Ejemplo n.º 1
0
def accountpolicy_del_config(inst, basedn, log, args):
    log = log.getChild('accountpolicy_del_config')
    targetdn = args.DN
    if not ldap.dn.is_dn(targetdn):
        raise ValueError("Specified DN is not a valid DN")
    config = AccountPolicyConfig(inst, targetdn)
    config.delete()
    log.info("Successfully deleted the %s", targetdn)
Ejemplo n.º 2
0
def accountpolicy_show_config(inst, basedn, log, args):
    log = log.getChild('accountpolicy_show_config')
    targetdn = args.DN
    if not ldap.dn.is_dn(targetdn):
        raise ValueError("Specified DN is not a valid DN")
    config = AccountPolicyConfig(inst, targetdn)

    if not config.exists():
        raise ldap.NO_SUCH_OBJECT("Entry %s doesn't exists" % targetdn)
    if args and args.json:
        o_str = config.get_all_attrs_json()

        log.info(o_str)
    else:
        log.info(config.display())
Ejemplo n.º 3
0
def accountpolicy_edit_config(inst, basedn, log, args):
    log = log.getChild('accountpolicy_edit_config')
    targetdn = args.DN
    if not ldap.dn.is_dn(targetdn):
        raise ValueError("Specified DN is not a valid DN")
    config = AccountPolicyConfig(inst, targetdn)
    generic_object_edit(config, log, args, arg_to_attr_config)
Ejemplo n.º 4
0
def accpol_local(topology_st, accpol_global, request):
    """Configure Local account policy plugin for ou=people subtree and restart the server"""

    log.info('Adding Local account policy plugin configuration entries')
    try:
        topology_st.standalone.config.set('passwordmaxage', '400')
        accp = AccountPolicyConfig(topology_st.standalone, dn=ACCP_CONF)
        accp.remove_all('accountInactivityLimit')
        locl_conf = AccountPolicyConfig(topology_st.standalone, dn=LOCL_CONF)
        locl_conf.create(properties={
            'cn': 'AccountPolicy1',
            'accountInactivityLimit': '10'
        })
        cos_template = CosTemplate(topology_st.standalone, dn=TEMPL_COS)
        cos_template.create(properties={
            'cn': 'TempltCoS',
            'acctPolicySubentry': LOCL_CONF
        })
        cos_def = CosPointerDefinition(topology_st.standalone, dn=DEFIN_COS)
        cos_def.create(
            properties={
                'cn': 'DefnCoS',
                'cosTemplateDn': TEMPL_COS,
                'cosAttribute':
                'acctPolicySubentry default operational-default'
            })
    except ldap.LDAPError as e:
        log.error('Failed to configure Local account policy plugin')
        log.error('Failed to add entry {}, {}, {}:'.format(
            LOCL_CONF, TEMPL_COS, DEFIN_COS))
        raise e
    topology_st.standalone.restart(timeout=10)

    def fin():
        log.info(
            'Disabling Local accpolicy plugin and removing pwpolicy attrs')
        try:
            topology_st.standalone.plugins.disable(name=PLUGIN_ACCT_POLICY)
            for entry_dn in [LOCL_CONF, TEMPL_COS, DEFIN_COS]:
                entry = UserAccount(topology_st.standalone, dn=entry_dn)
                entry.delete()
        except ldap.LDAPError as e:
            log.error('Failed to disable Local accpolicy plugin, {}'.format(
                e.message['desc']))
            assert False
        topology_st.standalone.restart(timeout=10)

    request.addfinalizer(fin)
Ejemplo n.º 5
0
    def status(self):
        """Check if account is locked by Account Policy plugin or
        nsAccountLock (directly or indirectly)

        :returns: a dict in a format -
                  {"status": status, "params": activity_data, "calc_time": epoch_time}
        """

        inst = self._instance

        # Fetch Account Policy data if its enabled
        plugin = AccountPolicyPlugin(inst)
        state_attr = ""
        alt_state_attr = ""
        limit = ""
        spec_attr = ""
        limit_attr = ""
        process_account_policy = False
        try:
            process_account_policy = plugin.status()
        except IndexError:
            self._log.debug(
                "The bound user doesn't have rights to access Account Policy settings. Not checking."
            )

        if process_account_policy:
            config_dn = plugin.get_attr_val_utf8("nsslapd-pluginarg0")
            config = AccountPolicyConfig(inst, config_dn)
            config_settings = config.get_attrs_vals_utf8([
                "stateattrname", "altstateattrname", "specattrname",
                "limitattrname"
            ])
            state_attr = self._dict_get_with_ignore_indexerror(
                config_settings, "stateattrname")
            alt_state_attr = self._dict_get_with_ignore_indexerror(
                config_settings, "altstateattrname")
            spec_attr = self._dict_get_with_ignore_indexerror(
                config_settings, "specattrname")
            limit_attr = self._dict_get_with_ignore_indexerror(
                config_settings, "limitattrname")

            mapping_trees = MappingTrees(inst)
            root_suffix = mapping_trees.get_root_suffix_by_entry(self.dn)
            cos_entries = CosTemplates(inst, root_suffix)
            accpol_entry_dn = ""
            for cos in cos_entries.list():
                if cos.present(spec_attr):
                    accpol_entry_dn = cos.get_attr_val_utf8_l(spec_attr)
            if accpol_entry_dn:
                accpol_entry = AccountPolicyEntry(inst, accpol_entry_dn)
            else:
                accpol_entry = config
            limit = accpol_entry.get_attr_val_utf8_l(limit_attr)

        # Fetch account data
        account_data = self.get_attrs_vals_utf8([
            "createTimestamp", "modifyTimeStamp", "nsAccountLock", state_attr
        ])

        last_login_time = self._dict_get_with_ignore_indexerror(
            account_data, state_attr)
        if not last_login_time:
            last_login_time = self._dict_get_with_ignore_indexerror(
                account_data, alt_state_attr)

        create_time = self._dict_get_with_ignore_indexerror(
            account_data, "createTimestamp")
        modify_time = self._dict_get_with_ignore_indexerror(
            account_data, "modifyTimeStamp")

        acct_roles = self.get_attr_vals_utf8_l("nsRole")
        mapping_trees = MappingTrees(inst)
        root_suffix = ""
        try:
            root_suffix = mapping_trees.get_root_suffix_by_entry(self.dn)
        except ldap.NO_SUCH_OBJECT:
            self._log.debug(
                "The bound user doesn't have rights to access disabled roles settings. Not checking."
            )
        if root_suffix:
            roles = Roles(inst, root_suffix)
            try:
                disabled_roles = roles.get_disabled_roles()

                # Locked indirectly through a role
                locked_indirectly_role_dn = ""
                for role in acct_roles:
                    if str.lower(role) in [
                            str.lower(role.dn)
                            for role in disabled_roles.keys()
                    ]:
                        locked_indirectly_role_dn = role
                if locked_indirectly_role_dn:
                    return self._format_status_message(
                        AccountState.INDIRECTLY_LOCKED, create_time,
                        modify_time, last_login_time, limit,
                        locked_indirectly_role_dn)
            except ldap.NO_SUCH_OBJECT:
                pass

        # Locked directly
        if self._dict_get_with_ignore_indexerror(account_data,
                                                 "nsAccountLock") == "true":
            return self._format_status_message(AccountState.DIRECTLY_LOCKED,
                                               create_time, modify_time,
                                               last_login_time, limit)

        # Locked indirectly through Account Policy plugin
        if process_account_policy and last_login_time:
            # Now check the Account Policy Plugin inactivity limits
            remaining_time = float(limit) - (time.mktime(
                time.gmtime()) - gentime_to_posix_time(last_login_time))
            if remaining_time <= 0:
                return self._format_status_message(
                    AccountState.INACTIVITY_LIMIT_EXCEEDED, create_time,
                    modify_time, last_login_time, limit)
        # All checks are passed - we are active
        return self._format_status_message(AccountState.ACTIVATED, create_time,
                                           modify_time, last_login_time, limit)
Ejemplo n.º 6
0
def accpol_global(topology_st, request):
    """Configure Global account policy plugin and restart the server"""

    log.info(
        'Configuring Global account policy plugin, pwpolicy attributes and restarting the server'
    )
    plugin = AccountPolicyPlugin(topology_st.standalone)
    try:
        if DEBUGGING:
            topology_st.standalone.config.set(
                'nsslapd-auditlog-logging-enabled', 'on')
        plugin.enable()
        plugin.set('nsslapd-pluginarg0', ACCP_CONF)
        accp = AccountPolicyConfig(topology_st.standalone, dn=ACCP_CONF)
        accp.set('alwaysrecordlogin', 'yes')
        accp.set('stateattrname', 'lastLoginTime')
        accp.set('altstateattrname', 'createTimestamp')
        accp.set('specattrname', 'acctPolicySubentry')
        accp.set('limitattrname', 'accountInactivityLimit')
        accp.set('accountInactivityLimit', '12')
        topology_st.standalone.config.set('passwordexp', 'on')
        topology_st.standalone.config.set('passwordmaxage', '400')
        topology_st.standalone.config.set('passwordwarning', '1')
        topology_st.standalone.config.set('passwordlockout', 'on')
        topology_st.standalone.config.set('passwordlockoutduration', '5')
        topology_st.standalone.config.set('passwordmaxfailure', '3')
        topology_st.standalone.config.set('passwordunlock', 'on')
    except ldap.LDAPError as e:
        log.error(
            'Failed to enable Global Account Policy Plugin and Password policy attributes'
        )
        raise e
    topology_st.standalone.restart(timeout=10)

    def fin():
        log.info(
            'Disabling Global accpolicy plugin and removing pwpolicy attrs')
        try:
            plugin = AccountPolicyPlugin(topology_st.standalone)
            plugin.disable()
            topology_st.standalone.config.set('passwordexp', 'off')
            topology_st.standalone.config.set('passwordlockout', 'off')
        except ldap.LDAPError as e:
            log.error('Failed to disable Global accpolicy plugin, {}'.format(
                e.message['desc']))
            assert False
        topology_st.standalone.restart(timeout=10)

    request.addfinalizer(fin)