def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
    """Run the validation steps shared by the user add/mod pre-callbacks.

    The steps are an ordered pipeline: each ``check_*`` call presumably
    raises on failure, so the first failing check is the error the caller
    sees and the LDAP write never happens.

    :param ldap: LDAP connection used by the checks.
    :param dn: DN of the entry being written (a ``DN`` object).
    :param entry_attrs: attributes about to be written; validated and
        possibly rewritten in place.
    :param attrs_list: attributes to read back after the write; extended
        in place.
    :param keys: the command's primary keys (unused here).
    :param options: the command's options, forwarded to the checks.
    """
    # Internal invariant, not input validation: the framework hands us a
    # DN object.  Note this is stripped under ``python -O``.
    assert isinstance(dn, DN)
    # Make sure the SSH public key attribute is part of the read-back set
    # (presumably so the matching post callback can process it).
    add_sshpubkey_to_attrs_pre(self.context, attrs_list)
    self.check_namelength(ldap, **options)
    self.check_mail(entry_attrs)
    # The manager lookup is bounded to the active-users container.
    self.check_manager(entry_attrs, self.obj.active_container_dn)
    self.check_userpassword(entry_attrs, **options)
    self.check_objectclass(ldap, dn, entry_attrs)
    # Normalise any supplied certificates before they reach LDAP.
    self.obj.convert_usercertificate_pre(entry_attrs)
def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
    """Adjust the host search filter and attribute list before the search.

    Maps the ``locality`` attribute to its LDAP name ``l`` and narrows the
    filter with the ``man_host`` / ``not_man_host`` options: ``man_host``
    keeps only hosts managed by *all* of the listed hosts, ``not_man_host``
    drops hosts managed by *any* of them.

    :param ldap: LDAP connection; also supplies the filter helpers.
    :param filter: the search filter built so far.
    :param attrs_list: attributes to return; modified in place.
    :param base_dn: search base (a ``DN`` object).
    :param scope: search scope, passed through unchanged.
    :param options: command options; ``man_host`` and ``not_man_host`` are
        lists of host primary keys.
    :return: the ``(filter, base_dn, scope)`` triple the framework expects.
    """
    assert isinstance(base_dn, DN)
    if 'locality' in attrs_list:
        attrs_list.remove('locality')
        attrs_list.append('l')
    if 'man_host' in options or 'not_man_host' in options:
        hosts = []
        if options.get('man_host') is not None:
            for pkey in options.get('man_host', []):
                dn = self.obj.get_dn(pkey)
                try:
                    entry_attrs = ldap.get_entry(dn, ['managedby'])
                except errors.NotFound:
                    # handle_not_found is expected to raise; if it ever
                    # returned, entry_attrs below would be unbound or stale.
                    self.obj.handle_not_found(pkey)
                hosts.append(set(entry_attrs.get('managedby', '')))
            # Intersect the managedby sets: keep only managers common to
            # every listed host.
            # NOTE(review): reduce() with no initial value raises TypeError
            # on an empty list, so this relies on man_host never being [].
            hosts = list(reduce(lambda s1, s2: s1 & s2, hosts))
            if not hosts:
                # There is no host managing _all_ hosts in --man-hosts
                # The extra clause is presumably one no host entry matches,
                # so the search returns nothing rather than everything.
                filter = ldap.combine_filters(
                    (filter, '(objectclass=disabled)'), ldap.MATCH_ALL
                )
        not_hosts = []
        if options.get('not_man_host') is not None:
            for pkey in options.get('not_man_host', []):
                dn = self.obj.get_dn(pkey)
                try:
                    entry_attrs = ldap.get_entry(dn, ['managedby'])
                except errors.NotFound:
                    self.obj.handle_not_found(pkey)
                not_hosts += entry_attrs.get('managedby', [])
            # Union, de-duplicated.
            not_hosts = list(set(not_hosts))
        for target_hosts, filter_op in ((hosts, ldap.MATCH_ANY), (not_hosts, ldap.MATCH_NONE)):
            # Each managedby value is a DN; the first AVA of its first RDN
            # is turned back into an attribute filter.  Building it through
            # make_filter_from_attr (rather than string formatting) is what
            # keeps DN values from being interpreted as filter syntax.
            hosts_avas = [DN(host)[0][0] for host in target_hosts]
            hosts_filters = [ldap.make_filter_from_attr(ava.attr, ava.value) for ava in hosts_avas]
            hosts_filter = ldap.combine_filters(hosts_filters, filter_op)
            filter = ldap.combine_filters(
                (filter, hosts_filter), ldap.MATCH_ALL
            )
    add_sshpubkey_to_attrs_pre(self.context, attrs_list)
    # Plain string replace over the whole filter: it rewrites 'locality'
    # wherever it occurs, including inside attribute values, not only as
    # an attribute name.
    return (filter.replace('locality', 'l'), base_dn, scope)
def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
    """Run the shared user validation steps, then protect krbprincipalname.

    Same ordered pipeline as the add-side callback, with one extra step at
    the end that handles the Kerberos principal name; each ``check_*`` call
    presumably raises on failure, so order determines which error surfaces.

    :param ldap: LDAP connection used by the checks.
    :param dn: DN of the entry being written (a ``DN`` object).
    :param entry_attrs: attributes about to be written; validated and
        possibly rewritten in place.
    :param attrs_list: attributes to read back after the write; extended
        in place.
    :param keys: the command's primary keys, forwarded to the principal
        name step.
    :param options: the command's options, forwarded to the checks.
    """
    # Internal invariant, not input validation (stripped under python -O).
    assert isinstance(dn, DN)
    add_sshpubkey_to_attrs_pre(self.context, attrs_list)
    self.check_namelength(ldap, **options)
    self.check_mail(entry_attrs)
    self.check_manager(entry_attrs, self.obj.active_container_dn)
    self.check_userpassword(entry_attrs, **options)
    self.check_objectclass(ldap, dn, entry_attrs)
    self.obj.convert_usercertificate_pre(entry_attrs)
    # Runs last: presumably keeps the existing principal name from being
    # replaced by this modification — confirm against the helper.
    self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys, **options)
def pre_common_callback(self, ldap, dn, attrs_list, *keys, **options):
    """Extend the read-back attribute list before a single-entry retrieval.

    :param ldap: LDAP connection (unused here).
    :param dn: DN of the entry (a ``DN`` object).
    :param attrs_list: attributes to retrieve; extended in place so the
        SSH public key attribute is included.
    :param keys: the command's primary keys (unused here).
    :param options: the command's options (unused here).
    """
    # Internal invariant, not input validation (stripped under python -O).
    assert isinstance(dn, DN)
    add_sshpubkey_to_attrs_pre(self.context, attrs_list)
def pre_common_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
    """Extend the returned attribute list before a search.

    Only ``attrs_list`` is touched; the filters, base DN and scope are
    left for the caller.

    :param ldap: LDAP connection (unused here).
    :param filters: the search filters (unused here).
    :param attrs_list: attributes to return; extended in place so the SSH
        public key attribute is included.
    :param base_dn: search base (unused here).
    :param scope: search scope (unused here).
    :param options: the command's options (unused here).
    """
    add_sshpubkey_to_attrs_pre(self.context, attrs_list)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
    """Validate and rewrite a host modification before it is written.

    Enforces the host invariants (no OTP on an enrolled host, ``cn`` and
    ``krbprincipalname`` immutable once set), normalises and verifies
    supplied certificates and revokes the ones being removed, generates a
    random password on request, adds the object classes that the supplied
    attributes require, and optionally refreshes the SSHFP DNS record.

    :param ldap: LDAP connection.
    :param dn: DN of the host entry (a ``DN`` object).
    :param entry_attrs: attributes to modify; rewritten in place.
    :param attrs_list: attributes to read back after the write.
    :param keys: the command's primary keys; ``keys[-1]`` is used as the
        host name (presumably the FQDN).
    :param options: the command's options.
    :return: the ``dn`` to modify.
    :raises errors.ValidationError: when a password would be set on an
        enrolled host.
    :raises errors.ACIError: when ``cn`` or an already-set
        ``krbprincipalname`` would be changed.
    """
    assert isinstance(dn, DN)
    # Allow an existing OTP to be reset but don't allow a OTP to be
    # added to an enrolled host.
    if options.get('userpassword') or options.get('random'):
        entry = {}
        self.obj.get_password_attributes(ldap, dn, entry)
        # A host with a keytab and no password is already enrolled; a new
        # password there is refused.
        if not entry['has_password'] and entry['has_keytab']:
            raise errors.ValidationError(
                name='password',
                error=_('Password cannot be set on enrolled host.'))
    # Once a principal name is set it cannot be changed
    if 'cn' in entry_attrs:
        raise errors.ACIError(info=_('cn is immutable'))
    if 'locality' in entry_attrs:
        entry_attrs['l'] = entry_attrs['locality']
    if 'krbprincipalname' in entry_attrs:
        # NOTE(review): unlike the certificate branch below, NotFound from
        # this lookup is not translated through handle_not_found.
        entry_attrs_old = ldap.get_entry(
            dn, ['objectclass', 'krbprincipalname']
        )
        if 'krbprincipalname' in entry_attrs_old:
            msg = 'Principal name already set, it is unchangeable.'
            raise errors.ACIError(info=msg)
        obj_classes = entry_attrs_old['objectclass']
        if 'krbprincipalaux' not in obj_classes:
            obj_classes.append('krbprincipalaux')
            entry_attrs['objectclass'] = obj_classes
    # verify certificates
    certs = entry_attrs.get('usercertificate') or []
    certs_der = [x509.normalize_certificate(c) for c in certs]
    for cert in certs_der:
        # Each new certificate must match this host before it is stored.
        x509.verify_cert_subject(ldap, keys[-1], cert)
    # revoke removed certificates
    # NOTE(review): this branch only runs when new certificates are
    # supplied (certs non-empty).  Clearing usercertificate entirely skips
    # it, so certificates dropped that way are not revoked here — confirm
    # whether another path covers that case.
    # NOTE(review): revocation happens in the pre-callback, i.e. before
    # the LDAP modify is committed; if the later write fails the
    # certificates stay revoked.
    if certs and self.api.Command.ca_is_enabled()['result']:
        try:
            entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
        except errors.NotFound:
            self.obj.handle_not_found(*keys)
        old_certs = entry_attrs_old.get('usercertificate', [])
        old_certs_der = [x509.normalize_certificate(c) for c in old_certs]
        removed_certs_der = set(old_certs_der) - set(certs_der)
        revoke_certs(removed_certs_der, self.log)
    if certs:
        entry_attrs['usercertificate'] = certs_der
    if options.get('random'):
        entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
        # The cleartext generated password is stashed on the request
        # context, presumably so the post callback can hand it back to the
        # caller; it lives only for this request.
        setattr(context, 'randompassword', entry_attrs['userpassword'])
    if 'macaddress' in entry_attrs:
        if 'objectclass' in entry_attrs:
            obj_classes = entry_attrs['objectclass']
        else:
            _entry_attrs = ldap.get_entry(dn, ['objectclass'])
            obj_classes = _entry_attrs['objectclass']
        if 'ieee802device' not in obj_classes:
            obj_classes.append('ieee802device')
            entry_attrs['objectclass'] = obj_classes
    if options.get('updatedns', False) and dns_container_exists(ldap):
        # Assumes the DNS zone is the host name minus its first label;
        # dnszone_show then yields the canonical zone name.
        parts = keys[-1].split('.')
        domain = unicode('.'.join(parts[1:]))
        try:
            result = api.Command['dnszone_show'](domain)['result']
            domain = result['idnsname'][0]
        except errors.NotFound:
            self.obj.handle_not_found(*keys)
        update_sshfp_record(domain, unicode(parts[0]), entry_attrs)
    if 'ipasshpubkey' in entry_attrs:
        if 'objectclass' in entry_attrs:
            obj_classes = entry_attrs['objectclass']
        else:
            _entry_attrs = ldap.get_entry(dn, ['objectclass'])
            # Bound into entry_attrs here so the append below is written.
            obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
        if 'ipasshhost' not in obj_classes:
            obj_classes.append('ipasshhost')
    update_krbticketflags(ldap, entry_attrs, attrs_list, options, True)
    if 'krbticketflags' in entry_attrs:
        if 'objectclass' not in entry_attrs:
            entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
            entry_attrs['objectclass'] = entry_attrs_old['objectclass']
        if 'krbticketpolicyaux' not in entry_attrs['objectclass']:
            entry_attrs['objectclass'].append('krbticketpolicyaux')
    add_sshpubkey_to_attrs_pre(self.context, attrs_list)
    return dn