Diffstat (limited to 'ipaserver/plugins/service.py')
-rw-r--r-- | ipaserver/plugins/service.py | 53 |
1 files changed, 41 insertions, 12 deletions
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7b0832b23..417be0011 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -422,6 +422,13 @@ class service(LDAPObject):
 ],
 'default_privileges': {'Service Administrators'},
 },
+ 'System: Manage Service Principals': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krbprincipalname', 'krbcanonicalname'},
+ 'default_privileges': {
+ 'Service Administrators',
+ },
+ },
 'System: Remove Services': {
 'ipapermright': {'delete'},
 'replaces': [
@@ -439,12 +446,22 @@ class service(LDAPObject):
 'krbcanonicalname',
 validate_realm,
 cli_name='canonical_principal',
- label=_('Principal'),
+ label=_('Principal name'),
 doc=_('Service principal'),
 primary_key=True,
 normalizer=normalize_principal,
 require_service=True
 ),
+ Principal(
+ 'krbprincipalname*',
+ validate_realm,
+ cli_name='principal',
+ label=_('Principal alias'),
+ doc=_('Service principal alias'),
+ normalizer=normalize_principal,
+ require_service=True,
+ flags={'no_create'}
+ ),
 Bytes('usercertificate*', validate_certificate, cli_name='certificate', label=_('Certificate'),
@@ -503,16 +520,6 @@ class service(LDAPObject):
 " Use 'radius' to allow RADIUS-based 2FA authentications."
 " Other values may be used for custom configurations."),
 ),
- Principal(
- 'krbprincipalname',
- validate_realm,
- cli_name='principal',
- label=_('Principal Alias'),
- doc=_('Service principal alias'),
- normalizer=normalize_principal,
- require_service=True,
- flags={'no_create', 'no_update'}
- ),
 ) + ticket_flags_params
 def validate_ipakrbauthzdata(self, entry):
@@ -819,7 +826,6 @@ class service_show(LDAPRetrieve):
 return dn
-
 @register()
 class service_add_host(LDAPAddMember):
 __doc__ = _('Add hosts that can manage this service.')
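Review bot: The new `'System: Manage Service Principals'` permission in the first hunk (`@@ -422,6 +422,13 @@`) grants write on `krbcanonicalname` as well as `krbprincipalname`, while both commands added by this commit set `attribute = 'krbprincipalname'` only. Presumably the canonical name is included so that `util.ensure_krbcanonicalname_set` can fill it in on entries that lack it, but nothing in the entry says so, and the grant also lets members of `Service Administrators` write that attribute outside the alias commands. I would either record the reason next to `'ipapermdefaultattr'`, e.g. `# krbcanonicalname is writable so the alias commands can set it on entries that lack it`, or drop the attribute if that is not required. The enclosing permissions dict starts and ends outside the hunk.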
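Review bot: In the second hunk (`@@ -439,12 +446,22 @@`) the re-added `krbprincipalname*` parameter carries `flags={'no_create'}`, where the definition removed in the third hunk had `{'no_create', 'no_update'}`, so the attribute is no longer excluded from the update path. If that makes aliases settable through the service modify command, the checks that `service_add_principal` and `service_remove_principal` run in `pre_callback` would not apply there unless the modify command repeats them; that command is not part of this diff, so this needs confirming. If direct modification is not intended, keep `flags={'no_create', 'no_update'}`; otherwise call the same `util` checks from the modify path. The `Principal(...)` call sits inside a parameter tuple that starts and ends outside the hunk.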
@@ -978,3 +984,26 @@ class service_remove_cert(LDAPRemoveAttributeViaOption):
 revoke_certs(options['usercertificate'], self.log)
 return dn
+
+
+@register()
+class service_add_principal(LDAPAddAttribute):
+ __doc__ = _('Add new principal alias to a service')
+ msg_summary = _('Added new aliases to the service principal "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.check_principal_realm_in_trust_namespace(self.api, *keys)
+ util.ensure_krbcanonicalname_set(ldap, entry_attrs)
+ return dn
+
+
+@register()
+class service_remove_principal(LDAPRemoveAttribute):
+ __doc__ = _('Remove principal alias from a service')
+ msg_summary = _('Removed aliases to the service principal "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
+ return dn |
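Review bot: Both new `pre_callback` methods lack any comment on what their `util` guards enforce, although these calls are the only validation visible on the alias add and remove paths. A one-line docstring on each would make it harder for a later refactor to drop them, e.g. `"""Check the alias realm against trust namespaces and make sure krbcanonicalname is set."""` on the add side and `"""Guard against removing the last krbprincipalname value."""` on the remove side; that wording is inferred from the helper names and should be checked against `util` before it is committed. The removal summary would also read better as `'Removed aliases from the service principal "%(value)s"'`.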