def accountpolicy_del_config(inst, basedn, log, args):
log = log.getChild('accountpolicy_del_config')
targetdn = args.DN
if not ldap.dn.is_dn(targetdn):
raise ValueError("Specified DN is not a valid DN")
config = AccountPolicyConfig(inst, targetdn)
config.delete()
log.info("Successfully deleted the %s", targetdn)
def accountpolicy_show_config(inst, basedn, log, args):
log = log.getChild('accountpolicy_show_config')
targetdn = args.DN
if not ldap.dn.is_dn(targetdn):
raise ValueError("Specified DN is not a valid DN")
config = AccountPolicyConfig(inst, targetdn)
if not config.exists():
raise ldap.NO_SUCH_OBJECT("Entry %s doesn't exists" % targetdn)
if args and args.json:
o_str = config.get_all_attrs_json()
log.info(o_str)
else:
log.info(config.display())
def accountpolicy_edit_config(inst, basedn, log, args):
log = log.getChild('accountpolicy_edit_config')
targetdn = args.DN
if not ldap.dn.is_dn(targetdn):
raise ValueError("Specified DN is not a valid DN")
config = AccountPolicyConfig(inst, targetdn)
generic_object_edit(config, log, args, arg_to_attr_config)
def accpol_local(topology_st, accpol_global, request):
"""Configure Local account policy plugin for ou=people subtree and restart the server"""
log.info('Adding Local account policy plugin configuration entries')
try:
topology_st.standalone.config.set('passwordmaxage', '400')
accp = AccountPolicyConfig(topology_st.standalone, dn=ACCP_CONF)
accp.remove_all('accountInactivityLimit')
locl_conf = AccountPolicyConfig(topology_st.standalone, dn=LOCL_CONF)
locl_conf.create(properties={
'cn': 'AccountPolicy1',
'accountInactivityLimit': '10'
})
cos_template = CosTemplate(topology_st.standalone, dn=TEMPL_COS)
cos_template.create(properties={
'cn': 'TempltCoS',
'acctPolicySubentry': LOCL_CONF
})
cos_def = CosPointerDefinition(topology_st.standalone, dn=DEFIN_COS)
cos_def.create(
properties={
'cn': 'DefnCoS',
'cosTemplateDn': TEMPL_COS,
'cosAttribute':
'acctPolicySubentry default operational-default'
})
except ldap.LDAPError as e:
log.error('Failed to configure Local account policy plugin')
log.error('Failed to add entry {}, {}, {}:'.format(
LOCL_CONF, TEMPL_COS, DEFIN_COS))
raise e
topology_st.standalone.restart(timeout=10)
def fin():
log.info(
'Disabling Local accpolicy plugin and removing pwpolicy attrs')
try:
topology_st.standalone.plugins.disable(name=PLUGIN_ACCT_POLICY)
for entry_dn in [LOCL_CONF, TEMPL_COS, DEFIN_COS]:
entry = UserAccount(topology_st.standalone, dn=entry_dn)
entry.delete()
except ldap.LDAPError as e:
log.error('Failed to disable Local accpolicy plugin, {}'.format(
e.message['desc']))
assert False
topology_st.standalone.restart(timeout=10)
request.addfinalizer(fin)
def status(self):
"""Check if account is locked by Account Policy plugin or
nsAccountLock (directly or indirectly)
:returns: a dict in a format -
{"status": status, "params": activity_data, "calc_time": epoch_time}
"""
inst = self._instance
# Fetch Account Policy data if its enabled
plugin = AccountPolicyPlugin(inst)
state_attr = ""
alt_state_attr = ""
limit = ""
spec_attr = ""
limit_attr = ""
process_account_policy = False
try:
process_account_policy = plugin.status()
except IndexError:
self._log.debug(
"The bound user doesn't have rights to access Account Policy settings. Not checking."
)
if process_account_policy:
config_dn = plugin.get_attr_val_utf8("nsslapd-pluginarg0")
config = AccountPolicyConfig(inst, config_dn)
config_settings = config.get_attrs_vals_utf8([
"stateattrname", "altstateattrname", "specattrname",
"limitattrname"
])
state_attr = self._dict_get_with_ignore_indexerror(
config_settings, "stateattrname")
alt_state_attr = self._dict_get_with_ignore_indexerror(
config_settings, "altstateattrname")
spec_attr = self._dict_get_with_ignore_indexerror(
config_settings, "specattrname")
limit_attr = self._dict_get_with_ignore_indexerror(
config_settings, "limitattrname")
mapping_trees = MappingTrees(inst)
root_suffix = mapping_trees.get_root_suffix_by_entry(self.dn)
cos_entries = CosTemplates(inst, root_suffix)
accpol_entry_dn = ""
for cos in cos_entries.list():
if cos.present(spec_attr):
accpol_entry_dn = cos.get_attr_val_utf8_l(spec_attr)
if accpol_entry_dn:
accpol_entry = AccountPolicyEntry(inst, accpol_entry_dn)
else:
accpol_entry = config
limit = accpol_entry.get_attr_val_utf8_l(limit_attr)
# Fetch account data
account_data = self.get_attrs_vals_utf8([
"createTimestamp", "modifyTimeStamp", "nsAccountLock", state_attr
])
last_login_time = self._dict_get_with_ignore_indexerror(
account_data, state_attr)
if not last_login_time:
last_login_time = self._dict_get_with_ignore_indexerror(
account_data, alt_state_attr)
create_time = self._dict_get_with_ignore_indexerror(
account_data, "createTimestamp")
modify_time = self._dict_get_with_ignore_indexerror(
account_data, "modifyTimeStamp")
acct_roles = self.get_attr_vals_utf8_l("nsRole")
mapping_trees = MappingTrees(inst)
root_suffix = ""
try:
root_suffix = mapping_trees.get_root_suffix_by_entry(self.dn)
except ldap.NO_SUCH_OBJECT:
self._log.debug(
"The bound user doesn't have rights to access disabled roles settings. Not checking."
)
if root_suffix:
roles = Roles(inst, root_suffix)
try:
disabled_roles = roles.get_disabled_roles()
# Locked indirectly through a role
locked_indirectly_role_dn = ""
for role in acct_roles:
if str.lower(role) in [
str.lower(role.dn)
for role in disabled_roles.keys()
]:
locked_indirectly_role_dn = role
if locked_indirectly_role_dn:
return self._format_status_message(
AccountState.INDIRECTLY_LOCKED, create_time,
modify_time, last_login_time, limit,
locked_indirectly_role_dn)
except ldap.NO_SUCH_OBJECT:
pass
# Locked directly
if self._dict_get_with_ignore_indexerror(account_data,
"nsAccountLock") == "true":
return self._format_status_message(AccountState.DIRECTLY_LOCKED,
create_time, modify_time,
last_login_time, limit)
# Locked indirectly through Account Policy plugin
if process_account_policy and last_login_time:
# Now check the Account Policy Plugin inactivity limits
remaining_time = float(limit) - (time.mktime(
time.gmtime()) - gentime_to_posix_time(last_login_time))
if remaining_time <= 0:
return self._format_status_message(
AccountState.INACTIVITY_LIMIT_EXCEEDED, create_time,
modify_time, last_login_time, limit)
# All checks are passed - we are active
return self._format_status_message(AccountState.ACTIVATED, create_time,
modify_time, last_login_time, limit)
def accpol_global(topology_st, request):
"""Configure Global account policy plugin and restart the server"""
log.info(
'Configuring Global account policy plugin, pwpolicy attributes and restarting the server'
)
plugin = AccountPolicyPlugin(topology_st.standalone)
try:
if DEBUGGING:
topology_st.standalone.config.set(
'nsslapd-auditlog-logging-enabled', 'on')
plugin.enable()
plugin.set('nsslapd-pluginarg0', ACCP_CONF)
accp = AccountPolicyConfig(topology_st.standalone, dn=ACCP_CONF)
accp.set('alwaysrecordlogin', 'yes')
accp.set('stateattrname', 'lastLoginTime')
accp.set('altstateattrname', 'createTimestamp')
accp.set('specattrname', 'acctPolicySubentry')
accp.set('limitattrname', 'accountInactivityLimit')
accp.set('accountInactivityLimit', '12')
topology_st.standalone.config.set('passwordexp', 'on')
topology_st.standalone.config.set('passwordmaxage', '400')
topology_st.standalone.config.set('passwordwarning', '1')
topology_st.standalone.config.set('passwordlockout', 'on')
topology_st.standalone.config.set('passwordlockoutduration', '5')
topology_st.standalone.config.set('passwordmaxfailure', '3')
topology_st.standalone.config.set('passwordunlock', 'on')
except ldap.LDAPError as e:
log.error(
'Failed to enable Global Account Policy Plugin and Password policy attributes'
)
raise e
topology_st.standalone.restart(timeout=10)
def fin():
log.info(
'Disabling Global accpolicy plugin and removing pwpolicy attrs')
try:
plugin = AccountPolicyPlugin(topology_st.standalone)
plugin.disable()
topology_st.standalone.config.set('passwordexp', 'off')
topology_st.standalone.config.set('passwordlockout', 'off')
except ldap.LDAPError as e:
log.error('Failed to disable Global accpolicy plugin, {}'.format(
e.message['desc']))
assert False
topology_st.standalone.restart(timeout=10)
request.addfinalizer(fin)