    def _build_new_entry(self, ldap, dn, entry_from, entry_to):
        """Write into *entry_to* the defaults that *entry_from* does not carry.

        Reads the IPA config entry through ``ldap.get_ipa_config()`` and, for
        every attribute absent from ``entry_from``, stores a default in
        ``entry_to``: ``uidnumber``/``gidnumber`` get ``baseldap.DNA_MAGIC``,
        ``homedirectory`` is joined from ``ipahomesrootdir`` and the first RDN
        value of ``dn``, ``loginshell`` comes from ``ipadefaultloginshell``,
        ``givenname`` is the first word of ``cn`` and ``krbprincipalname`` is
        ``uid`` at the API realm.  ``set_krbcanonicalname`` runs on
        ``entry_to`` last.

        :param ldap: LDAP backend providing ``get_ipa_config()``
        :param dn: DN whose first RDN value is taken as the user name
        :param entry_from: entry consulted for attributes already present
        :param entry_to: entry receiving the defaults (mutated in place)
        :raises errors.ValidationError: the user name is longer than the
            configured ``ipamaxusernamelength``
        """
        config = ldap.get_ipa_config()
        username = dn[0].value

        # DNA_MAGIC flags the id attributes for server-side allocation
        # (presumably by the DNA plugin -- confirm in baseldap).
        for id_attr in ('uidnumber', 'gidnumber'):
            if id_attr not in entry_from:
                entry_to[id_attr] = baseldap.DNA_MAGIC

        if 'homedirectory' not in entry_from:
            homes_root = config.get('ipahomesrootdir', [paths.HOME_DIR])[0]
            # NOTE(review): the RDN value is joined verbatim; posixpath.join
            # drops homes_root when the second component is absolute, so this
            # relies on the uid being validated elsewhere -- confirm.
            entry_to['homedirectory'] = posixpath.join(homes_root, username)

        if 'ipamaxusernamelength' in config:
            max_len = int(config.get('ipamaxusernamelength')[0])
            if len(username) > max_len:
                raise errors.ValidationError(
                    name=self.obj.primary_key.cli_name,
                    error=_('can be at most %(len)d characters') % {'len': max_len})

        if 'loginshell' not in entry_from:
            default_shell = config.get(
                'ipadefaultloginshell', [platformconstants.DEFAULT_SHELL])[0]
            # An empty configured shell leaves loginshell untouched.
            if default_shell:
                entry_to.setdefault('loginshell', default_shell)

        if 'givenname' not in entry_from:
            entry_to['givenname'] = entry_from['cn'][0].split()[0]

        if 'krbprincipalname' not in entry_from:
            entry_to['krbprincipalname'] = '%s@%s' % (entry_from['uid'][0],
                                                      api.env.realm)

        set_krbcanonicalname(entry_to)
    def _build_new_entry(self, ldap, dn, entry_from, entry_to):
        """Write into *entry_to* the defaults that *entry_from* does not carry.

        Reads the IPA config entry through ``ldap.get_ipa_config()`` and, for
        every attribute absent from ``entry_from``, stores a default in
        ``entry_to``: ``uidnumber``/``gidnumber`` get ``baseldap.DNA_MAGIC``,
        ``homedirectory`` is joined from ``ipahomesrootdir`` and the first RDN
        value of ``dn``, ``loginshell`` comes from ``ipadefaultloginshell``
        (falling back to ``paths.SH``), ``givenname`` is the first word of
        ``cn`` and ``krbprincipalname`` is ``uid`` at the API realm.
        ``set_krbcanonicalname`` runs on ``entry_to`` last.

        :param ldap: LDAP backend providing ``get_ipa_config()``
        :param dn: DN whose first RDN value is taken as the user name
        :param entry_from: entry consulted for attributes already present
        :param entry_to: entry receiving the defaults (mutated in place)
        :raises errors.ValidationError: the user name is longer than the
            configured ``ipamaxusernamelength``
        """
        config = ldap.get_ipa_config()
        username = dn[0].value

        # DNA_MAGIC flags the id attributes for server-side allocation
        # (presumably by the DNA plugin -- confirm in baseldap).
        for id_attr in ('uidnumber', 'gidnumber'):
            if id_attr not in entry_from:
                entry_to[id_attr] = baseldap.DNA_MAGIC

        if 'homedirectory' not in entry_from:
            homes_root = config.get('ipahomesrootdir', [paths.HOME_DIR])[0]
            # NOTE(review): the RDN value is joined verbatim; posixpath.join
            # drops homes_root when the second component is absolute, so this
            # relies on the uid being validated elsewhere -- confirm.
            entry_to['homedirectory'] = posixpath.join(homes_root, username)

        if 'ipamaxusernamelength' in config:
            max_len = int(config.get('ipamaxusernamelength')[0])
            if len(username) > max_len:
                raise errors.ValidationError(
                    name=self.obj.primary_key.cli_name,
                    error=_('can be at most %(len)d characters') % {'len': max_len})

        if 'loginshell' not in entry_from:
            default_shell = config.get('ipadefaultloginshell', [paths.SH])[0]
            # An empty configured shell leaves loginshell untouched.
            if default_shell:
                entry_to.setdefault('loginshell', default_shell)

        if 'givenname' not in entry_from:
            entry_to['givenname'] = entry_from['cn'][0].split()[0]

        if 'krbprincipalname' not in entry_from:
            entry_to['krbprincipalname'] = '%s@%s' % (entry_from['uid'][0],
                                                      api.env.realm)

        set_krbcanonicalname(entry_to)
 def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                         **options):
     """Pre-callback steps shared by the commands that use this mixin.

     Sets ``krbcanonicalname`` on *entry_attrs*, runs
     ``self.obj.convert_usercertificate_pre`` on it and, when
     ``ipatokenradiususername`` is set to a truthy value, makes sure the
     ``ipatokenradiusproxyuser`` objectclass is present (called with
     ``update=False``).

     :param ldap: LDAP backend handed to ``add_missing_object_class``
     :param dn: DN of the entry; must be a ``DN`` instance
     :param entry_attrs: entry attributes, mutated in place
     :param attrs_list: unused here
     :param keys: unused here
     :param options: unused here
     """
     assert isinstance(dn, DN)
     set_krbcanonicalname(entry_attrs)
     self.obj.convert_usercertificate_pre(entry_attrs)
     radius_user = entry_attrs.get('ipatokenradiususername')
     if radius_user:
         add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
                                  entry_attrs, update=False)
 def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                         **options):
     """Pre-callback steps shared by the commands that use this mixin.

     Sets ``krbcanonicalname`` on *entry_attrs*, runs
     ``self.obj.convert_usercertificate_pre`` on it and, when
     ``ipatokenradiususername`` is set to a truthy value, makes sure the
     ``ipatokenradiusproxyuser`` objectclass is present (called with
     ``update=False``).

     :param ldap: LDAP backend handed to ``add_missing_object_class``
     :param dn: DN of the entry; must be a ``DN`` instance
     :param entry_attrs: entry attributes, mutated in place
     :param attrs_list: unused here
     :param keys: unused here
     :param options: unused here
     """
     assert isinstance(dn, DN)
     set_krbcanonicalname(entry_attrs)
     self.obj.convert_usercertificate_pre(entry_attrs)
     needs_radius_class = bool(entry_attrs.get('ipatokenradiususername'))
     if needs_radius_class:
         add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
                                  entry_attrs, update=False)
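    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                     **options):
        """Validate and complete a service entry before it is added.

        ``keys[-1]`` is the service principal being created.  Its host must
        exist (looked up with ``host_show``) and, unless ``force`` is set,
        must also resolve in DNS.  The callback normalizes ``usercertificate``
        through ``x509.normalize_certificate``, defaults ``managedby`` to the
        host's DN, records ``ipakrbprincipalalias`` together with the
        ``ipakrbprincipal`` objectclass, sets ``krbcanonicalname`` and applies
        the ticket-flag options.

        :param ldap: LDAP backend passed to ``update_krbticketflags``
        :param dn: DN of the new entry; must be a ``DN`` instance
        :param entry_attrs: attributes of the new entry, mutated in place
        :param attrs_list: passed through to ``update_krbticketflags``
        :param keys: primary keys; the last one is the principal
        :param options: command options (``force``, ``usercertificate``, ...)
        :returns: ``dn`` unchanged
        :raises errors.HostService: the principal is a host principal and
            ``force`` is not set
        :raises errors.NotFound: the principal's host does not exist
        """
        assert isinstance(dn, DN)
        principal = keys[-1]
        hostname = principal.hostname
        # Read 'force' once with a default so a missing option counts as
        # False in both checks below instead of raising KeyError in the first.
        force = options.get('force', False)

        if principal.is_host and not force:
            raise errors.HostService()

        try:
            hostresult = self.api.Command['host_show'](hostname)['result']
        except errors.NotFound:
            raise errors.NotFound(
                reason=_("The host '%s' does not exist to add a service to.") %
                hostname)

        self.obj.validate_ipakrbauthzdata(entry_attrs)

        # Every supplied certificate is normalized before it is stored.
        certs = options.get('usercertificate', [])
        entry_attrs['usercertificate'] = [
            x509.normalize_certificate(c) for c in certs]

        if not force:
            # We know the host exists if we've gotten this far but we
            # really want to discourage creating services for hosts that
            # don't exist in DNS.  'force' deliberately skips this check.
            util.verify_host_resolvable(hostname)
        if 'managedby' not in entry_attrs:
            entry_attrs['managedby'] = hostresult['dn']

        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
        # schema
        entry_attrs['ipakrbprincipalalias'] = principal

        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
        # a list of default objectclasses, add it manually
        entry_attrs['objectclass'].append('ipakrbprincipal')

        # set krbcanonicalname attribute to enable principal canonicalization
        util.set_krbcanonicalname(entry_attrs)

        update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)

        return dn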
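    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        """Validate and complete a service entry before it is added.

        ``keys[-1]`` is the service principal being created.  Its host must
        exist (looked up with ``host_show``) and, unless ``force`` is set,
        must also resolve in DNS.  The callback normalizes ``usercertificate``
        through ``x509.normalize_certificate``, defaults ``managedby`` to the
        host's DN, records ``ipakrbprincipalalias`` together with the
        ``ipakrbprincipal`` objectclass, sets ``krbcanonicalname`` and applies
        the ticket-flag options.

        :param ldap: LDAP backend passed to ``update_krbticketflags``
        :param dn: DN of the new entry; must be a ``DN`` instance
        :param entry_attrs: attributes of the new entry, mutated in place
        :param attrs_list: passed through to ``update_krbticketflags``
        :param keys: primary keys; the last one is the principal
        :param options: command options (``force``, ``usercertificate``, ...)
        :returns: ``dn`` unchanged
        :raises errors.HostService: the principal is a host principal and
            ``force`` is not set
        :raises errors.NotFound: the principal's host does not exist
        """
        assert isinstance(dn, DN)
        principal = keys[-1]
        hostname = principal.hostname
        # Read 'force' once with a default so a missing option counts as
        # False in both checks below instead of raising KeyError in the first.
        force = options.get('force', False)

        if principal.is_host and not force:
            raise errors.HostService()

        try:
            hostresult = self.api.Command['host_show'](hostname)['result']
        except errors.NotFound:
            raise errors.NotFound(
                reason=_("The host '%s' does not exist to add a service to.") %
                hostname)

        self.obj.validate_ipakrbauthzdata(entry_attrs)

        # Every supplied certificate is normalized before it is stored.
        certs = options.get('usercertificate', [])
        entry_attrs['usercertificate'] = [
            x509.normalize_certificate(c) for c in certs]

        if not force:
            # We know the host exists if we've gotten this far but we
            # really want to discourage creating services for hosts that
            # don't exist in DNS.  'force' deliberately skips this check.
            util.verify_host_resolvable(hostname)
        if 'managedby' not in entry_attrs:
            entry_attrs['managedby'] = hostresult['dn']

        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
        # schema
        entry_attrs['ipakrbprincipalalias'] = principal

        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
        # a list of default objectclasses, add it manually
        entry_attrs['objectclass'].append('ipakrbprincipal')

        # set krbcanonicalname attribute to enable principal canonicalization
        util.set_krbcanonicalname(entry_attrs)

        update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)

        return dn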
 def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                         **options):
     """Pre-callback steps shared by the commands that use this mixin.

     Sets ``krbcanonicalname`` on *entry_attrs* and then runs
     ``self.obj.convert_usercertificate_pre`` on it.

     :param ldap: unused here
     :param dn: DN of the entry; must be a ``DN`` instance
     :param entry_attrs: entry attributes, mutated in place
     :param attrs_list: unused here
     :param keys: unused here
     :param options: unused here
     """
     assert isinstance(dn, DN)
     obj = self.obj
     set_krbcanonicalname(entry_attrs)
     obj.convert_usercertificate_pre(entry_attrs)
 def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                         **options):
     """Pre-callback steps shared by the commands that use this mixin.

     Sets ``krbcanonicalname`` on *entry_attrs*, hands the command options
     together with the API's ``fips_mode`` to ``check_fips_auth_opts``
     (presumably rejecting authentication options not allowed under FIPS
     -- confirm in that helper), and then runs
     ``self.obj.convert_usercertificate_pre`` on the entry.

     :param ldap: unused here
     :param dn: DN of the entry; must be a ``DN`` instance
     :param entry_attrs: entry attributes, mutated in place
     :param attrs_list: unused here
     :param keys: unused here
     :param options: command options forwarded to ``check_fips_auth_opts``
     """
     assert isinstance(dn, DN)
     fips_mode = self.api.env.fips_mode
     set_krbcanonicalname(entry_attrs)
     # FIPS check runs before any certificate conversion touches the entry.
     check_fips_auth_opts(fips_mode=fips_mode, **options)
     self.obj.convert_usercertificate_pre(entry_attrs)