def entry_status(inst, basedn, log, args):
dn = _get_dn_arg(args.dn, msg="Enter dn to check")
roles = Roles(inst, basedn)
role = roles.get(dn=dn)
status = role.status()
log.info(f'Entry DN: {dn}')
log.info(f'Entry State: {status["state"].describe(status["role_dn"])}\n')
def entry_status(inst, basedn, log, args):
dn = _get_dn_arg(args.dn, msg="Enter dn to check")
roles = Roles(inst, basedn)
try:
role = roles.get(dn=dn)
except ldap.NO_SUCH_OBJECT:
raise ValueError(
"Role \"{}\" is not found or the entry is not a role.".format(dn))
status = role.status()
info_dict = {}
if args.json:
info_dict["dn"] = dn
info_dict["state"] = f'{status["state"].describe(status["role_dn"])}'
log.info(json.dumps({"type": "status", "info": info_dict}, indent=4))
else:
log.info(f'Entry DN: {dn}')
log.info(
f'Entry State: {status["state"].describe(status["role_dn"])}\n')
def subtree_status(inst, basedn, log, args):
basedn = _get_dn_arg(args.basedn, msg="Enter basedn to check")
filter = ""
scope = ldap.SCOPE_SUBTREE
role_list = Roles(inst, basedn).filter(filter, scope)
if not role_list:
raise ValueError(f"No entries were found under {basedn} or the user doesn't have an access")
for entry in role_list:
status = entry.status()
log.info(f'Entry DN: {entry.dn}')
log.info(f'Entry State: {status["state"].describe(status["role_dn"])}\n')
def status(self):
"""Check if account is locked by Account Policy plugin or
nsAccountLock (directly or indirectly)
:returns: a dict in a format -
{"status": status, "params": activity_data, "calc_time": epoch_time}
"""
inst = self._instance
# Fetch Account Policy data if its enabled
plugin = AccountPolicyPlugin(inst)
state_attr = ""
alt_state_attr = ""
limit = ""
spec_attr = ""
limit_attr = ""
process_account_policy = False
try:
process_account_policy = plugin.status()
except IndexError:
self._log.debug(
"The bound user doesn't have rights to access Account Policy settings. Not checking."
)
if process_account_policy:
config_dn = plugin.get_attr_val_utf8("nsslapd-pluginarg0")
config = AccountPolicyConfig(inst, config_dn)
config_settings = config.get_attrs_vals_utf8([
"stateattrname", "altstateattrname", "specattrname",
"limitattrname"
])
state_attr = self._dict_get_with_ignore_indexerror(
config_settings, "stateattrname")
alt_state_attr = self._dict_get_with_ignore_indexerror(
config_settings, "altstateattrname")
spec_attr = self._dict_get_with_ignore_indexerror(
config_settings, "specattrname")
limit_attr = self._dict_get_with_ignore_indexerror(
config_settings, "limitattrname")
mapping_trees = MappingTrees(inst)
root_suffix = mapping_trees.get_root_suffix_by_entry(self.dn)
cos_entries = CosTemplates(inst, root_suffix)
accpol_entry_dn = ""
for cos in cos_entries.list():
if cos.present(spec_attr):
accpol_entry_dn = cos.get_attr_val_utf8_l(spec_attr)
if accpol_entry_dn:
accpol_entry = AccountPolicyEntry(inst, accpol_entry_dn)
else:
accpol_entry = config
limit = accpol_entry.get_attr_val_utf8_l(limit_attr)
# Fetch account data
account_data = self.get_attrs_vals_utf8([
"createTimestamp", "modifyTimeStamp", "nsAccountLock", state_attr
])
last_login_time = self._dict_get_with_ignore_indexerror(
account_data, state_attr)
if not last_login_time:
last_login_time = self._dict_get_with_ignore_indexerror(
account_data, alt_state_attr)
create_time = self._dict_get_with_ignore_indexerror(
account_data, "createTimestamp")
modify_time = self._dict_get_with_ignore_indexerror(
account_data, "modifyTimeStamp")
acct_roles = self.get_attr_vals_utf8_l("nsRole")
mapping_trees = MappingTrees(inst)
root_suffix = ""
try:
root_suffix = mapping_trees.get_root_suffix_by_entry(self.dn)
except ldap.NO_SUCH_OBJECT:
self._log.debug(
"The bound user doesn't have rights to access disabled roles settings. Not checking."
)
if root_suffix:
roles = Roles(inst, root_suffix)
try:
disabled_roles = roles.get_disabled_roles()
# Locked indirectly through a role
locked_indirectly_role_dn = ""
for role in acct_roles:
if str.lower(role) in [
str.lower(role.dn)
for role in disabled_roles.keys()
]:
locked_indirectly_role_dn = role
if locked_indirectly_role_dn:
return self._format_status_message(
AccountState.INDIRECTLY_LOCKED, create_time,
modify_time, last_login_time, limit,
locked_indirectly_role_dn)
except ldap.NO_SUCH_OBJECT:
pass
# Locked directly
if self._dict_get_with_ignore_indexerror(account_data,
"nsAccountLock") == "true":
return self._format_status_message(AccountState.DIRECTLY_LOCKED,
create_time, modify_time,
last_login_time, limit)
# Locked indirectly through Account Policy plugin
if process_account_policy and last_login_time:
# Now check the Account Policy Plugin inactivity limits
remaining_time = float(limit) - (time.mktime(
time.gmtime()) - gentime_to_posix_time(last_login_time))
if remaining_time <= 0:
return self._format_status_message(
AccountState.INACTIVITY_LIMIT_EXCEEDED, create_time,
modify_time, last_login_time, limit)
# All checks are passed - we are active
return self._format_status_message(AccountState.ACTIVATED, create_time,
modify_time, last_login_time, limit)