From 3f85f09a83f1cd25078c7c11a68d457bb198d66f Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Wed, 18 Sep 2013 15:48:23 -0400 Subject: Add support for managing user auth types https://fedorahosted.org/freeipa/ticket/3368 --- API.txt | 12 ++++++++---- VERSION | 2 +- install/updates/50-ipaconfig.update | 1 + ipalib/plugins/config.py | 8 ++++++++ ipalib/plugins/user.py | 19 ++++++++++++++----- 5 files changed, 32 insertions(+), 10 deletions(-) diff --git a/API.txt b/API.txt index 605f9ee30..cddb9d719 100644 --- a/API.txt +++ b/API.txt @@ -495,7 +495,7 @@ args: 0,1,1 option: Str('version?', exclude='webui') output: Output('result', None, None) command: config_mod -args: 0,24,3 +args: 0,25,3 option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') @@ -514,6 +514,7 @@ option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='s option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False) option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False) option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False) +option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password',)) option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False) option: IA5Str('ipausersearchfields', attribute=True, autofill=False, cli_name='usersearch', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') 
@@ -3586,7 +3587,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: Output('value', , None) command: user_add -args: 1,35,3 +args: 1,36,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -3600,6 +3601,7 @@ option: Str('givenname', attribute=True, cli_name='first', multivalue=False, req option: Str('homedirectory', attribute=True, cli_name='homedir', multivalue=False, required=False) option: Str('initials', attribute=True, autofill=True, cli_name='initials', multivalue=False, required=False) option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False) +option: StrEnum('ipauserauthtype', attribute=True, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password',)) option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='principal', multivalue=False, required=False) option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False) option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False) @@ -3649,7 +3651,7 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: Output('value', , None) command: user_find -args: 1,45,4 +args: 1,46,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=False, query=True, required=False) 
@@ -3666,6 +3668,7 @@ option: Str('in_netgroup*', cli_name='in_netgroups', csv=True) option: Str('in_role*', cli_name='in_roles', csv=True) option: Str('in_sudorule*', cli_name='in_sudorules', csv=True) option: Str('initials', attribute=True, autofill=False, cli_name='initials', multivalue=False, query=True, required=False) +option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, query=True, required=False, values=(u'password',)) option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='principal', multivalue=False, query=True, required=False) option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False) @@ -3701,7 +3704,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: user_mod -args: 1,36,3 +args: 1,37,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -3716,6 +3719,7 @@ option: Str('givenname', attribute=True, autofill=False, cli_name='first', multi option: Str('homedirectory', attribute=True, autofill=False, cli_name='homedir', multivalue=False, required=False) option: Str('initials', attribute=True, autofill=False, cli_name='initials', multivalue=False, required=False) option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey', csv=True, multivalue=True, required=False) +option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password',)) option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, required=False) option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, required=False) diff --git a/VERSION b/VERSION index c3c6d5a4c..32f6efbc4 100644 --- a/VERSION +++ b/VERSION @@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=65 +IPA_API_VERSION_MINOR=66 diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update index ce617fe0d..89a1726f4 100644 --- a/install/updates/50-ipaconfig.update +++ b/install/updates/50-ipaconfig.update @@ -3,3 +3,4 @@ add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0 add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023 add:ipaUserObjectClasses: ipasshuser remove:ipaConfigString:AllowLMhash +add:objectClass: ipaUserAuthTypeClass diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index fbaacb7b9..f4e35519f 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py 
@@ -92,6 +92,7 @@ class config(LDAPObject): 'ipamigrationenabled', 'ipacertificatesubjectbase', 'ipapwdexpadvnotify', 'ipaselinuxusermaporder', 'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata', + 'ipauserauthtype' ] label = _('Configuration') @@ -197,6 +198,13 @@ class config(LDAPObject): values=(u'MS-PAC', u'PAD', u'nfs:NONE'), csv=True, ), + StrEnum('ipauserauthtype*', + cli_name='user_auth_type', + label=_('Default user authentication types'), + doc=_('Default types of supported user authentication'), + values=(u'password',), + csv=True, + ), ) def get_dn(self, *keys, **kwargs): diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 471981f48..54d11c229 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -24,7 +24,7 @@ import posixpath import os from ipalib import api, errors -from ipalib import Flag, Int, Password, Str, Bool +from ipalib import Flag, Int, Password, Str, Bool, StrEnum from ipalib.plugins.baseldap import * from ipalib.plugins import baseldap from ipalib.request import context @@ -198,14 +198,14 @@ class user(LDAPObject): object_name_plural = _('users') object_class = ['posixaccount'] object_class_config = 'ipauserobjectclasses' - possible_objectclasses = ['meporiginentry'] + possible_objectclasses = ['meporiginentry', 'ipauserauthtypeclass'] disallow_object_classes = ['krbticketpolicyaux'] search_attributes_config = 'ipausersearchfields' default_attributes = [ 'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'uidnumber', 'gidnumber', 'mail', 'ou', 'telephonenumber', 'title', 'memberof', 'nsaccountlock', - 'memberofindirect', + 'memberofindirect', 'ipauserauthtype' ] search_display_attributes = [ 'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 
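Review bot: The new `'ipauserauthtype'` entry that closes `config.default_attributes` has no trailing comma, unlike the line above it. The `@@ -198,14 +198,14 @@` hunk in user.py does the same and drops the comma that used to follow `'memberofindirect'`. In a list of string literals, a later addition on the next line that leaves this line untouched would silently concatenate the two names into one bogus attribute. I would write `'ipauserauthtype',` in both lists. Both lists begin outside their hunks.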
@@ -365,6 +365,13 @@ class user(LDAPObject): csv=True, flags=['no_search'], ), + StrEnum('ipauserauthtype*', + cli_name='user_auth_type', + label=_('User authentication types'), + doc=_('Types of supported user authentication'), + values=(u'password',), + csv=True, + ), ) def _normalize_and_validate_email(self, email, config=None): @@ -633,14 +640,16 @@ class user_mod(LDAPUpdate): entry_attrs['userpassword'] = ipa_generate_password(user_pwdchars) # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) - if 'ipasshpubkey' in entry_attrs: + if 'ipasshpubkey' in entry_attrs or 'ipauserauthtype' in entry_attrs: if 'objectclass' in entry_attrs: obj_classes = entry_attrs['objectclass'] else: (_dn, _entry_attrs) = ldap.get_entry(dn, ['objectclass']) obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass'] - if 'ipasshuser' not in obj_classes: + if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes: obj_classes.append('ipasshuser') + if 'ipauserauthtype' in entry_attrs and 'ipauserauthtype' not in obj_classes: + obj_classes.append('ipauserauthtypeclass') return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): -- cgit
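Review bot: Nothing visible in this patch adds `ipauserauthtypeclass` to a new entry when the option is used with `user_add`, although API.txt now lists `ipauserauthtype` for that command. Only `user_mod.pre_callback` (the `@@ -633,14 +640,16 @@` hunk) appends the objectclass. If the attribute is allowed only by that objectclass and it is not among the configured `ipauserobjectclasses`, the directory would presumably reject the add as a schema violation. `user_add.pre_callback` is outside this diff, so it is worth confirming that it appends the objectclass when `'ipauserauthtype' in entry_attrs`. The `takes_params` tuple starts outside the hunk.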
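Review bot: The last added condition tests `'ipauserauthtype' not in obj_classes`, which is the attribute name rather than the objectclass name, so it is effectively always true. As a result `ipauserauthtypeclass` is appended on every modification that sets the attribute, including on entries that already carry it, and the directory will likely reject the repeated objectClass value. The check should read `if 'ipauserauthtype' in entry_attrs and 'ipauserauthtypeclass' not in obj_classes:`. Both membership tests are also case-sensitive against values read back from LDAP, which may be worth normalising (inferred; the existing `ipasshuser` test has the same form). `pre_callback` starts outside the hunk.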