(s) allowed to invoke Sudo.
+ Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo.
+ Allow Command: The specific command(s) permitted to be run via Sudo.
+ Deny Command: The specific command(s) prohibited to be run via Sudo.
+ RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with.
+ RunAsGroup: The group(s) whose gid rights Sudo will be invoked with.
+ Options: The various Sudoers Options that can modify Sudo's behavior.
+
+An order can be added to a sudorule to control the order in which they
+are evaluated (if the client supports it). This order is an integer and
+must be unique.
+
+FreeIPA provides a designated binddn to use with Sudo located at:
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+To enable the binddn run the following command to set the password:
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+For more information, see the FreeIPA Documentation to Sudo.
+""")
+
+register = Registry()
+
+
+@register()
+class sudorule(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ ),
+ parameters.Str(
+ 'memberuser_user',
+ required=False,
+ label=_(u'Users'),
+ ),
+ parameters.Str(
+ 'memberuser_group',
+ required=False,
+ label=_(u'User Groups'),
+ ),
+ parameters.Str(
+ 'memberhost_host',
+ required=False,
+ label=_(u'Hosts'),
+ ),
+ parameters.Str(
+ 'memberhost_hostgroup',
+ required=False,
+ label=_(u'Host Groups'),
+ ),
+ parameters.Str(
+ 'memberallowcmd_sudocmd',
+ required=False,
+ label=_(u'Sudo Allow Commands'),
+ ),
+ parameters.Str(
+ 'memberdenycmd_sudocmd',
+ required=False,
+ label=_(u'Sudo Deny Commands'),
+ ),
+ parameters.Str(
+ 'memberallowcmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Allow Command Groups'),
+ ),
+ parameters.Str(
+ 'memberdenycmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Deny Command Groups'),
+ ),
+ parameters.Str(
+ 'ipasudorunas_user',
+ required=False,
+ label=_(u'RunAs Users'),
+ doc=_(u'Run as a user'),
+ ),
+ parameters.Str(
+ 'ipasudorunas_group',
+ required=False,
+ label=_(u'Groups of RunAs Users'),
+ doc=_(u'Run as any user within a specified group'),
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudoopt',
+ required=False,
+ label=_(u'Sudo Option'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroup_group',
+ required=False,
+ label=_(u'RunAs Groups'),
+ doc=_(u'Run with the gid of a specified POSIX group'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ ),
+ )
+
+
+@register()
+class sudorule_add(Method):
+ __doc__ = _("Create new Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_add_allow_command(Method):
+ __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'comma-separated list of sudo commands to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'comma-separated list of sudo command groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_deny_command(Method):
+ __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'comma-separated list of sudo commands to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'comma-separated list of sudo command groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_host(Method):
+ __doc__ = _("Add hosts and hostgroups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_option(Method):
+ __doc__ = _("Add an option to the Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipasudoopt',
+ cli_name='sudooption',
+ label=_(u'Sudo Option'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sudorule_add_runasgroup(Method):
+ __doc__ = _("Add group for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_runasuser(Method):
+ __doc__ = _("Add users and groups for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_add_user(Method):
+ __doc__ = _("Add users and groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudorule_del(Method):
+ __doc__ = _("Delete Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_disable(Method):
+ __doc__ = _("Disable a Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sudorule_enable(Method):
+ __doc__ = _("Enable a Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sudorule_find(Method):
+ __doc__ = _("Search for Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("sudorule-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudorule_mod(Method):
+ __doc__ = _("Modify Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ ),
+ parameters.Bool(
+ 'ipaenabledflag',
+ required=False,
+ label=_(u'Enabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'usercategory',
+ required=False,
+ cli_name='usercat',
+ cli_metavar="['all']",
+ label=_(u'User category'),
+ doc=_(u'User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'hostcategory',
+ required=False,
+ cli_name='hostcat',
+ cli_metavar="['all']",
+ label=_(u'Host category'),
+ doc=_(u'Host category the rule applies to'),
+ ),
+ parameters.Str(
+ 'cmdcategory',
+ required=False,
+ cli_name='cmdcat',
+ cli_metavar="['all']",
+ label=_(u'Command category'),
+ doc=_(u'Command category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasusercategory',
+ required=False,
+ cli_name='runasusercat',
+ cli_metavar="['all']",
+ label=_(u'RunAs User category'),
+ doc=_(u'RunAs User category the rule applies to'),
+ ),
+ parameters.Str(
+ 'ipasudorunasgroupcategory',
+ required=False,
+ cli_name='runasgroupcat',
+ cli_metavar="['all']",
+ label=_(u'RunAs Group category'),
+ doc=_(u'RunAs Group category the rule applies to'),
+ ),
+ parameters.Int(
+ 'sudoorder',
+ required=False,
+ cli_name='order',
+ label=_(u'Sudo order'),
+ doc=_(u'integer to order the Sudo rules'),
+ default=0,
+ ),
+ parameters.Str(
+ 'externaluser',
+ required=False,
+ label=_(u'External User'),
+ doc=_(u'External User the rule applies to (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextuser',
+ required=False,
+ cli_name='runasexternaluser',
+ label=_(u'RunAs External User'),
+ doc=_(u'External User the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'ipasudorunasextgroup',
+ required=False,
+ cli_name='runasexternalgroup',
+ label=_(u'RunAs External Group'),
+ doc=_(u'External Group the commands can run as (sudorule-find only)'),
+ ),
+ parameters.Str(
+ 'externalhost',
+ required=False,
+ multivalue=True,
+ label=_(u'External host'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_allow_command(Method):
+ __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'comma-separated list of sudo commands to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'comma-separated list of sudo command groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_deny_command(Method):
+ __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'comma-separated list of sudo commands to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'sudocmdgroup',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmdgroups',
+ label=_(u'member sudo command group'),
+ doc=_(u'comma-separated list of sudo command groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_host(Method):
+ __doc__ = _("Remove hosts and hostgroups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'comma-separated list of hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'comma-separated list of host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_option(Method):
+ __doc__ = _("Remove an option from Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipasudoopt',
+ cli_name='sudooption',
+ label=_(u'Sudo Option'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
+
+
+@register()
+class sudorule_remove_runasgroup(Method):
+ __doc__ = _("Remove group for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_runasuser(Method):
+ __doc__ = _("Remove users and groups for Sudo to execute as.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_remove_user(Method):
+ __doc__ = _("Remove users and groups affected by Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'comma-separated list of users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'comma-separated list of groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudorule_show(Method):
+ __doc__ = _("Display Sudo Rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudorule_name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/trust.py b/ipaclient/remote_plugins/2_49/trust.py
new file mode 100644
index 000000000..e3ef33459
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/trust.py
@@ -0,0 +1,685 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Cross-realm trusts
+
+Manage trust relationship between IPA and Active Directory domains.
+
+In order to allow users from a remote domain to access resources in IPA
+domain, trust relationship needs to be established. Currently IPA supports
+only trusts between IPA and Active Directory domains under control of Windows
+Server 2008 or later, with functional level 2008 or later.
+
+Please note that DNS on both IPA and Active Directory domain sides should be
+configured properly to discover each other. Trust relationship relies on
+ability to discover special resources in the other domain via DNS records.
+
+Examples:
+
+1. Establish cross-realm trust with Active Directory using AD administrator
+ credentials:
+
+ ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password
+
+2. List all existing trust relationships:
+
+ ipa trust-find
+
+3. Show details of the specific trust relationship:
+
+ ipa trust-show <ad.domain>
+
+4. Delete existing trust relationship:
+
+ ipa trust-del <ad.domain>
+
+Once trust relationship is established, remote users will need to be mapped
+to local POSIX groups in order to actually use IPA resources. The mapping should
+be done via use of external membership of non-POSIX group and then this group
+should be included into one of local POSIX groups.
+
+Example:
+
+1. Create group for the trusted domain admins' mapping and their local POSIX group:
+
+ ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
+ ipa group-add --desc='<ad.domain> admins' ad_admins
+
+2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
+ group:
+
+ ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
+
+3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+
+ ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their SIDs:
+
+ ipa group-show ad_admins_external
+
+
+GLOBAL TRUST CONFIGURATION
+
+When IPA AD trust subpackage is installed and ipa-adtrust-install is run,
+a local domain configuration (SID, GUID, NetBIOS name) is generated. These
+identifiers are then used when communicating with a trusted domain of the
+particular type.
+
+1. Show global trust configuration for Active Directory type of trusts:
+
+ ipa trustconfig-show --type ad
+
+2. Modify global configuration for all trusts of Active Directory type and set
+ a different fallback primary group (fallback primary group GID is used as
+ a primary user GID if user authenticating to IPA domain does not have any other
+ primary GID already set):
+
+ ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group"
+
+3. Change primary fallback group back to default hidden group (any group with
+ posixGroup object class is allowed):
+
+ ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group"
+""")
+
+register = Registry()
+
+
+@register()
+class trust(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ label=_(u'SID blacklist outgoing'),
+ ),
+ )
+
+
+@register()
+class trustconfig(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ label=_(u'Domain'),
+ ),
+ parameters.Str(
+ 'ipantsecurityidentifier',
+ label=_(u'Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ label=_(u'NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipantdomainguid',
+ label=_(u'Domain GUID'),
+ ),
+ parameters.Str(
+ 'ipantfallbackprimarygroup',
+ label=_(u'Fallback primary group'),
+ ),
+ )
+
+
+@register()
+class trust_add(Method):
+ __doc__ = _("""
+Add new trust to use.
+
+This command establishes trust relationship to another domain
+which becomes 'trusted'. As result, users of the trusted domain
+may access resources of this domain.
+
+Only trusts to Active Directory domains are supported right now.
+
+The command can be safely run multiple times against the same domain,
+this will cause change to trust relationship credentials on both
+sides.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Str(
+ 'realm_admin',
+ required=False,
+ cli_name='admin',
+ label=_(u'Active Directory domain administrator'),
+ ),
+ parameters.Password(
+ 'realm_passwd',
+ required=False,
+ cli_name='password',
+ label=_(u"Active directory domain administrator's password"),
+ ),
+ parameters.Str(
+ 'realm_server',
+ required=False,
+ cli_name='server',
+ label=_(u'Domain controller for the Active Directory domain (optional)'),
+ ),
+ parameters.Password(
+ 'trust_secret',
+ required=False,
+ label=_(u'Shared secret for the trust'),
+ ),
+ parameters.Int(
+ 'base_id',
+ required=False,
+ label=_(u'First Posix ID of the range reserved for the trusted domain'),
+ ),
+ parameters.Int(
+ 'range_size',
+ required=False,
+ label=_(u'Size of the ID range reserved for the trusted domain'),
+ default=200000,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trust_del(Method):
+ __doc__ = _("Delete a trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trust_find(Method):
+ __doc__ = _("Search for trusts.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ parameters.Str(
+ 'ipantflatname',
+ required=False,
+ cli_name='flat_name',
+ label=_(u'Domain NetBIOS name'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='sid',
+ label=_(u'Domain Security Identifier'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_incoming',
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_outgoing',
+ label=_(u'SID blacklist outgoing'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("realm")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class trust_mod(Method):
+ __doc__ = _("""
+Modify a trust (for future use).
+
+ Currently only the default option to modify the LDAP attributes is
+ available. More specific options will be added in coming releases.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'ipantsidblacklistincoming',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_incoming',
+ label=_(u'SID blacklist incoming'),
+ ),
+ parameters.Str(
+ 'ipantsidblacklistoutgoing',
+ required=False,
+ multivalue=True,
+ cli_name='sid_blacklist_outgoing',
+ label=_(u'SID blacklist outgoing'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trust_show(Method):
+ __doc__ = _("Display information about a trust.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='realm',
+ label=_(u'Realm name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustconfig_mod(Method):
+ __doc__ = _("Modify global trust configuration.")
+
+ takes_options = (
+ parameters.Str(
+ 'ipantfallbackprimarygroup',
+ required=False,
+ cli_name='fallback_primary_group',
+ label=_(u'Fallback primary group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class trustconfig_show(Method):
+ __doc__ = _("Show global trust configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
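Review bot: The module docstring's example `ipa group-add-member ad_admins_external --external 'AD\Domain Admins'` sits in a non-raw triple-quoted string, so `\D` is an invalid escape sequence. The value keeps the backslash, but Python 3.6+ emits a DeprecationWarning for it (a SyntaxWarning from 3.12), and this file explicitly supports Python 3 through its `six.PY3` branch. Writing the line as `ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'` yields the same runtime string, so the translatable message passed to `_()` does not change. If this module is generated from the server-side plugin, which the uniform layout suggests but the page does not state, the same fix belongs in the docstring it is generated from.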
diff --git a/ipaclient/remote_plugins/2_49/user.py b/ipaclient/remote_plugins/2_49/user.py
new file mode 100644
index 000000000..e5d7713bc
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/user.py
@@ -0,0 +1,1372 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Users
+
+Manage user entries. All users are POSIX users.
+
+IPA supports a wide range of username formats, but you need to be aware of any
+restrictions that may apply to your particular environment. For example,
+usernames that start with a digit or usernames that exceed a certain length
+may cause problems for some UNIX systems.
+Use 'ipa config-mod' to change the username format allowed by IPA tools.
+
+Disabling a user account prevents that user from obtaining new Kerberos
+credentials. It does not invalidate any credentials that have already
+been issued.
+
+Password management is not a part of this module. For more information
+about this topic please see: ipa help passwd
+
+Account lockout on password failure happens per IPA master. The user-status
+command can be used to identify which master the user is locked out on.
+It is on that master the administrator must unlock the user.
+
+EXAMPLES:
+
+ Add a new user:
+ ipa user-add --first=Tim --last=User --password tuser1
+
+ Find all users whose entries include the string "Tim":
+ ipa user-find Tim
+
+ Find all users with "Tim" as the first name:
+ ipa user-find --first=Tim
+
+ Disable a user account:
+ ipa user-disable tuser1
+
+ Enable a user account:
+ ipa user-enable tuser1
+
+ Delete a user:
+ ipa user-del tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class user(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ primary_key=True,
+ label=_(u'User login'),
+ ),
+ parameters.Str(
+ 'givenname',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS field'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ label=_(u'Kerberos principal'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ ),
+ parameters.Str(
+ 'randompassword',
+ required=False,
+ label=_(u'Random password'),
+ ),
+ parameters.Int(
+ 'uidnumber',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ ),
+ parameters.Int(
+ 'gidnumber',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ label=_(u'Car License'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ label=_(u'SSH public key'),
+ ),
+ parameters.Flag(
+ 'has_password',
+ label=_(u'Password'),
+ ),
+ parameters.Str(
+ 'memberof_group',
+ required=False,
+ label=_(u'Member of groups'),
+ ),
+ parameters.Str(
+ 'memberof_role',
+ required=False,
+ label=_(u'Roles'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_group',
+ required=False,
+ label=_(u'Indirect Member of group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_netgroup',
+ required=False,
+ label=_(u'Indirect Member of netgroup'),
+ ),
+ parameters.Str(
+ 'memberofindirect_role',
+ required=False,
+ label=_(u'Indirect Member of role'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ parameters.Flag(
+ 'has_keytab',
+ label=_(u'Kerberos keys available'),
+ ),
+ )
+
+
+@register()
+class user_add(Method):
+ __doc__ = _("Add a new user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS field'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ autofill=True,
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'),
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ default=999,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ default=999,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ label=_(u'Car License'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'noprivate',
+ doc=_(u"Don't create user private group"),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_del(Method):
+ __doc__ = _("Delete a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ multivalue=True,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_disable(Method):
+ __doc__ = _("Disable a user account.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_enable(Method):
+ __doc__ = _("Enable a user account.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_find(Method):
+ __doc__ = _("Search for users.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS field'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'krbprincipalname',
+ required=False,
+ cli_name='principal',
+ label=_(u'Kerberos principal'),
+ default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ default=999,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ default=999,
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ label=_(u'Car License'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'whoami',
+ label=_(u'Self'),
+ doc=_(u'Display user record for current Kerberos principal'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("login")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'in_group',
+ required=False,
+ multivalue=True,
+ cli_name='in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for users with these member of groups.'),
+ ),
+ parameters.Str(
+ 'not_in_group',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_groups',
+ label=_(u'group'),
+ doc=_(u'Search for users without these member of groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for users with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for users without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_role',
+ required=False,
+ multivalue=True,
+ cli_name='in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for users with these member of roles.'),
+ ),
+ parameters.Str(
+ 'not_in_role',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_roles',
+ label=_(u'role'),
+ doc=_(u'Search for users without these member of roles.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for users with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for users without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for users with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for users without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class user_mod(Method):
+ __doc__ = _("Modify a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'givenname',
+ required=False,
+ cli_name='first',
+ label=_(u'First name'),
+ ),
+ parameters.Str(
+ 'sn',
+ required=False,
+ cli_name='last',
+ label=_(u'Last name'),
+ ),
+ parameters.Str(
+ 'cn',
+ required=False,
+ label=_(u'Full name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'displayname',
+ required=False,
+ label=_(u'Display name'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'initials',
+ required=False,
+ label=_(u'Initials'),
+ default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'),
+ ),
+ parameters.Str(
+ 'homedirectory',
+ required=False,
+ cli_name='homedir',
+ label=_(u'Home directory'),
+ ),
+ parameters.Str(
+ 'gecos',
+ required=False,
+ label=_(u'GECOS field'),
+ default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'),
+ ),
+ parameters.Str(
+ 'loginshell',
+ required=False,
+ cli_name='shell',
+ label=_(u'Login shell'),
+ ),
+ parameters.Str(
+ 'mail',
+ required=False,
+ multivalue=True,
+ cli_name='email',
+ label=_(u'Email address'),
+ ),
+ parameters.Password(
+ 'userpassword',
+ required=False,
+ cli_name='password',
+ label=_(u'Password'),
+ doc=_(u'Prompt to set the user password'),
+ exclude=('webui',),
+ confirm=True,
+ ),
+ parameters.Flag(
+ 'random',
+ required=False,
+ doc=_(u'Generate a random user password'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'uidnumber',
+ required=False,
+ cli_name='uid',
+ label=_(u'UID'),
+ doc=_(u'User ID Number (system will assign one if not provided)'),
+ default=999,
+ ),
+ parameters.Int(
+ 'gidnumber',
+ required=False,
+ label=_(u'GID'),
+ doc=_(u'Group ID Number'),
+ default=999,
+ ),
+ parameters.Str(
+ 'street',
+ required=False,
+ label=_(u'Street address'),
+ ),
+ parameters.Str(
+ 'l',
+ required=False,
+ cli_name='city',
+ label=_(u'City'),
+ ),
+ parameters.Str(
+ 'st',
+ required=False,
+ cli_name='state',
+ label=_(u'State/Province'),
+ ),
+ parameters.Str(
+ 'postalcode',
+ required=False,
+ label=_(u'ZIP'),
+ ),
+ parameters.Str(
+ 'telephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='phone',
+ label=_(u'Telephone Number'),
+ ),
+ parameters.Str(
+ 'mobile',
+ required=False,
+ multivalue=True,
+ label=_(u'Mobile Telephone Number'),
+ ),
+ parameters.Str(
+ 'pager',
+ required=False,
+ multivalue=True,
+ label=_(u'Pager Number'),
+ ),
+ parameters.Str(
+ 'facsimiletelephonenumber',
+ required=False,
+ multivalue=True,
+ cli_name='fax',
+ label=_(u'Fax Number'),
+ ),
+ parameters.Str(
+ 'ou',
+ required=False,
+ cli_name='orgunit',
+ label=_(u'Org. Unit'),
+ ),
+ parameters.Str(
+ 'title',
+ required=False,
+ label=_(u'Job Title'),
+ ),
+ parameters.Str(
+ 'manager',
+ required=False,
+ label=_(u'Manager'),
+ ),
+ parameters.Str(
+ 'carlicense',
+ required=False,
+ label=_(u'Car License'),
+ ),
+ parameters.Bool(
+ 'nsaccountlock',
+ required=False,
+ label=_(u'Account disabled'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipasshpubkey',
+ required=False,
+ multivalue=True,
+ cli_name='sshpubkey',
+ label=_(u'SSH public key'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the user object'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_show(Method):
+ __doc__ = _("Display information about a user.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class user_status(Method):
+ __doc__ = _("""
+Lockout status of a user account
+
+ An account may become locked if the password is entered incorrectly too
+ many times within a specific time period as controlled by password
+ policy. A locked account is a temporary condition and may be unlocked by
+ an administrator.
+
+ This connects to each IPA master and displays the lockout status on
+ each one.
+
+ To determine whether an account is locked on a given server you need
+ to compare the number of failed logins and the time of the last failure.
+ For an account to be locked it must exceed the maxfail failures within
+ the failinterval duration as specified in the password policy associated
+ with the user.
+
+ The failed login counter is modified only when a user attempts a log in
+ so it is possible that an account may appear locked but the last failed
+ login attempt is older than the lockouttime of the password policy. This
+ means that the user may attempt a login again.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class user_unlock(Method):
+ __doc__ = _("""
+Unlock a user account
+
+ An account may become locked if the password is entered incorrectly too
+ many times within a specific time period as controlled by password
+ policy. A locked account is a temporary condition and may be unlocked by
+ an administrator.
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ cli_name='login',
+ label=_(u'User login'),
+ default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'),
+ no_convert=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/__init__.py b/ipaclient/remote_plugins/__init__.py
index 93636fcb5..6454a4f4e 100644
--- a/ipaclient/remote_plugins/__init__.py
+++ b/ipaclient/remote_plugins/__init__.py
@@ -2,13 +2,23 @@
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
+from . import compat
from . import schema
+from ipaclient.plugins.rpcclient import rpcclient
def get_package(api):
if api.env.in_tree:
from ipaserver import plugins
else:
- plugins = schema.get_package(api)
+ client = rpcclient(api)
+ client.finalize()
+ try:
+ plugins = schema.get_package(api, client)
+ except schema.NotAvailable:
+ plugins = compat.get_package(api, client)
+ finally:
+ if client.isconnected():
+ client.disconnect()
return plugins
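Review bot: `get_package` now has three sources for the plugin package and a connection it owns, but nothing in the function documents the order or the lifetime. Only `schema.NotAvailable` selects the bundled compat definitions; any other error from `schema.get_package(api, client)` propagates after the `finally` block has disconnected the client. A docstring along the lines of `"""Return the plugin package: ipaserver plugins in-tree, otherwise the server schema, otherwise the bundled compat package if the schema is not available."""` would make that explicit. A one-line comment above `client = rpcclient(api)` should also say that the same client is shared by both lookups and is closed here, not by the callee.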
diff --git a/ipaclient/remote_plugins/compat.py b/ipaclient/remote_plugins/compat.py
new file mode 100644
index 000000000..40521af45
--- /dev/null
+++ b/ipaclient/remote_plugins/compat.py
@@ -0,0 +1,76 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+from distutils.version import LooseVersion
+import importlib
+import os
+import re
+import sys
+
+import six
+
+from ipaclient.frontend import ClientCommand, ClientMethod
+from ipalib.frontend import Object
+
+if six.PY3:
+ unicode = str
+
+
+class CompatCommand(ClientCommand):
+ @property
+ def forwarded_name(self):
+ return self.name
+
+
+class CompatMethod(ClientMethod, CompatCommand):
+ pass
+
+
+class CompatObject(Object):
+ pass
+
+
+def get_package(api, client):
+ if not client.isconnected():
+ client.connect(verbose=False)
+
+ env = client.forward(u'env', u'api_version', version=u'2.0')
+ try:
+ server_version = env['result']['api_version']
+ except KeyError:
+ ping = client.forward(u'ping', u'api_version', version=u'2.0')
+ try:
+ match = re.search(u'API version (2\.[0-9]+)', ping['summary'])
+ except KeyError:
+ match = None
+ if match is not None:
+ server_version = match.group(1)
+ else:
+ server_version = u'2.0'
+ server_version = LooseVersion(server_version)
+
+ package_names = {}
+ base_name = __name__.rpartition('.')[0]
+ base_dir = os.path.dirname(__file__)
+ for name in os.listdir(base_dir):
+ package_dir = os.path.join(base_dir, name)
+ if name.startswith('2_') and os.path.isdir(package_dir):
+ package_version = name.replace('_', '.')
+ package_names[package_version] = '{}.{}'.format(base_name, name)
+
+ package_version = None
+ for version in sorted(package_names, key=LooseVersion):
+ if (package_version is None or
+ LooseVersion(package_version) < LooseVersion(version)):
+ package_version = version
+ if LooseVersion(version) >= server_version:
+ break
+
+ package_name = package_names[package_version]
+ try:
+ package = sys.modules[package_name]
+ except KeyError:
+ package = importlib.import_module(package_name)
+
+ return package
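Review bot: In `get_package`, the `api_version` value taken from the `env` reply goes into `LooseVersion` with no format check, whereas the `ping` fallback only accepts `2\.[0-9]+`. A reply with an unexpected string there can make the later `LooseVersion(version) >= server_version` comparison raise `TypeError` on Python 3 (mixed str/int components) rather than fall back to `2.0`. Checking both paths the same way, e.g. `if not re.match(r'2\.[0-9]+$', server_version): server_version = u'2.0'` just before `server_version = LooseVersion(server_version)`, keeps the choice of bundled package independent of malformed server input. The search pattern should also be a raw string, `r'API version (2\.[0-9]+)'`, because `\.` in a plain literal is an invalid escape. Two smaller points: the `ping` call passes the positional `u'api_version'` that appears to be copied from the `env` call, and `package_names[package_version]` raises `KeyError` if no `2_*` directory is found.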
diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py
index da917a984..8ce26e608 100644
--- a/ipaclient/remote_plugins/schema.py
+++ b/ipaclient/remote_plugins/schema.py
@@ -16,12 +16,11 @@ import zipfile
import six
-from ipaclient.plugins.rpcclient import rpcclient
+from ipaclient.frontend import ClientCommand, ClientMethod
from ipalib import errors, parameters, plugable
-from ipalib.frontend import Command, Method, Object
+from ipalib.frontend import Object
from ipalib.output import Output
from ipalib.parameters import DefaultFrom, Flag, Password, Str
-from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
from ipapython.ipa_log_manager import log_mgr
@@ -70,92 +69,11 @@ SERVERS_DIR = os.path.join(USER_CACHE_PATH, 'ipa', 'servers')
logger = log_mgr.get_logger(__name__)
-class _SchemaCommand(Command):
- def get_options(self):
- skip = set()
- for option in super(_SchemaCommand, self).get_options():
- if option.name in skip:
- continue
- if option.name in ('all', 'raw'):
- skip.add(option.name)
- yield option
+class _SchemaCommand(ClientCommand):
+ pass
-class _SchemaMethod(Method, _SchemaCommand):
- _failed_member_output_params = (
- # baseldap
- Str(
- 'member',
- label=_("Failed members"),
- ),
- Str(
- 'sourcehost',
- label=_("Failed source hosts/hostgroups"),
- ),
- Str(
- 'memberhost',
- label=_("Failed hosts/hostgroups"),
- ),
- Str(
- 'memberuser',
- label=_("Failed users/groups"),
- ),
- Str(
- 'memberservice',
- label=_("Failed service/service groups"),
- ),
- Str(
- 'failed',
- label=_("Failed to remove"),
- flags=['suppress_empty'],
- ),
- Str(
- 'ipasudorunas',
- label=_("Failed RunAs"),
- ),
- Str(
- 'ipasudorunasgroup',
- label=_("Failed RunAsGroup"),
- ),
- # caacl
- Str(
- 'ipamembercertprofile',
- label=_("Failed profiles"),
- ),
- Str(
- 'ipamemberca',
- label=_("Failed CAs"),
- ),
- # host
- Str(
- 'managedby',
- label=_("Failed managedby"),
- ),
- # service
- Str(
- 'ipaallowedtoperform_read_keys',
- label=_("Failed allowed to retrieve keytab"),
- ),
- Str(
- 'ipaallowedtoperform_write_keys',
- label=_("Failed allowed to create keytab"),
- ),
- # servicedelegation
- Str(
- 'failed_memberprincipal',
- label=_("Failed members"),
- ),
- Str(
- 'ipaallowedtarget',
- label=_("Failed targets"),
- ),
- # vault
- Str(
- 'owner?',
- label=_("Failed owners"),
- ),
- )
-
+class _SchemaMethod(ClientMethod):
@property
def obj_name(self):
return self.api.Object[self.obj_full_name].name
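Review bot: `_SchemaMethod` no longer lists `_SchemaCommand` among its bases, so schema-generated methods stop being instances of `_SchemaCommand`. The compat module added in this same commit keeps the pairing with `class CompatMethod(ClientMethod, CompatCommand)`. `_SchemaCommand` is now an empty subclass, so nothing is lost today, but an `isinstance(..., _SchemaCommand)` check or a later addition to `_SchemaCommand` would silently miss methods. For consistency I would write `class _SchemaMethod(ClientMethod, _SchemaCommand):`. The class body continues past the end of this hunk.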
@@ -164,15 +82,6 @@ class _SchemaMethod(Method, _SchemaCommand):
def obj_version(self):
return self.api.Object[self.obj_full_name].version
- def get_output_params(self):
- seen = set()
- for output_param in super(_SchemaMethod, self).get_output_params():
- seen.add(output_param.name)
- yield output_param
- for output_param in self._failed_member_output_params:
- if output_param.name not in seen:
- yield output_param
-
class _SchemaObject(Object):
pass
@@ -407,6 +316,10 @@ class _SchemaNameSpace(collections.Mapping):
return len(list(self._schema.iter_namespace(self.name)))
+class NotAvailable(Exception):
+ pass
+
+
class Schema(object):
"""
Store and provide schema for commands and topics
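Review bot: `NotAvailable` is added without a docstring, and the name alone does not say what is unavailable. Judging from the `except errors.CommandError` hunk further down, it appears to mean that the server rejected the `schema` command. Replacing `pass` with a one-line docstring such as `"""Raised when the server does not provide the schema command."""` would make that contract explicit for callers that catch it.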
@@ -443,8 +356,9 @@ class Schema(object):
def _in_cache(cls, fingeprint):
return os.path.exists(cls.schema_path_template.format(fingeprint))
- def __init__(self, api):
+ def __init__(self, api, client):
self._api = api
+ self._client = client
self._dict = {}
def _open_server_info(self, hostname, mode):
@@ -453,9 +367,9 @@ class Schema(object):
return open(path, mode)
def _get_schema(self):
- client = rpcclient(self._api)
- client.finalize()
- client.connect(verbose=False)
+ client = self._client
+ if not client.isconnected():
+ client.connect(verbose=False)
fps = [unicode(f) for f in Schema._list()]
kwargs = {u'version': u'2.170'}
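Review bot: `_get_schema` now calls `client.connect(verbose=False)` on a client object it was handed, and nothing in this hunk says who is responsible for disconnecting it afterwards. The same connect-if-needed pattern appears in the compat `get_package` added earlier in this commit. The rest of `_get_schema` lies outside the hunk, so cleanup may exist there or in the caller. If the caller owns the connection, a comment such as `# connection is left open; the caller disconnects` above the `if` would state it. If nobody closes it, record `opened = not client.isconnected()` before connecting and disconnect only when `opened` is true.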
@@ -463,6 +377,8 @@ class Schema(object):
kwargs[u'known_fingerprints'] = fps
try:
schema = client.forward(u'schema', **kwargs)['result']
+ except errors.CommandError:
+ raise NotAvailable()
except errors.SchemaUpToDate as e:
fp = e.fingerprint
ttl = e.ttl
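Review bot: The new `except errors.CommandError: raise NotAvailable()` discards the original error and leaves no trace that schema retrieval was refused. A server response here appears to decide which plugin set the client ends up using; the handling of `NotAvailable` is outside this view, so that is inferred from the compat module in this commit. Writing the clause as `except errors.CommandError as e:` and adding `logger.debug('schema command not available on server: %s', e)` before the raise would let an operator see when and why a client fell back to an older API. The `try` statement continues beyond this hunk.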
@@ -561,11 +477,11 @@ class Schema(object):
yield r.groups('name')[0]
-def get_package(api):
+def get_package(api, client):
try:
schema = api._schema
except AttributeError:
- schema = Schema(api)
+ schema = Schema(api, client)
object.__setattr__(api, '_schema', schema)
fingerprint = str(schema['fingerprint'])
diff --git a/ipaclient/setup.py.in b/ipaclient/setup.py.in
index 139b9dec6..1c8654f00 100644
--- a/ipaclient/setup.py.in
+++ b/ipaclient/setup.py.in
@@ -64,6 +64,10 @@ def setup_package():
"ipaclient",
"ipaclient.plugins",
"ipaclient.remote_plugins",
+ "ipaclient.remote_plugins.2_49",
+ "ipaclient.remote_plugins.2_114",
+ "ipaclient.remote_plugins.2_156",
+ "ipaclient.remote_plugins.2_164",
],
scripts=['../ipa'],
data_files = [('share/man/man1', ["../ipa.1"])],
diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index f324add29..cb00841f2 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -424,6 +424,8 @@ class Command(HasParam):
callback_types = ('interactive_prompt',)
+ api_version = API_VERSION
+
@property
def topic(self):
return type(self).__module__.rpartition('.')[2]
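Review bot: `api_version = API_VERSION` is added to `Command` without a comment, yet the following hunk makes it the value placed in `options['version']` for the `else:` branch. A short comment such as `# default API version for this command; subclasses may override it` would tell readers this is an extension point and not a redundant alias. The same hunk also switches the server-only `VersionMissing` message to `self.api_version`. If the attribute is meant to be overridden only by client-side classes, that line could keep `API_VERSION` so the server always reports its own version. The `Command` class body continues outside this hunk.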
@@ -451,11 +453,11 @@ class Command(HasParam):
elif self.api.env.skip_version_check and not self.api.env.in_server:
options['version'] = u'2.0'
else:
- options['version'] = API_VERSION
+ options['version'] = self.api_version
if self.api.env.in_server:
# add message only on server side
self.add_message(
- messages.VersionMissing(server_version=API_VERSION))
+ messages.VersionMissing(server_version=self.api_version))
params = self.args_options_2_params(*args, **options)
self.debug(
'raw: %s(%s)', self.name, ', '.join(self._repr_iter(**params))