author | Martin Babinsky <mbabinsk@redhat.com> | 2016-06-23 20:06:42 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-07-01 09:37:25 +0200 |
commit | e6ff83e3610d553f6ff98e3adbfbe3c6984b2f17 (patch) | |
tree | 4ee2d2755dc707a8e722a5e42978b5cbc25b8f46 /ipaserver/plugins/user.py | |
parent | a28d312796839e3413c98ee37d34ccc892e85357 (diff) | |
download | freeipa-e6ff83e3610d553f6ff98e3adbfbe3c6984b2f17.tar.gz freeipa-e6ff83e3610d553f6ff98e3adbfbe3c6984b2f17.tar.xz freeipa-e6ff83e3610d553f6ff98e3adbfbe3c6984b2f17.zip |
Provide API for management of host, service, and user principal aliases
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.
'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
e-mail) do not overlap with those of trusted AD domains
If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.
'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.
See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases
https://fedorahosted.org/freeipa/ticket/1365
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/plugins/user.py')
-rw-r--r-- | ipaserver/plugins/user.py | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index c231847d5..b3ae7646f 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -43,7 +43,9 @@ from .baseuser import (
 convert_nsaccountlock,
 fix_addressbook_permission_bindrule,
 baseuser_add_manager,
- baseuser_remove_manager)
+ baseuser_remove_manager,
+ baseuser_add_principal,
+ baseuser_remove_principal)
 from .idviews import remove_ipaobject_overrides
 from ipalib.plugable import Registry
 from .baseldap import (
@@ -287,6 +289,14 @@ class user(baseuser):
 'Modify Users and Reset passwords',
 },
 },
+ 'System: Manage User Principals': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krbprincipalname', 'krbcanonicalname'},
+ 'default_privileges': {
+ 'User Administrators',
+ 'Modify Users and Reset passwords',
+ },
+ },
 'System: Modify Users': {
 'ipapermright': {'write'},
 'ipapermdefaultattr': {
@@ -1187,3 +1197,15 @@ class user_add_manager(baseuser_add_manager):
 @register()
 class user_remove_manager(baseuser_remove_manager):
 __doc__ = _("Remove a manager to the user entry")
+
+
+@register()
+class user_add_principal(baseuser_add_principal):
+ __doc__ = _('Add new principal alias to the user entry')
+ msg_summary = _('Added new aliases to user "%(value)s"')
+
+
+@register()
+class user_remove_principal(baseuser_remove_principal):
+ __doc__ = _('Remove principal alias from the user entry')
+ msg_summary = _('Removed aliases from user "%(value)s"') |
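Review bot: The new 'System: Manage User Principals' entry in the second hunk grants write on both `krbprincipalname` and `krbcanonicalname` to 'Modify Users and Reset passwords' as well as 'User Administrators', and nothing in the hunk records why the narrower privilege needs to write the canonical name. The principal-type, realm and trusted-domain overlap checks described in the commit message presumably live in `baseuser_add_principal` / `baseuser_remove_principal`, which are not visible here. If so, they guard only the API commands, and a holder of this permission who writes the attributes over LDAP directly would likely not pass through them. I would add a comment above the entry, for example `# krbcanonicalname must be writable so *-add-principal can set a missing canonical name; alias validation is done by the command, not by this permission`, and confirm that both default privileges are intended. The enclosing permissions dict of `class user` starts and ends outside the hunk.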