    def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                            **options):
        """Run the validation steps shared by the add/mod commands of this object.

        The DN is sanity-checked, ssh public key attributes are requested
        through ``add_sshpubkey_to_attrs_pre``, then the name-length, mail,
        manager, password and object-class checks run in that fixed order
        before the certificate values are converted for storage.

        Args:
            ldap: LDAP connection handed to the checks that need one.
            dn: DN of the entry being written; must be a ``DN``.
            entry_attrs: attributes about to be written (validated, and
                updated in place by the certificate conversion).
            attrs_list: attributes the caller wants returned (updated in
                place).
            *keys: primary keys; not read here.
            **options: command options, forwarded to the name-length and
                password checks.

        Raises:
            Whatever the individual ``check_*`` helpers raise on invalid
            input (presumably ``errors.ValidationError``; not visible here).
        """
        assert isinstance(dn, DN)
        add_sshpubkey_to_attrs_pre(self.context, attrs_list)

        # Side-effecting validators; the order is significant because the
        # first one to fail decides which error the caller sees.
        validators = (
            lambda: self.check_namelength(ldap, **options),
            lambda: self.check_mail(entry_attrs),
            lambda: self.check_manager(entry_attrs, self.obj.active_container_dn),
            lambda: self.check_userpassword(entry_attrs, **options),
            lambda: self.check_objectclass(ldap, dn, entry_attrs),
        )
        for validate in validators:
            validate()

        self.obj.convert_usercertificate_pre(entry_attrs)
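    def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
        """Rewrite a host search before it is executed.

        ``locality`` is mapped to the LDAP attribute ``l`` both in the
        requested attribute list and in the filter string; the
        ``man_host`` / ``not_man_host`` options are turned into filter
        clauses built from the ``managedby`` values of the named hosts; and
        ssh public key attributes are requested via
        ``add_sshpubkey_to_attrs_pre``.

        Args:
            ldap: LDAP connection used to look up managing hosts and to
                build/combine filters.
            filter: search filter string assembled by the caller.
            attrs_list: attributes to request (modified in place).
            base_dn: search base; must be a ``DN``.
            scope: search scope, passed through unchanged.
            *args: not read here.
            **options: command options; only ``man_host`` and
                ``not_man_host`` are read.

        Returns:
            ``(filter, base_dn, scope)`` with the rewritten filter.

        Raises:
            errors.NotFound: presumably raised by ``self.obj.handle_not_found``
                when a host named in ``man_host``/``not_man_host`` does not
                exist — TODO confirm; if it merely returns, that host is
                skipped.
        """
        assert isinstance(base_dn, DN)

        if 'locality' in attrs_list:
            attrs_list.remove('locality')
            attrs_list.append('l')

        def managed_by(pkey):
            """Return the ``managedby`` values of host *pkey*, or None if it is missing."""
            try:
                host_entry = ldap.get_entry(self.obj.get_dn(pkey), ['managedby'])
            except errors.NotFound:
                self.obj.handle_not_found(pkey)
                # Only reached if handle_not_found() returns instead of raising;
                # skipping avoids reading a stale/unbound entry.
                return None
            return host_entry.get('managedby', [])

        if 'man_host' in options or 'not_man_host' in options:
            hosts = []
            if options.get('man_host') is not None:
                managed_sets = []
                for pkey in options['man_host']:
                    managed = managed_by(pkey)
                    if managed is not None:
                        managed_sets.append(set(managed))
                # Only hosts managed by *every* named host qualify.  Guard the
                # empty case: reducing over no sets would raise TypeError.
                hosts = list(set.intersection(*managed_sets)) if managed_sets else []

                if not hosts:
                    # There is no host managing _all_ hosts in --man-hosts:
                    # AND in a clause nothing matches so the search is empty.
                    filter = ldap.combine_filters(
                        (filter, '(objectclass=disabled)'), ldap.MATCH_ALL
                    )

            not_hosts = []
            if options.get('not_man_host') is not None:
                excluded = set()
                for pkey in options['not_man_host']:
                    managed = managed_by(pkey)
                    if managed is not None:
                        excluded.update(managed)
                not_hosts = list(excluded)

            # Each managedby value is a DN; its first AVA (attr=value) becomes
            # one equality filter.  Matching hosts are OR-ed in, excluded hosts
            # are NOT-ed out, and both are AND-ed onto the caller's filter.
            for target_hosts, filter_op in ((hosts, ldap.MATCH_ANY),
                                            (not_hosts, ldap.MATCH_NONE)):
                hosts_avas = [DN(host)[0][0] for host in target_hosts]
                hosts_filters = [ldap.make_filter_from_attr(ava.attr, ava.value)
                                 for ava in hosts_avas]
                hosts_filter = ldap.combine_filters(hosts_filters, filter_op)

                filter = ldap.combine_filters(
                    (filter, hosts_filter), ldap.MATCH_ALL
                )

        add_sshpubkey_to_attrs_pre(self.context, attrs_list)

        # Plain substring replacement over the whole filter: every literal
        # "locality" is rewritten, including occurrences inside attribute
        # values, not only the attribute name.
        return (filter.replace('locality', 'l'), base_dn, scope)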
    def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                            **options):
        """Run the validation steps shared by the add/mod commands of this object.

        After the DN sanity check and the ssh public key attribute request,
        the name-length, mail, manager, password and object-class checks
        run in that fixed order; certificates are then converted for storage
        and the Kerberos principal name is preserved.

        Args:
            ldap: LDAP connection handed to the checks that need one.
            dn: DN of the entry being written; must be a ``DN``.
            entry_attrs: attributes about to be written (validated, and
                updated in place by the later conversion steps).
            attrs_list: attributes the caller wants returned (updated in
                place).
            *keys: primary keys, forwarded to ``preserve_krbprincipalname_pre``.
            **options: command options, forwarded to the name-length and
                password checks and to ``preserve_krbprincipalname_pre``.

        Raises:
            Whatever the individual ``check_*`` helpers raise on invalid
            input (presumably ``errors.ValidationError``; not visible here).
        """
        assert isinstance(dn, DN)
        add_sshpubkey_to_attrs_pre(self.context, attrs_list)

        # Side-effecting validators; the order is significant because the
        # first one to fail decides which error the caller sees.
        validators = (
            lambda: self.check_namelength(ldap, **options),
            lambda: self.check_mail(entry_attrs),
            lambda: self.check_manager(entry_attrs, self.obj.active_container_dn),
            lambda: self.check_userpassword(entry_attrs, **options),
            lambda: self.check_objectclass(ldap, dn, entry_attrs),
        )
        for validate in validators:
            validate()

        self.obj.convert_usercertificate_pre(entry_attrs)
        self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys, **options)
 def pre_common_callback(self, ldap, dn, attrs_list, *keys, **options):
     """Shared pre-hook: sanity-check the DN and request ssh public key attributes.

     Args:
         ldap: LDAP connection; not read here.
         dn: DN of the entry; must be a ``DN``.
         attrs_list: attributes the caller wants returned, extended in place
             by ``add_sshpubkey_to_attrs_pre``.
         *keys: primary keys; not read here.
         **options: command options; not read here.
     """
     assert isinstance(dn, DN)
     add_sshpubkey_to_attrs_pre(self.context, attrs_list)
 def pre_common_callback(self, ldap, filters, attrs_list, base_dn, scope,
                         *args, **options):
     """Shared search pre-hook: request ssh public key attributes.

     Only ``attrs_list`` is touched (in place, via
     ``add_sshpubkey_to_attrs_pre``); the filters, base DN and scope are
     neither validated nor returned here.

     Args:
         ldap: LDAP connection; not read here.
         filters: search filters; not read here.
         attrs_list: attributes to request (extended in place).
         base_dn: search base; not read here.
         scope: search scope; not read here.
         *args: not read here.
         **options: command options; not read here.
     """
     add_sshpubkey_to_attrs_pre(self.context, attrs_list)
    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        """Validate and normalise a host modification before it is written.

        Enforces the immutability of ``cn`` and of an already-set
        ``krbprincipalname``, verifies and normalises ``usercertificate``
        values (revoking the certificates this modification removes), adds
        the auxiliary object classes needed by ``macaddress``,
        ``ipasshpubkey`` and ``krbticketflags``, and on request generates a
        random password and refreshes the host's SSHFP DNS records.

        Args:
            ldap: LDAP connection used to read the entry's current state.
            dn: DN of the host entry; must be a ``DN``.
            entry_attrs: attributes to modify (updated in place).
            attrs_list: attributes the caller wants returned (updated in
                place).
            *keys: primary keys; ``keys[-1]`` is treated as the host's
                dotted name (split into host label and zone below).
            **options: command options; ``userpassword``, ``random`` and
                ``updatedns`` are read here.

        Returns:
            The unchanged ``dn``.

        Raises:
            errors.ValidationError: a password is requested for a host that
                already has a keytab but no password.
            errors.ACIError: ``cn`` is being modified, or ``krbprincipalname``
                is already set on the entry.
            errors.NotFound: presumably via ``self.obj.handle_not_found``
                when the host or its DNS zone does not exist — TODO confirm.
        """
        assert isinstance(dn, DN)
        # Allow an existing OTP to be reset but don't allow a OTP to be
        # added to an enrolled host.  get_password_attributes() fills
        # entry['has_password'] / entry['has_keytab'] for the decision.
        if options.get('userpassword') or options.get('random'):
            entry = {}
            self.obj.get_password_attributes(ldap, dn, entry)
            if not entry['has_password'] and entry['has_keytab']:
                raise errors.ValidationError(
                    name='password',
                    error=_('Password cannot be set on enrolled host.'))

        # cn is immutable on a host entry.  (The "principal name cannot be
        # changed once set" rule is enforced in the krbprincipalname branch.)
        if 'cn' in entry_attrs:
            raise errors.ACIError(info=_('cn is immutable'))
        # Mirror the user-facing 'locality' into the LDAP attribute 'l'.
        if 'locality' in entry_attrs:
            entry_attrs['l'] = entry_attrs['locality']
        # A principal name may only be set once; setting it here also
        # requires the krbprincipalaux object class on the entry.
        # NOTE(review): this get_entry() has no NotFound handling, unlike the
        # certificate branch below.
        if 'krbprincipalname' in entry_attrs:
            entry_attrs_old = ldap.get_entry(
                dn, ['objectclass', 'krbprincipalname']
            )
            if 'krbprincipalname' in entry_attrs_old:
                msg = 'Principal name already set, it is unchangeable.'
                raise errors.ACIError(info=msg)
            obj_classes = entry_attrs_old['objectclass']
            if 'krbprincipalaux' not in obj_classes:
                obj_classes.append('krbprincipalaux')
                entry_attrs['objectclass'] = obj_classes

        # verify certificates: normalise each supplied certificate and check
        # its subject against keys[-1] (presumably the host name — confirm
        # in x509.verify_cert_subject).
        certs = entry_attrs.get('usercertificate') or []
        certs_der = [x509.normalize_certificate(c) for c in certs]
        for cert in certs_der:
            x509.verify_cert_subject(ldap, keys[-1], cert)

        # revoke removed certificates: any certificate on the stored entry
        # that is absent from the new value is revoked, but only when a CA
        # is enabled.
        if certs and self.api.Command.ca_is_enabled()['result']:
            try:
                entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
            except errors.NotFound:
                # NOTE(review): relies on handle_not_found() raising; if it
                # returned, entry_attrs_old would be unbound (or stale from
                # the krbprincipalname branch) on the next line.
                self.obj.handle_not_found(*keys)
            old_certs = entry_attrs_old.get('usercertificate', [])
            old_certs_der = [x509.normalize_certificate(c) for c in old_certs]
            removed_certs_der = set(old_certs_der) - set(certs_der)
            revoke_certs(removed_certs_der, self.log)

        # Store the normalised (DER) form, not the caller's input.
        if certs:
            entry_attrs['usercertificate'] = certs_der

        # Generate the password and stash it on the request context so it
        # can be reported back later (presumably by the post-callback).
        if options.get('random'):
            entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
            setattr(context, 'randompassword', entry_attrs['userpassword'])

        # macaddress requires the ieee802device object class; the entry's
        # object classes are read from LDAP unless the caller supplied them.
        if 'macaddress' in entry_attrs:
            if 'objectclass' in entry_attrs:
                obj_classes = entry_attrs['objectclass']
            else:
                _entry_attrs = ldap.get_entry(dn, ['objectclass'])
                obj_classes = _entry_attrs['objectclass']
            if 'ieee802device' not in obj_classes:
                obj_classes.append('ieee802device')
                entry_attrs['objectclass'] = obj_classes

        # Refresh the host's SSHFP records: keys[-1] is split into the host
        # label and the zone, and the zone name is canonicalised through
        # dnszone_show before the update.
        if options.get('updatedns', False) and dns_container_exists(ldap):
            parts = keys[-1].split('.')
            domain = unicode('.'.join(parts[1:]))
            try:
                result = api.Command['dnszone_show'](domain)['result']
                domain = result['idnsname'][0]
            except errors.NotFound:
                self.obj.handle_not_found(*keys)
            update_sshfp_record(domain, unicode(parts[0]), entry_attrs)

        # ipasshpubkey requires the ipasshhost object class.  Unlike the
        # macaddress branch, a fetched objectclass list is always written
        # back to entry_attrs, even when ipasshhost is already present.
        if 'ipasshpubkey' in entry_attrs:
            if 'objectclass' in entry_attrs:
                obj_classes = entry_attrs['objectclass']
            else:
                _entry_attrs = ldap.get_entry(dn, ['objectclass'])
                obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
            if 'ipasshhost' not in obj_classes:
                obj_classes.append('ipasshhost')

        # The trailing True flag's meaning is not visible here — see
        # update_krbticketflags.
        update_krbticketflags(ldap, entry_attrs, attrs_list, options, True)

        # krbticketflags requires the krbticketpolicyaux object class; as in
        # the ipasshpubkey branch, a fetched list is always written back.
        if 'krbticketflags' in entry_attrs:
            if 'objectclass' not in entry_attrs:
                entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
                entry_attrs['objectclass'] = entry_attrs_old['objectclass']
            if 'krbticketpolicyaux' not in entry_attrs['objectclass']:
                entry_attrs['objectclass'].append('krbticketpolicyaux')

        add_sshpubkey_to_attrs_pre(self.context, attrs_list)

        return dn