Diffstat (limited to 'ipaserver/plugins')
-rw-r--r--ipaserver/plugins/baseuser.py39
-rw-r--r--ipaserver/plugins/host.py51
-rw-r--r--ipaserver/plugins/service.py53
-rw-r--r--ipaserver/plugins/user.py24
4 files changed, 136 insertions, 31 deletions
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index cbb04aaad..c80d5ac0d 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -27,7 +27,8 @@ from ipalib.parameters import Principal
from ipalib.plugable import Registry
from .baseldap import (
DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
- LDAPRetrieve, LDAPAddMember, LDAPRemoveMember)
+ LDAPRetrieve, LDAPAddAttribute, LDAPRemoveAttribute, LDAPAddMember,
+ LDAPRemoveMember)
from ipaserver.plugins.service import (
validate_certificate, validate_realm, normalize_principal)
from ipalib.request import context
@@ -42,7 +43,10 @@ from ipalib.util import (
remove_sshpubkey_from_output_post,
remove_sshpubkey_from_output_list_post,
add_sshpubkey_to_attrs_pre,
- set_krbcanonicalname
+ set_krbcanonicalname,
+ check_principal_realm_in_trust_namespace,
+ ensure_last_krbprincipalname,
+ ensure_krbcanonicalname_set
)
if six.PY3:
@@ -212,14 +216,20 @@ class baseuser(LDAPObject):
label=_('Login shell'),
),
Principal(
- 'krbprincipalname?',
+ 'krbcanonicalname?',
+ validate_realm,
+ label=_('Principal name'),
+ flags={'no_option', 'no_create', 'no_update', 'no_search'},
+ normalizer=normalize_user_principal
+ ),
+ Principal(
+ 'krbprincipalname*',
validate_realm,
cli_name='principal',
- label=_('Kerberos principal'),
- default_from=lambda uid: kerberos.Principal.from_text(
+ label=_('Principal alias'),
+ default_from=lambda uid: kerberos.Principal(
uid.lower(), realm=api.env.realm),
autofill=True,
- flags=['no_update'],
normalizer=normalize_user_principal,
),
DateTime('krbprincipalexpiration?',
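Review bot: Dropping `flags=['no_update']` from the `krbprincipalname*` parameter means `user-mod`/`stageuser-mod --principal=...` can now replace the whole alias set directly, and nothing in this hunk shows that path receiving the trust-namespace check and canonical-name backfill that the new add-principal command performs. Unless baseuser_mod's pre_callback (outside this diff) already applies the same helpers whenever `krbprincipalname` is in `entry_attrs`, a direct mod could place an alias inside a trusted forest's namespace or write a value list that no longer contains the canonical name. Either keep `no_update` so aliases are managed only through the add/remove-principal commands, or run the same checks on the new values in the mod callback. The `baseuser` class definition continues outside the hunk.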
@@ -621,3 +631,20 @@ class baseuser_add_manager(LDAPAddMember):
class baseuser_remove_manager(LDAPRemoveMember):
member_attributes = ['manager']
+
+
+class baseuser_add_principal(LDAPAddAttribute):
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ check_principal_realm_in_trust_namespace(self.api, *keys)
+ ensure_krbcanonicalname_set(ldap, entry_attrs)
+ return dn
+
+
+class baseuser_remove_principal(LDAPRemoveAttribute):
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
+ return dn
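Review bot: `baseuser_add_principal` and `baseuser_remove_principal` carry no docstring and their pre_callbacks give no reason for the helper calls, so a reader must open ipalib.util to learn what is being enforced on a user's Kerberos identity. I would add `"""Base for *-add-principal: reject aliases in a trusted forest's namespace and backfill krbcanonicalname on entries that lack it."""` to the first class and `"""Base for *-remove-principal: refuse to strip the entry's last/canonical principal name."""` to the second, with the wording confirmed against the helpers, which this diff does not show. A one-line why-comment above each call, e.g. `# alias realm/UPN suffix must not collide with a trusted AD forest`, would serve the same purpose.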
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 11bddb505..1c1e934b9 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -35,7 +35,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
LDAPAddAttribute, LDAPRemoveAttribute,
LDAPAddAttributeViaOption,
LDAPRemoveAttributeViaOption)
-from ipaserver.plugins.service import (
+from .service import (
validate_realm, normalize_principal, validate_certificate,
set_certificate_attrs, ticket_flags_params, update_krbticketflags,
set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
@@ -406,6 +406,12 @@ class host(LDAPObject):
'ipapermdefaultattr': {'usercertificate'},
'default_privileges': {'Host Administrators', 'Host Enrollment'},
},
+ 'System: Manage Host Principals': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krbprincipalname', 'krbcanonicalname'},
+ 'default_privileges': {'Host Administrators', 'Host Enrollment'},
+ },
'System: Manage Host Enrollment Password': {
'ipapermbindruletype': 'permission',
'ipapermright': {'write'},
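Review bot: `System: Manage Host Principals` grants write on `krbcanonicalname` as well as `krbprincipalname` to `Host Enrollment`, so whatever holds the enrollment privilege can change a host's canonical Kerberos identity, not merely add aliases — a wider grant than enrollment needs on its face. Write on `krbcanonicalname` is presumably required only so `ensure_krbcanonicalname_set` can backfill legacy entries that lack the attribute; if that is the sole reason, record it with `# krbcanonicalname: needed so add-principal can backfill legacy entries` next to `ipapermdefaultattr`, and otherwise consider granting `Host Enrollment` only `krbprincipalname`. Giving both attributes to `Host Administrators` is consistent with the certificate permission directly above.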
@@ -515,11 +521,18 @@ class host(LDAPObject):
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
),
Principal(
- 'krbprincipalname?',
+ 'krbcanonicalname?',
validate_realm,
label=_('Principal name'),
normalizer=normalize_principal,
- flags=['no_create', 'no_update', 'no_search'],
+ flags={'no_create', 'no_update', 'no_search'},
+ ),
+ Principal(
+ 'krbprincipalname*',
+ validate_realm,
+ label=_('Principal alias'),
+ normalizer=normalize_principal,
+ flags=['no_create', 'no_search'],
),
Str('macaddress*',
normalizer=lambda value: value.upper(),
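Review bot: The new host `krbprincipalname*` parameter constrains only the realm (`validate_realm`); unlike the service alias parameter in service.py, which sets `require_service=True`, nothing visible here requires a host alias to have the `host/<fqdn>` form, so a holder of the new principal permission could attach a service- or user-style name to a host entry and have the host's keys honoured for it. If that is not intended, add a validator that rejects aliases whose service component is not `host`. Two smaller points in the same hunk: the canonical-name line above switches its flags to a set while the alias keeps `flags=['no_create', 'no_search']` as a list, and the alias has no `cli_name='principal'` as the user and service aliases do, so the CLI option name will differ across the three objects and the `--principalname` option removed from `host_mod` further down gets no like-named replacement.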
@@ -839,15 +852,6 @@ class host_mod(LDAPUpdate):
member_attributes = ['managedby']
takes_options = LDAPUpdate.takes_options + (
- Principal(
- 'krbprincipalname?',
- validate_realm,
- cli_name='principalname',
- label=_('Principal name'),
- doc=_('Kerberos principal name for this host'),
- normalizer=normalize_principal,
- attribute=True,
- ),
Flag('updatedns?',
doc=_('Update DNS entries'),
default=False,
@@ -1332,3 +1336,26 @@ class host_remove_cert(LDAPRemoveAttributeViaOption):
revoke_certs(options['usercertificate'], self.log)
return dn
+
+
+@register()
+class host_add_principal(LDAPAddAttribute):
+ __doc__ = _('Add new principal alias to host entry')
+ msg_summary = _('Added new aliases to host "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.check_principal_realm_in_trust_namespace(self.api, *keys)
+ util.ensure_krbcanonicalname_set(ldap, entry_attrs)
+ return dn
+
+
+@register()
+class host_remove_principal(LDAPRemoveAttribute):
+ __doc__ = _('Remove principal alias from a host entry')
+ msg_summary = _('Removed aliases from host "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
+ return dn
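Review bot: `host_add_principal.pre_callback` and `host_remove_principal.pre_callback` do not say what the two util helpers enforce, which matters here because they are the only checks standing between the new `Host Enrollment`-level write permission and a host's Kerberos identity. I would add `# reject aliases whose realm/UPN suffix belongs to a trusted AD forest` above the `check_principal_realm_in_trust_namespace` call, `# legacy entries may lack krbcanonicalname; set it before adding aliases` above `ensure_krbcanonicalname_set`, and `# never strip the canonical/last principal name from the host` in the remove callback — wording to be confirmed against ipalib.util, which this diff does not show. The `util` module name is assumed to be imported earlier in host.py, since baseuser.py imports the same helpers by name instead.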
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7b0832b23..417be0011 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -422,6 +422,13 @@ class service(LDAPObject):
],
'default_privileges': {'Service Administrators'},
},
+ 'System: Manage Service Principals': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krbprincipalname', 'krbcanonicalname'},
+ 'default_privileges': {
+ 'Service Administrators',
+ },
+ },
'System: Remove Services': {
'ipapermright': {'delete'},
'replaces': [
@@ -439,12 +446,22 @@ class service(LDAPObject):
'krbcanonicalname',
validate_realm,
cli_name='canonical_principal',
- label=_('Principal'),
+ label=_('Principal name'),
doc=_('Service principal'),
primary_key=True,
normalizer=normalize_principal,
require_service=True
),
+ Principal(
+ 'krbprincipalname*',
+ validate_realm,
+ cli_name='principal',
+ label=_('Principal alias'),
+ doc=_('Service principal alias'),
+ normalizer=normalize_principal,
+ require_service=True,
+ flags={'no_create'}
+ ),
Bytes('usercertificate*', validate_certificate,
cli_name='certificate',
label=_('Certificate'),
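Review bot: The alias parameter moves from `flags={'no_create', 'no_update'}` (the old definition removed further down) to `flags={'no_create'}`, so `service-mod --principal=...` can now rewrite the whole `krbprincipalname` set directly, and this hunk shows no trust-namespace or canonical-name check on that path — only the new `service-add-principal` command gets them. If `service_mod.pre_callback` (outside this diff) does not apply the same checks whenever `krbprincipalname` is present in `entry_attrs`, a mod can drop the canonical name from the alias list or place an alias inside a trusted forest's namespace. Either keep `no_update` so aliases go only through add/remove-principal, or run the same checks on the new values in the mod callback. The `service` class definition continues outside the hunk.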
@@ -503,16 +520,6 @@ class service(LDAPObject):
" Use 'radius' to allow RADIUS-based 2FA authentications."
" Other values may be used for custom configurations."),
),
- Principal(
- 'krbprincipalname',
- validate_realm,
- cli_name='principal',
- label=_('Principal Alias'),
- doc=_('Service principal alias'),
- normalizer=normalize_principal,
- require_service=True,
- flags={'no_create', 'no_update'}
- ),
) + ticket_flags_params
def validate_ipakrbauthzdata(self, entry):
@@ -819,7 +826,6 @@ class service_show(LDAPRetrieve):
return dn
-
@register()
class service_add_host(LDAPAddMember):
__doc__ = _('Add hosts that can manage this service.')
@@ -978,3 +984,26 @@ class service_remove_cert(LDAPRemoveAttributeViaOption):
revoke_certs(options['usercertificate'], self.log)
return dn
+
+
+@register()
+class service_add_principal(LDAPAddAttribute):
+ __doc__ = _('Add new principal alias to a service')
+ msg_summary = _('Added new aliases to the service principal "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.check_principal_realm_in_trust_namespace(self.api, *keys)
+ util.ensure_krbcanonicalname_set(ldap, entry_attrs)
+ return dn
+
+
+@register()
+class service_remove_principal(LDAPRemoveAttribute):
+ __doc__ = _('Remove principal alias from a service')
+ msg_summary = _('Removed aliases to the service principal "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
+ return dn
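Review bot: `service_remove_principal.msg_summary` reads `'Removed aliases to the service principal "%(value)s"'`, which states the opposite of what the command does and disagrees with its own `__doc__` and with the host variant (`'Removed aliases from host ...'`); change it to `msg_summary = _('Removed aliases from the service principal "%(value)s"')`. Both pre_callbacks would also benefit from a one-line why-comment naming what the util helper enforces, since the helpers are not part of this diff.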
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index c231847d5..b3ae7646f 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -43,7 +43,9 @@ from .baseuser import (
convert_nsaccountlock,
fix_addressbook_permission_bindrule,
baseuser_add_manager,
- baseuser_remove_manager)
+ baseuser_remove_manager,
+ baseuser_add_principal,
+ baseuser_remove_principal)
from .idviews import remove_ipaobject_overrides
from ipalib.plugable import Registry
from .baseldap import (
@@ -287,6 +289,14 @@ class user(baseuser):
'Modify Users and Reset passwords',
},
},
+ 'System: Manage User Principals': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krbprincipalname', 'krbcanonicalname'},
+ 'default_privileges': {
+ 'User Administrators',
+ 'Modify Users and Reset passwords',
+ },
+ },
'System: Modify Users': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
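Review bot: `System: Manage User Principals` gives `Modify Users and Reset passwords` — a help-desk level privilege — write on `krbcanonicalname`, which lets that role change a user's canonical Kerberos identity rather than only add or remove aliases. This mirrors the privilege list of the surrounding user permissions, but changing the canonical principal is closer in impact to a rename than to a password reset, so it deserves a deliberate decision. If `krbcanonicalname` is included only so `ensure_krbcanonicalname_set` can backfill legacy entries, a comment saying so beside `ipapermdefaultattr` would keep the next reader from widening it further; if the help-desk role does not need it, split the canonical name into a permission granted to `User Administrators` only.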
@@ -1187,3 +1197,15 @@ class user_add_manager(baseuser_add_manager):
@register()
class user_remove_manager(baseuser_remove_manager):
__doc__ = _("Remove a manager to the user entry")
+
+
+@register()
+class user_add_principal(baseuser_add_principal):
+ __doc__ = _('Add new principal alias to the user entry')
+ msg_summary = _('Added new aliases to user "%(value)s"')
+
+
+@register()
+class user_remove_principal(baseuser_remove_principal):
+ __doc__ = _('Remove principal alias from the user entry')
+ msg_summary = _('Removed aliases from user "%(value)s"')