class hbactest(Command):
    # API declaration for the ``hbactest`` command: parameters and output
    # schema only.  No ``execute`` logic is defined in this declaration; the
    # translated summary assigned to ``__doc__`` is the command description.
    __doc__ = _("Simulate use of Host-based access controls")

    takes_options = (
        # The access request being simulated: who, from where, to where,
        # for which service.
        parameters.Str(
            'user',
            label=_(u'User name'),
        ),
        parameters.Str(
            'sourcehost',
            required=False,
            cli_name='srchost',
            label=_(u'Source host'),
        ),
        parameters.Str(
            'targethost',
            cli_name='host',
            label=_(u'Target host'),
        ),
        parameters.Str(
            'service',
            label=_(u'Service'),
        ),
        # Which rules take part in the simulation.
        parameters.Str(
            'rules',
            required=False,
            multivalue=True,
            label=_(u'Rules to test. If not specified, --enabled is assumed'),
        ),
        parameters.Flag(
            'nodetail',
            required=False,
            label=_(
                u'Hide details which rules are matched, not matched, or invalid'
            ),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'enabled',
            required=False,
            label=_(u'Include all enabled IPA rules into test [default]'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'disabled',
            required=False,
            label=_(u'Include all disabled IPA rules into test'),
            default=False,
            autofill=True,
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of rules to process when no --rules is specified'),
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        # Per-rule breakdown of the simulation; each may be absent (None).
        output.Output(
            'warning',
            (list, tuple, type(None)),
            doc=_(u'Warning'),
        ),
        output.Output(
            'matched',
            (list, tuple, type(None)),
            doc=_(u'Matched rules'),
        ),
        output.Output(
            'notmatched',
            (list, tuple, type(None)),
            doc=_(u'Not matched rules'),
        ),
        output.Output(
            'error',
            (list, tuple, type(None)),
            doc=_(u'Non-existent or invalid rules'),
        ),
        # Overall access decision of the simulation.
        output.Output(
            'value',
            bool,
            doc=_(u'Result of simulation'),
        ),
    )
class trustconfig_mod(Method):
    # API declaration for ``trustconfig-mod``: options and output schema
    # only; no execution logic is defined here.
    __doc__ = _("Modify global trust configuration.")

    takes_options = (
        parameters.Str(
            'ipantfallbackprimarygroup',
            required=False,
            cli_name='fallback_primary_group',
            label=_(u'Fallback primary group'),
        ),
        # Generic raw attribute editing (setattr/addattr/delattr); these are
        # excluded from the web UI and only offered on the CLI/API.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'delattr',
            required=False,
            multivalue=True,
            doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
            exclude=('webui',),
        ),
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        # Only 'ad' is offered as a trust type (see cli_metavar/default).
        parameters.Str(
            'trust_type',
            cli_name='type',
            cli_metavar="['ad']",
            label=_(u'Trust type (ad for Active Directory, default)'),
            default=u'ad',
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry('result', ),
        output.Output(
            'value',
            unicode,
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class group_add(Method):
    # API declaration for ``group-add``: positional argument, options and
    # output schema only; no execution logic is defined here.
    __doc__ = _("Create a new group.")

    takes_args = (
        parameters.Str(
            'cn',
            cli_name='group_name',
            label=_(u'Group name'),
            no_convert=True,
        ),
    )
    takes_options = (
        parameters.Str(
            'description',
            required=False,
            cli_name='desc',
            label=_(u'Description'),
            doc=_(u'Group description'),
        ),
        parameters.Int(
            'gidnumber',
            required=False,
            cli_name='gid',
            label=_(u'GID'),
            doc=_(u'GID (use this option to set it manually)'),
        ),
        # Raw attribute editing; excluded from the web UI.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        parameters.Flag(
            'nonposix',
            doc=_(u'Create as a non-POSIX group'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'external',
            doc=_(u'Allow adding external non-IPA members from trusted domains'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        # Internal option: hidden from both the web UI and the CLI.
        parameters.Flag(
            'no_members',
            doc=_(u'Suppress processing of membership attributes.'),
            exclude=('webui', 'cli'),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry('result', ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class migrate_ds(Command):
    # Migrates users and groups from a remote Directory Server (DS) into IPA.
    # The class declares the source-server connection parameters (URI, bind
    # DN and password, containers, object classes, CA certificate) and
    # implements the per-object migration loop in migrate().
    #
    # NOTE(review): this excerpt ends inside migrate() with no return
    # statement visible; any further methods of the class are not shown here.
    # The method bodies use ``except X, e`` (Python 2-only syntax), kept
    # byte-identical in this documentation pass.
    __doc__ = _('Migrate users and groups from DS to IPA.')

    migrate_objects = {
        # OBJECT_NAME: (search_filter, pre_callback, post_callback)
        #
        # OBJECT_NAME   - is the name of an LDAPObject subclass
        # search_filter - is the filter to retrieve objects from DS
        # pre_callback  - is called for each object just after it was
        #                 retrieved from DS and before being added to IPA
        # post_callback - is called for each object after it was added to IPA
        # exc_callback  - is called when adding entry to IPA raises an exception
        #
        # {pre, post}_callback parameters:
        #  ldap - ldap2 instance connected to IPA
        #  pkey - primary key value of the object (uid for users, etc.)
        #  dn - dn of the object as it (will be/is) stored in IPA
        #  entry_attrs - attributes of the object
        #  failed - a list of so-far failed objects
        #  config - IPA config entry attributes
        #  ctx - object context, used to pass data between callbacks
        #
        # If pre_callback return value evaluates to False, migration
        # of the current object is aborted.
        'user': {
            'filter_template': '(&(|%s)(uid=*))',
            'oc_option': 'userobjectclass',
            'oc_blacklist_option': 'userignoreobjectclass',
            'attr_blacklist_option': 'userignoreattribute',
            'pre_callback': _pre_migrate_user,
            'post_callback': _post_migrate_user,
            'exc_callback': None
        },
        'group': {
            'filter_template': '(&(|%s)(cn=*))',
            'oc_option': 'groupobjectclass',
            'oc_blacklist_option': 'groupignoreobjectclass',
            'attr_blacklist_option': 'groupignoreattribute',
            'pre_callback': _pre_migrate_group,
            'post_callback': None,
            'exc_callback': _group_exc_callback,
        },
    }
    # Users are migrated before groups (group membership can then refer to
    # already-created users).
    migrate_order = ('user', 'group')

    takes_args = (
        Str('ldapuri', validate_ldapuri,
            cli_name='ldap_uri',
            label=_('LDAP URI'),
            doc=_('LDAP URI of DS server to migrate from'),
        ),
        # Credential used to bind to the source DS; collected as a Password
        # parameter (no confirmation prompt, it is an existing secret).
        Password('bindpw',
            cli_name='password',
            label=_('Password'),
            confirm=False,
            doc=_('bind password'),
        ),
    )

    takes_options = (
        # Default bind identity on the source server is its Directory Manager.
        DNParam('binddn?',
            cli_name='bind_dn',
            label=_('Bind DN'),
            default=DN(('cn', 'directory manager')),
            autofill=True,
        ),
        # Containers are relative to the source base DN unless the caller
        # already included it (see _get_search_bases()).
        DNParam('usercontainer',
            cli_name='user_container',
            label=_('User container'),
            doc=_('DN of container for users in DS relative to base DN'),
            default=DN(('ou', 'people')),
            autofill=True,
        ),
        DNParam('groupcontainer',
            cli_name='group_container',
            label=_('Group container'),
            doc=_('DN of container for groups in DS relative to base DN'),
            default=DN(('ou', 'groups')),
            autofill=True,
        ),
        Str('userobjectclass+',
            cli_name='user_objectclass',
            label=_('User object class'),
            doc=_('Objectclasses used to search for user entries in DS'),
            csv=True,
            default=(u'person',),
            autofill=True,
        ),
        Str('groupobjectclass+',
            cli_name='group_objectclass',
            label=_('Group object class'),
            doc=_('Objectclasses used to search for group entries in DS'),
            csv=True,
            default=(u'groupOfUniqueNames', u'groupOfNames'),
            autofill=True,
        ),
        # Blacklists handed to the pre_callbacks (see the blacklists dict
        # built in migrate()).
        Str('userignoreobjectclass*',
            cli_name='user_ignore_objectclass',
            label=_('Ignore user object class'),
            doc=_('Objectclasses to be ignored for user entries in DS'),
            csv=True,
            default=tuple(),
            autofill=True,
        ),
        Str('userignoreattribute*',
            cli_name='user_ignore_attribute',
            label=_('Ignore user attribute'),
            doc=_('Attributes to be ignored for user entries in DS'),
            csv=True,
            default=tuple(),
            autofill=True,
        ),
        Str('groupignoreobjectclass*',
            cli_name='group_ignore_objectclass',
            label=_('Ignore group object class'),
            doc=_('Objectclasses to be ignored for group entries in DS'),
            csv=True,
            default=tuple(),
            autofill=True,
        ),
        Str('groupignoreattribute*',
            cli_name='group_ignore_attribute',
            label=_('Ignore group attribute'),
            doc=_('Attributes to be ignored for group entries in DS'),
            csv=True,
            default=tuple(),
            autofill=True,
        ),
        Flag('groupoverwritegid',
            cli_name='group_overwrite_gid',
            label=_('Overwrite GID'),
            doc=_('When migrating a group already existing in IPA domain overwrite the '
                  'group GID and report as success'),
        ),
        StrEnum('schema?',
            cli_name='schema',
            label=_('LDAP schema'),
            doc=_('The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'),
            values=_supported_schemas,
            default=_supported_schemas[0],
            autofill=True,
        ),
        # With --continue an empty source search is tolerated instead of
        # raising (see the NotFound handler in migrate()).
        Flag('continue?',
            label=_('Continue'),
            doc=_('Continuous operation mode. Errors are reported but the process continues'),
            default=False,
        ),
        DNParam('basedn?',
            cli_name='base_dn',
            label=_('Base DN'),
            doc=_('Base DN on remote LDAP server'),
        ),
        Flag('compat?',
            cli_name='with_compat',
            label=_('Ignore compat plugin'),
            doc=_('Allows migration despite the usage of compat plugin'),
            default=False,
        ),
        # CA certificate to trust for the connection to the source server
        # (per its doc string); None means no extra CA file is loaded.
        File('cacertfile?',
            cli_name='ca_cert_file',
            label=_('CA certificate'),
            doc=_('Load CA certificate of LDAP server from FILE'),
            default=None
        ),
    )

    has_output = (
        output.Output('result',
            type=dict,
            doc=_('Lists of objects migrated; categorized by type.'),
        ),
        output.Output('failed',
            type=dict,
            doc=_('Lists of objects that could not be migrated; categorized by type.'),
        ),
        output.Output('enabled',
            type=bool,
            doc=_('False if migration mode was disabled.'),
        ),
        output.Output('compat',
            type=bool,
            doc=_('False if migration fails because the compatibility plug-in is enabled.'),
        ),
    )

    # Template for the per-object-type "exclude" options added in get_options().
    exclude_doc = _('%s to exclude from migration')

    truncated_err_msg = _('''\
search results for objects to be migrated have been truncated by the server;
migration process might be incomplete\n''')

    migration_disabled_msg = _('''\
Migration mode is disabled. Use \'ipa config-mod\' to enable it.''')

    # Shown after migration: only password hashes are copied, so Kerberos
    # keys cannot be derived until each user authenticates once.
    pwd_migration_msg = _('''\
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.''')

    def get_options(self):
        """
        Call get_options of the baseclass and add "exclude" options for
        each type of object being migrated.

        Yields the base class options first, then one csv ``Str`` option
        named ``exclude_<type>s`` per key of ``migrate_objects`` (defaulting
        to an empty tuple).
        """
        for option in super(migrate_ds, self).get_options():
            yield option
        for ldap_obj_name in self.migrate_objects:
            ldap_obj = self.api.Object[ldap_obj_name]
            name = 'exclude_%ss' % to_cli(ldap_obj_name)
            doc = self.exclude_doc % ldap_obj.object_name_plural
            yield Str(
                '%s*' % name, cli_name=name, doc=doc, csv=True,
                default=tuple(), autofill=True
            )

    def normalize_options(self, options):
        """
        Convert all "exclude" option values to lower-case.
        Also, empty List parameters are converted to None, but the migration
        plugin doesn't like that - convert back to empty lists.

        Note that the loop applies to every csv parameter of the command
        (object classes, ignore lists, excludes), not only the exclude
        options; values are lower-cased in place in ``options``.
        """
        for p in self.params():
            if p.csv:
                if options[p.name]:
                    options[p.name] = tuple(
                        v.lower() for v in options[p.name]
                    )
                else:
                    options[p.name] = tuple()

    def _get_search_bases(self, options, ds_base_dn, migrate_order):
        """
        Map each object type in ``migrate_order`` to the DN searched on
        the source server: the ``<type>container`` option under
        ``ds_base_dn``, the option as-is if it already ends with the base
        DN, or ``ds_base_dn`` itself when no container option is given.
        """
        search_bases = dict()
        for ldap_obj_name in migrate_order:
            container = options.get('%scontainer' % to_cli(ldap_obj_name))
            if container:
                # Don't append base dn if user already appended it in the container dn
                if container.endswith(ds_base_dn):
                    search_base = container
                else:
                    search_base = DN(container, ds_base_dn)
            else:
                search_base = ds_base_dn
            search_bases[ldap_obj_name] = search_base
        return search_bases

    def migrate(self, ldap, config, ds_ldap, ds_base_dn, options):
        """
        Migrate objects from DS to LDAP.

        :param ldap: connection to the IPA directory (entries are added here)
        :param config: IPA config entry attributes (e.g. default primary group)
        :param ds_ldap: connection to the source DS (entries are searched here)
        :param ds_base_dn: base DN on the source server, must be a ``DN``
        :param options: normalized command options

        Fills ``migrated`` ({type: [pkey, ...]}) and ``failed``
        ({type: {pkey: reason}}) while iterating ``migrate_order``; the
        return statement is not part of this excerpt.
        """
        # NOTE(review): assert is stripped under `python -O`; an explicit
        # TypeError would enforce this precondition in every mode.
        assert isinstance(ds_base_dn, DN)
        migrated = {}  # {'OBJ': ['PKEY1', 'PKEY2', ...], ...}
        failed = {}  # {'OBJ': {'PKEY1': 'Failed 'cos blabla', ...}, ...}
        search_bases = self._get_search_bases(options, ds_base_dn, self.migrate_order)
        migration_start = datetime.datetime.now()
        for ldap_obj_name in self.migrate_order:
            ldap_obj = self.api.Object[ldap_obj_name]
            template = self.migrate_objects[ldap_obj_name]['filter_template']
            oc_list = options[to_cli(self.migrate_objects[ldap_obj_name]['oc_option'])]
            search_filter = construct_filter(template, oc_list)
            # Already lower-cased by normalize_options(); compared against
            # the lower-cased pkey below.
            exclude = options['exclude_%ss' % to_cli(ldap_obj_name)]
            context = dict(ds_ldap=ds_ldap)
            migrated[ldap_obj_name] = []
            failed[ldap_obj_name] = {}
            try:
                # One-level search under the per-type search base;
                # presumably no client-side size/time limit is requested,
                # the server-side 'truncated' flag is still honoured below.
                entries, truncated = ds_ldap.find_entries(
                    search_filter, ['*'], search_bases[ldap_obj_name],
                    ds_ldap.SCOPE_ONELEVEL,
                    time_limit=0, size_limit=-1,
                    search_refs=True  # migrated DS may contain search references
                )
            except errors.NotFound:
                if not options.get('continue', False):
                    raise errors.NotFound(
                        reason=_('%(container)s LDAP search did not return any result '
                                 '(search base: %(search_base)s, '
                                 'objectclass: %(objectclass)s)') % {
                            'container': ldap_obj_name,
                            'search_base': search_bases[ldap_obj_name],
                            'objectclass': ', '.join(oc_list)
                        })
                else:
                    truncated = False
                    entries = []
            if truncated:
                self.log.error('%s: %s' % (ldap_obj.name, self.truncated_err_msg))

            # Resolve the object-class / attribute blacklists for this type
            # from the options named in migrate_objects (empty if unset).
            blacklists = {}
            for blacklist in ('oc_blacklist', 'attr_blacklist'):
                blacklist_option = self.migrate_objects[ldap_obj_name][blacklist + '_option']
                if blacklist_option is not None:
                    blacklists[blacklist] = options.get(blacklist_option, tuple())
                else:
                    blacklists[blacklist] = tuple()

            # get default primary group for new users
            if 'def_group_dn' not in context:
                def_group = config.get('ipadefaultprimarygroup')
                context['def_group_dn'] = api.Object.group.get_dn(def_group)
                try:
                    g_attrs = ldap.get_entry(context['def_group_dn'], ['gidnumber', 'cn'])
                except errors.NotFound:
                    error_msg = _('Default group for new users not found')
                    raise errors.NotFound(reason=error_msg)
                if 'gidnumber' in g_attrs:
                    context['def_group_gid'] = g_attrs['gidnumber'][0]

            context['has_upg'] = ldap.has_upg()

            valid_gids = []
            invalid_gids = []
            migrate_cnt = 0
            context['migrate_cnt'] = 0
            for entry_attrs in entries:
                context['migrate_cnt'] = migrate_cnt
                s = datetime.datetime.now()

                ava = entry_attrs.dn[0][0]
                if ava.attr == ldap_obj.primary_key.name:
                    # In case if pkey attribute is in the migrated object DN
                    # and the original LDAP is multivalued, make sure that
                    # we pick the correct value (the unique one stored in DN)
                    pkey = ava.value.lower()
                else:
                    pkey = entry_attrs[ldap_obj.primary_key.name][0].lower()

                if pkey in exclude:
                    continue

                # Re-home the entry under the IPA DN for this type and merge
                # the configured IPA object classes with the source ones.
                entry_attrs.dn = ldap_obj.get_dn(pkey)
                entry_attrs['objectclass'] = list(
                    set(
                        config.get(ldap_obj.object_class_config, ldap_obj.object_class)
                        + [o.lower() for o in entry_attrs['objectclass']]
                    )
                )
                entry_attrs[ldap_obj.primary_key.name][0] = entry_attrs[ldap_obj.primary_key.name][0].lower()

                # pre_callback may rewrite the DN; a falsy DN skips the entry.
                callback = self.migrate_objects[ldap_obj_name]['pre_callback']
                if callable(callback):
                    try:
                        entry_attrs.dn = callback(
                            ldap, pkey, entry_attrs.dn, entry_attrs,
                            failed[ldap_obj_name], config, context,
                            schema=options['schema'], search_bases=search_bases,
                            valid_gids=valid_gids, invalid_gids=invalid_gids,
                            **blacklists
                        )
                        if not entry_attrs.dn:
                            continue
                    except errors.NotFound, e:
                        failed[ldap_obj_name][pkey] = unicode(e.reason)
                        continue

                try:
                    ldap.add_entry(entry_attrs)
                except errors.ExecutionError, e:
                    # exc_callback gets a chance to recover; if it raises
                    # too, or there is none, the entry is recorded as failed.
                    callback = self.migrate_objects[ldap_obj_name]['exc_callback']
                    if callable(callback):
                        try:
                            callback(ldap, entry_attrs.dn, entry_attrs, e, options)
                        except errors.ExecutionError, e:
                            failed[ldap_obj_name][pkey] = unicode(e)
                            continue
                    else:
                        failed[ldap_obj_name][pkey] = unicode(e)
                        continue

                migrated[ldap_obj_name].append(pkey)

                callback = self.migrate_objects[ldap_obj_name]['post_callback']
                if callable(callback):
                    callback(
                        ldap, pkey, entry_attrs.dn, entry_attrs,
                        failed[ldap_obj_name], config, context
                    )
                # Progress logging: info every 100 entries, debug per entry.
                e = datetime.datetime.now()
                d = e - s
                total_dur = e - migration_start
                migrate_cnt += 1
                if migrate_cnt > 0 and migrate_cnt % 100 == 0:
                    api.log.info("%d %ss migrated. %s elapsed." % (migrate_cnt, ldap_obj_name, total_dur))
                api.log.debug("%d %ss migrated, duration: %s (total %s)" % (migrate_cnt, ldap_obj_name, d, total_dur))
                # NOTE(review): the excerpt ends here; the method's return
                # statement (if any) is not shown on this page.
class trust_find(Method):
    # API declaration for ``trust-find``: search argument, filter options
    # and output schema only; no execution logic is defined here.
    __doc__ = _("Search for trusts.")

    takes_args = (
        parameters.Str(
            'criteria',
            required=False,
            doc=_(u'A string searched in all relevant object attributes'),
        ),
    )
    takes_options = (
        # Attribute filters; each is optional.
        parameters.Str(
            'cn',
            required=False,
            cli_name='realm',
            label=_(u'Realm name'),
        ),
        parameters.Str(
            'ipantflatname',
            required=False,
            cli_name='flat_name',
            label=_(u'Domain NetBIOS name'),
        ),
        parameters.Str(
            'ipanttrusteddomainsid',
            required=False,
            cli_name='sid',
            label=_(u'Domain Security Identifier'),
        ),
        parameters.Str(
            'ipantsidblacklistincoming',
            required=False,
            multivalue=True,
            cli_name='sid_blacklist_incoming',
            label=_(u'SID blacklist incoming'),
        ),
        parameters.Str(
            'ipantsidblacklistoutgoing',
            required=False,
            multivalue=True,
            cli_name='sid_blacklist_outgoing',
            label=_(u'SID blacklist outgoing'),
        ),
        # Search bounds.
        parameters.Int(
            'timelimit',
            required=False,
            label=_(u'Time Limit'),
            doc=_(u'Time limit of search in seconds'),
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of entries returned'),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'pkey_only',
            required=False,
            label=_(u'Primary key only'),
            doc=_(u'Results should contain primary key attribute only ("realm")'),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.ListOfEntries('result', ),
        output.Output(
            'count',
            int,
            doc=_(u'Number of entries returned'),
        ),
        output.Output(
            'truncated',
            bool,
            doc=_(u'True if not all results were returned'),
        ),
    )
class cosentry_find(Method):
    # API declaration for ``cosentry_find``: search argument, filter options
    # and output schema only.  NO_CLI keeps the command off the command-line
    # client; the class carries no translated summary (__doc__) of its own.
    NO_CLI = True

    takes_args = (
        parameters.Str(
            'criteria',
            required=False,
            doc=_(u'A string searched in all relevant object attributes'),
        ),
    )
    takes_options = (
        # Attribute filters without labels/docs: this is an internal command.
        parameters.Str(
            'cn',
            required=False,
        ),
        parameters.DNParam(
            'krbpwdpolicyreference',
            required=False,
        ),
        parameters.Int(
            'cospriority',
            required=False,
        ),
        parameters.Int(
            'timelimit',
            required=False,
            label=_(u'Time Limit'),
            doc=_(u'Time limit of search in seconds'),
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of entries returned'),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'pkey_only',
            required=False,
            label=_(u'Primary key only'),
            doc=_(u'Results should contain primary key attribute only ("cn")'),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.ListOfEntries('result', ),
        output.Output(
            'count',
            int,
            doc=_(u'Number of entries returned'),
        ),
        output.Output(
            'truncated',
            bool,
            doc=_(u'True if not all results were returned'),
        ),
    )
class pwpolicy_find(Method):
    # API declaration for ``pwpolicy-find``: search argument, filter options
    # (one per password-policy attribute) and output schema only; no
    # execution logic is defined here.
    __doc__ = _("Search for group password policies.")

    takes_args = (
        parameters.Str(
            'criteria',
            required=False,
            doc=_(u'A string searched in all relevant object attributes'),
        ),
    )
    takes_options = (
        parameters.Str(
            'cn',
            required=False,
            cli_name='group',
            label=_(u'Group'),
            doc=_(u'Manage password policy for specific group'),
        ),
        # Lifetime / history / complexity attributes of the policy.
        parameters.Int(
            'krbmaxpwdlife',
            required=False,
            cli_name='maxlife',
            label=_(u'Max lifetime (days)'),
            doc=_(u'Maximum password lifetime (in days)'),
        ),
        parameters.Int(
            'krbminpwdlife',
            required=False,
            cli_name='minlife',
            label=_(u'Min lifetime (hours)'),
            doc=_(u'Minimum password lifetime (in hours)'),
        ),
        parameters.Int(
            'krbpwdhistorylength',
            required=False,
            cli_name='history',
            label=_(u'History size'),
            doc=_(u'Password history size'),
        ),
        parameters.Int(
            'krbpwdmindiffchars',
            required=False,
            cli_name='minclasses',
            label=_(u'Character classes'),
            doc=_(u'Minimum number of character classes'),
        ),
        parameters.Int(
            'krbpwdminlength',
            required=False,
            cli_name='minlength',
            label=_(u'Min length'),
            doc=_(u'Minimum length of password'),
        ),
        parameters.Int(
            'cospriority',
            required=False,
            cli_name='priority',
            label=_(u'Priority'),
            doc=_(u'Priority of the policy (higher number means lower priority'),
        ),
        # Lockout attributes of the policy.
        parameters.Int(
            'krbpwdmaxfailure',
            required=False,
            cli_name='maxfail',
            label=_(u'Max failures'),
            doc=_(u'Consecutive failures before lockout'),
        ),
        parameters.Int(
            'krbpwdfailurecountinterval',
            required=False,
            cli_name='failinterval',
            label=_(u'Failure reset interval'),
            doc=_(u'Period after which failure count will be reset (seconds)'),
        ),
        parameters.Int(
            'krbpwdlockoutduration',
            required=False,
            cli_name='lockouttime',
            label=_(u'Lockout duration'),
            doc=_(u'Period for which lockout is enforced (seconds)'),
        ),
        # Search bounds.
        parameters.Int(
            'timelimit',
            required=False,
            label=_(u'Time Limit'),
            doc=_(u'Time limit of search in seconds'),
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of entries returned'),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'pkey_only',
            required=False,
            label=_(u'Primary key only'),
            doc=_(u'Results should contain primary key attribute only ("group")'),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.ListOfEntries('result', ),
        output.Output(
            'count',
            int,
            doc=_(u'Number of entries returned'),
        ),
        output.Output(
            'truncated',
            bool,
            doc=_(u'True if not all results were returned'),
        ),
    )
class server_find(Method):
    # API declaration for ``server-find``: search argument, filter options
    # and output schema only; no execution logic is defined here.
    __doc__ = _("Search for IPA servers.")

    takes_args = (
        parameters.Str(
            'criteria',
            required=False,
            doc=_(u'A string searched in all relevant object attributes'),
        ),
    )
    takes_options = (
        parameters.Str(
            'cn',
            required=False,
            cli_name='name',
            label=_(u'Server name'),
            doc=_(u'IPA server hostname'),
        ),
        parameters.Int(
            'ipamindomainlevel',
            required=False,
            cli_name='minlevel',
            label=_(u'Min domain level'),
            doc=_(u'Minimum domain level'),
        ),
        parameters.Int(
            'ipamaxdomainlevel',
            required=False,
            cli_name='maxlevel',
            label=_(u'Max domain level'),
            doc=_(u'Maximum domain level'),
        ),
        # Search bounds; 0 means unlimited per the doc strings.
        parameters.Int(
            'timelimit',
            required=False,
            label=_(u'Time Limit'),
            doc=_(u'Time limit of search in seconds (0 is unlimited)'),
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of entries returned (0 is unlimited)'),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        # Internal option: hidden from both the web UI and the CLI.
        parameters.Flag(
            'no_members',
            doc=_(u'Suppress processing of membership attributes.'),
            exclude=('webui', 'cli'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'pkey_only',
            required=False,
            label=_(u'Primary key only'),
            doc=_(u'Results should contain primary key attribute only ("name")'),
            default=False,
            autofill=True,
        ),
        # Membership filters on managed topology suffixes (with / without).
        parameters.Str(
            'topologysuffix',
            required=False,
            multivalue=True,
            cli_name='topologysuffixes',
            label=_(u'suffix'),
            doc=_(u'Search for servers with these managed suffixes.'),
        ),
        parameters.Str(
            'no_topologysuffix',
            required=False,
            multivalue=True,
            cli_name='no_topologysuffixes',
            label=_(u'suffix'),
            doc=_(u'Search for servers without these managed suffixes.'),
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.ListOfEntries(
            'result',
        ),
        output.Output(
            'count',
            int,
            doc=_(u'Number of entries returned'),
        ),
        output.Output(
            'truncated',
            bool,
            doc=_(u'True if not all results were returned'),
        ),
    )
class Complex(self.cls):
    # Test fixture fragment: a minimal subclass declaring two outputs.  The
    # base class is taken from the enclosing test's ``self.cls``, so this
    # statement is only valid inside a method of that test (``self`` is not
    # defined at module scope).
    has_output = (
        output.Output('foo', int),
        output.Output('bar', list),
    )
class hostgroup_remove_member(Method):
    # API declaration for ``hostgroup-remove-member``: positional argument,
    # options and output schema only; no execution logic is defined here.
    __doc__ = _("Remove members from a hostgroup.")

    takes_args = (
        parameters.Str(
            'cn',
            cli_name='hostgroup_name',
            label=_(u'Host-group'),
            doc=_(u'Name of host-group'),
            no_convert=True,
        ),
    )
    takes_options = (
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        # Internal option: hidden from both the web UI and the CLI.
        parameters.Flag(
            'no_members',
            doc=_(u'Suppress processing of membership attributes.'),
            exclude=('webui', 'cli'),
            default=False,
            autofill=True,
        ),
        # Members to remove; optional but always prompted for (alwaysask).
        parameters.Str(
            'host',
            required=False,
            multivalue=True,
            cli_name='hosts',
            label=_(u'member host'),
            doc=_(u'hosts to remove'),
            alwaysask=True,
        ),
        parameters.Str(
            'hostgroup',
            required=False,
            multivalue=True,
            cli_name='hostgroups',
            label=_(u'member host group'),
            doc=_(u'host groups to remove'),
            alwaysask=True,
        ),
    )
    has_output = (
        output.Entry(
            'result',
        ),
        # Partial failures are reported per member rather than raised.
        output.Output(
            'failed',
            dict,
            doc=_(u'Members that could not be removed'),
        ),
        output.Output(
            'completed',
            int,
            doc=_(u'Number of members removed'),
        ),
    )
class trustdomain_add(Method):
    # API declaration for ``trustdomain_add``: positional arguments, options
    # and output schema only.  NO_CLI keeps the command off the command-line
    # client (it is meant for internal/API use).
    __doc__ = _("Allow access from the trusted domain")
    NO_CLI = True

    takes_args = (
        parameters.Str(
            'trustcn',
            cli_name='trust',
            label=_(u'Realm name'),
        ),
        parameters.Str(
            'cn',
            cli_name='domain',
            label=_(u'Domain name'),
        ),
    )
    takes_options = (
        parameters.Str(
            'ipantflatname',
            required=False,
            cli_name='flat_name',
            label=_(u'Domain NetBIOS name'),
        ),
        parameters.Str(
            'ipanttrusteddomainsid',
            required=False,
            cli_name='sid',
            label=_(u'Domain Security Identifier'),
        ),
        # Not settable from either client; only reachable through the API.
        parameters.Str(
            'ipanttrustpartner',
            required=False,
            label=_(u'Trusted domain partner'),
            exclude=('cli', 'webui'),
        ),
        # Raw attribute editing; excluded from the web UI.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        # Only 'ad' is offered as a trust type (see cli_metavar/default).
        parameters.Str(
            'trust_type',
            cli_name='type',
            cli_metavar="['ad']",
            label=_(u'Trust type (ad for Active Directory, default)'),
            default=u'ad',
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class hostgroup_mod(Method):
    # API declaration for ``hostgroup-mod``: positional argument, options and
    # output schema only; no execution logic is defined here.
    __doc__ = _("Modify a hostgroup.")

    takes_args = (
        parameters.Str(
            'cn',
            cli_name='hostgroup_name',
            label=_(u'Host-group'),
            doc=_(u'Name of host-group'),
            no_convert=True,
        ),
    )
    takes_options = (
        parameters.Str(
            'description',
            required=False,
            cli_name='desc',
            label=_(u'Description'),
            doc=_(u'A description of this host-group'),
        ),
        # Raw attribute editing (setattr/addattr/delattr); excluded from the
        # web UI.  Per its doc, delattr is applied after sets and adds.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'delattr',
            required=False,
            multivalue=True,
            doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
            exclude=('webui',),
        ),
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        # Internal option: hidden from both the web UI and the CLI.
        parameters.Flag(
            'no_members',
            doc=_(u'Suppress processing of membership attributes.'),
            exclude=('webui', 'cli'),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class hostgroup_find(Method):
    # API declaration for ``hostgroup-find``: search argument, filter options
    # (attribute filters plus membership filters in with/without pairs) and
    # output schema only; no execution logic is defined here.
    __doc__ = _("Search for hostgroups.")

    takes_args = (
        parameters.Str(
            'criteria',
            required=False,
            doc=_(u'A string searched in all relevant object attributes'),
        ),
    )
    takes_options = (
        parameters.Str(
            'cn',
            required=False,
            cli_name='hostgroup_name',
            label=_(u'Host-group'),
            doc=_(u'Name of host-group'),
            no_convert=True,
        ),
        parameters.Str(
            'description',
            required=False,
            cli_name='desc',
            label=_(u'Description'),
            doc=_(u'A description of this host-group'),
        ),
        # Search bounds.
        parameters.Int(
            'timelimit',
            required=False,
            label=_(u'Time Limit'),
            doc=_(u'Time limit of search in seconds'),
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of entries returned'),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        # Internal option: hidden from both the web UI and the CLI.
        parameters.Flag(
            'no_members',
            doc=_(u'Suppress processing of membership attributes.'),
            exclude=('webui', 'cli'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'pkey_only',
            required=False,
            label=_(u'Primary key only'),
            doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'),
            default=False,
            autofill=True,
        ),
        # Direct members of the host group (with / without).
        parameters.Str(
            'host',
            required=False,
            multivalue=True,
            cli_name='hosts',
            label=_(u'host'),
            doc=_(u'Search for host groups with these member hosts.'),
        ),
        parameters.Str(
            'no_host',
            required=False,
            multivalue=True,
            cli_name='no_hosts',
            label=_(u'host'),
            doc=_(u'Search for host groups without these member hosts.'),
        ),
        parameters.Str(
            'hostgroup',
            required=False,
            multivalue=True,
            cli_name='hostgroups',
            label=_(u'host group'),
            doc=_(u'Search for host groups with these member host groups.'),
        ),
        parameters.Str(
            'no_hostgroup',
            required=False,
            multivalue=True,
            cli_name='no_hostgroups',
            label=_(u'host group'),
            doc=_(u'Search for host groups without these member host groups.'),
        ),
        # Reverse membership: what the host group is itself a member of.
        parameters.Str(
            'in_hostgroup',
            required=False,
            multivalue=True,
            cli_name='in_hostgroups',
            label=_(u'host group'),
            doc=_(u'Search for host groups with these member of host groups.'),
        ),
        parameters.Str(
            'not_in_hostgroup',
            required=False,
            multivalue=True,
            cli_name='not_in_hostgroups',
            label=_(u'host group'),
            doc=_(u'Search for host groups without these member of host groups.'),
        ),
        parameters.Str(
            'in_netgroup',
            required=False,
            multivalue=True,
            cli_name='in_netgroups',
            label=_(u'netgroup'),
            doc=_(u'Search for host groups with these member of netgroups.'),
        ),
        parameters.Str(
            'not_in_netgroup',
            required=False,
            multivalue=True,
            cli_name='not_in_netgroups',
            label=_(u'netgroup'),
            doc=_(u'Search for host groups without these member of netgroups.'),
        ),
        parameters.Str(
            'in_hbacrule',
            required=False,
            multivalue=True,
            cli_name='in_hbacrules',
            label=_(u'HBAC rule'),
            doc=_(u'Search for host groups with these member of HBAC rules.'),
        ),
        parameters.Str(
            'not_in_hbacrule',
            required=False,
            multivalue=True,
            cli_name='not_in_hbacrules',
            label=_(u'HBAC rule'),
            doc=_(u'Search for host groups without these member of HBAC rules.'),
        ),
        parameters.Str(
            'in_sudorule',
            required=False,
            multivalue=True,
            cli_name='in_sudorules',
            label=_(u'sudo rule'),
            doc=_(u'Search for host groups with these member of sudo rules.'),
        ),
        parameters.Str(
            'not_in_sudorule',
            required=False,
            multivalue=True,
            cli_name='not_in_sudorules',
            label=_(u'sudo rule'),
            doc=_(u'Search for host groups without these member of sudo rules.'),
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.ListOfEntries(
            'result',
        ),
        output.Output(
            'count',
            int,
            doc=_(u'Number of entries returned'),
        ),
        output.Output(
            'truncated',
            bool,
            doc=_(u'True if not all results were returned'),
        ),
    )
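class GetKeytab(Command):
    # Creates or retrieves the keytab of a Kerberos principal by delegating
    # to the ``ipa-getkeytab`` utility.  The keytab bytes are returned to the
    # caller base64-encoded under ``result['keytab']``; they are credential
    # material, so nothing in this class logs them.
    __doc__ = _('Retrieve a keytab.')

    name = 'get_keytab'

    # Param declarations are tuples (note the trailing commas), consistent
    # with every other command in this file; a bare Param inside parentheses
    # is just the Param object, not a one-element tuple.
    takes_args = (
        Principal(
            'krbcanonicalname',
            validate_realm,
            cli_name='canonical_principal',
            label=_('Principal name'),
            doc=_('Kerberos principal'),
            primary_key=True,
            normalizer=normalize_principal,
        ),
    )

    takes_options = (
        Flag(
            'retrieve',
            doc=_('Retrieve an existing keytab (service principals only)'),
        ),
    )

    has_output = (
        output.summary,
        output.Output(
            'result',
            dict,
            _('The keytab response which has a base64 encoded keytab element.'),
        ),
    )

    # See https://web.mit.edu/kerberos/krb5-devel/doc/formats/keytab_file_format.html
    # for the keytab file format.
    #
    # NOTE: http://web.mit.edu/kerberos/www/krb5-1.12/doc/formats/keytab_file_format.html
    # has an incorrect size for the principal's count of components and it is
    # missing the entry's second key version.

    # Keytab header:
    #   [0] = 5 (KRB5)
    #   [1] = 2 (Big endian)
    __keytab_big_endian_header = b'\x05\x02'

    # The keytab record length is a signed 32 bit integer where 0 indicates
    # the end of records.
    __keytab_end_of_records = b'\x00\x00\x00\x00'

    # A keytab has a header followed by record lengths followed by records or
    # holes.  Header + end-of-records marker is therefore the smallest valid
    # (empty) keytab.
    __empty_keytab = __keytab_big_endian_header + __keytab_end_of_records

    def execute(self, krbcanonicalname, **options):
        """Create or retrieve the keytab of *krbcanonicalname*.

        :param krbcanonicalname: the (already normalized) principal
        :param options: ``retrieve`` selects retrieval of the existing keytab
            instead of creating new keys
        :returns: ``{'summary': ..., 'result': {'keytab': <base64 str>}}``
        :raises errors.InternalError: when ``ipa-getkeytab`` fails
        """
        # ``retrieve`` is a Flag and is normally filled in as a bool; coerce
        # it so a missing option (None) cannot break the tuple indexing below.
        retrieve = bool(options.get('retrieve', False))
        principal_string = unicode(krbcanonicalname)
        keytab = self.get_keytab(principal_string, retrieve)
        base64_keytab = base64.b64encode(keytab).decode('ascii')
        action = ('Created', 'Retrieved')[retrieve]
        summary = u'{0} keytab for principal "{1}"'.format(
            action, principal_string)
        return dict(
            summary=summary,
            result=dict(keytab=base64_keytab),
        )

    def get_keytab(self, principal, retrieve):
        """Run ``ipa-getkeytab`` for *principal* and return the raw keytab bytes.

        :param principal: principal name as text
        :param retrieve: True to fetch the existing keytab (``-r``), False to
            generate new keys
        :returns: the keytab file content (bytes)
        :raises errors.InternalError: if ``ipa-getkeytab`` exits non-zero;
            the exit status and its stderr are logged, the caller gets no
            detail beyond the generic error
        """
        action = ('creating', 'retrieving')[retrieve]
        logger.debug(u'%s keytab for principal "%s"', action, principal)
        try:
            # NOTE: This is run from httpd with PrivateTmp=yes so the
            # temporary files are not accessible to other services running on
            # the same VM.  This is in addition to the security of the
            # discretionary access controls being locked down (using
            # NamedTemporaryFile creates files that are only accessible by the
            # user).
            with tempfile.NamedTemporaryFile(suffix='.keytab') as temp_keytab:
                # ipa-getkeytab can either create a new keytab file or add to
                # an existing one, so the temporary file must already hold a
                # valid (empty) keytab before the tool is invoked.
                temp_keytab.write(self.__empty_keytab)
                temp_keytab.flush()

                # Argument list, never a shell string: the principal is
                # caller-supplied and must not be interpreted by a shell.
                args = ['ipa-getkeytab', '-p', principal, '-k', temp_keytab.name]
                if retrieve:
                    args.append('-r')

                # The ipa-getkeytab utility enforces the authorization policy
                # for retrieving the keytab.
                proc = subprocess.Popen(
                    args,
                    stdout=subprocess.PIPE,
                    stderr=subprocess.PIPE,
                    close_fds=True,
                    shell=False,
                )
                # There is no stdout output from ipa-getkeytab.  (Not bound
                # to ``_`` so the gettext helper is not shadowed.)
                _stdout, err = proc.communicate()
                # communicate() waits for the process; no extra wait() needed.
                status = proc.returncode
                if status != 0:
                    # stderr arrives as bytes under Python 3; decode for a
                    # readable log line.
                    if isinstance(err, bytes):
                        err = err.decode('utf-8', 'replace')
                    logger.error(
                        u'ipa-getkeytab failed %s keytab for principal "%s" with error code %d and standard error '
                        u'message "%s"', action, principal, status, err)
                    raise errors.InternalError()

                # Read back through our own handle; this presumes ipa-getkeytab
                # updated the file in place (same inode) rather than replacing
                # it -- TODO confirm against the tool's behaviour.
                temp_keytab.seek(0)
                keytab = temp_keytab.read()
        except errors.InternalError:
            # The details were already logged
            raise
        except Exception as e:
            logger.error(u'failed %s keytab for principal "%s" with error "%s"',
                         action, principal, e)
            raise
        logger.debug(u'%s keytab for principal "%s" succeeded', action, principal)
        return keytab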
class service_find(Method):
    # Declarative schema of the ``service-find`` command: search criterion,
    # principal/PAC-type filters, search limits, output flags and the
    # "managed by host" membership filters.
    __doc__ = _("Search for IPA services.")

    takes_args = (
        parameters.Str(
            'criteria',
            required=False,
            doc=_(u'A string searched in all relevant object attributes'),
        ),
    )

    takes_options = (
        parameters.Str(
            'krbprincipalname',
            required=False,
            cli_name='principal',
            label=_(u'Principal'),
            doc=_(u'Service principal'),
            no_convert=True,
        ),
        # The allowed PAC types are given to the CLI only as a metavar hint;
        # validation (if any) happens elsewhere.
        parameters.Str(
            'ipakrbauthzdata',
            required=False,
            multivalue=True,
            cli_name='pac_type',
            cli_metavar="['MS-PAC', 'PAD', 'NONE']",
            label=_(u'PAC type'),
            doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
        ),
        parameters.Int(
            'timelimit',
            required=False,
            label=_(u'Time Limit'),
            doc=_(u'Time limit of search in seconds (0 is unlimited)'),
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of entries returned (0 is unlimited)'),
        ),
        # Output-shaping flags hidden from the web UI (and CLI for no_members).
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'no_members',
            doc=_(u'Suppress processing of membership attributes.'),
            exclude=('webui', 'cli'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'pkey_only',
            required=False,
            label=_(u'Primary key only'),
            doc=_(u'Results should contain primary key attribute only ("principal")'),
            default=False,
            autofill=True,
        ),
        # Membership filters.
        parameters.Str(
            'man_by_host',
            required=False,
            multivalue=True,
            cli_name='man_by_hosts',
            label=_(u'host'),
            doc=_(u'Search for services with these managed by hosts.'),
        ),
        parameters.Str(
            'not_man_by_host',
            required=False,
            multivalue=True,
            cli_name='not_man_by_hosts',
            label=_(u'host'),
            doc=_(u'Search for services without these managed by hosts.'),
        ),
    )

    # Standard "find" result shape.
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.ListOfEntries(
            'result',
        ),
        output.Output(
            'count',
            int,
            doc=_(u'Number of entries returned'),
        ),
        output.Output(
            'truncated',
            bool,
            doc=_(u'True if not all results were returned'),
        ),
    )
# Derives from ``self.cls``, so this class statement must sit inside a method
# body (presumably a test helper); it appears at top level here only because
# the listing lost its indentation -- TODO confirm against the original file.
class nested(self.cls):
    has_output = (
        output.Output('hello', int),
        Subclass('world'),
    )
class service_mod(Method):
    # Declarative schema of the ``service-mod`` command: the principal to
    # modify, the editable attributes, the raw LDAP attribute escape hatches
    # (setattr/addattr/delattr) and the generic output flags.
    __doc__ = _("Modify an existing IPA service.")

    takes_args = (
        parameters.Str(
            'krbprincipalname',
            cli_name='principal',
            label=_(u'Principal'),
            doc=_(u'Service principal'),
            no_convert=True,
        ),
    )

    takes_options = (
        parameters.Bytes(
            'usercertificate',
            required=False,
            multivalue=True,
            cli_name='certificate',
            label=_(u'Certificate'),
            doc=_(u'Base-64 encoded server certificate'),
        ),
        parameters.Str(
            'ipakrbauthzdata',
            required=False,
            multivalue=True,
            cli_name='pac_type',
            cli_metavar="['MS-PAC', 'PAD', 'NONE']",
            label=_(u'PAC type'),
            doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."),
        ),
        # Kerberos ticket flags for the service principal.
        parameters.Bool(
            'ipakrbrequirespreauth',
            required=False,
            cli_name='requires_pre_auth',
            label=_(u'Requires pre-authentication'),
            doc=_(u'Pre-authentication is required for the service'),
        ),
        parameters.Bool(
            'ipakrbokasdelegate',
            required=False,
            cli_name='ok_as_delegate',
            label=_(u'Trusted for delegation'),
            doc=_(u'Client credentials may be delegated to the service'),
        ),
        # Generic attr=value manipulation; not offered in the web UI.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'delattr',
            required=False,
            multivalue=True,
            doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
            exclude=('webui',),
        ),
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'no_members',
            doc=_(u'Suppress processing of membership attributes.'),
            exclude=('webui', 'cli'),
            default=False,
            autofill=True,
        ),
    )

    # Standard "mod" result shape: summary, the modified entry, its primary key.
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class idrange_add(Method):
    # Declarative schema of the ``idrange-add`` command.  The long help text
    # below (kept verbatim) documents which option combinations are valid for
    # local vs. trusted-domain ranges and the manual DNA plugin follow-up.
    __doc__ = _(""" Add new ID range. To add a new ID range you always have to specify --base-id --range-size Additionally --rid-base --secondary-rid-base may be given for a new ID range for the local domain while --rid-base --dom-sid must be given to add a new range for a trusted AD domain. WARNING: DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin *cannot* be reconfigured itself based on the local ranges set via this family of commands. Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be modified to match the new range. """)

    takes_args = (
        parameters.Str(
            'cn',
            cli_name='name',
            label=_(u'Range name'),
        ),
    )

    takes_options = (
        # Mandatory extent of the range.
        parameters.Int(
            'ipabaseid',
            cli_name='base_id',
            label=_(u'First Posix ID of the range'),
        ),
        parameters.Int(
            'ipaidrangesize',
            cli_name='range_size',
            label=_(u'Number of IDs in the range'),
        ),
        # RID mapping (local or trusted-domain ranges).
        parameters.Int(
            'ipabaserid',
            required=False,
            cli_name='rid_base',
            label=_(u'First RID of the corresponding RID range'),
        ),
        parameters.Int(
            'ipasecondarybaserid',
            required=False,
            cli_name='secondary_rid_base',
            label=_(u'First RID of the secondary RID range'),
        ),
        # Trusted AD domain identification.
        parameters.Str(
            'ipanttrusteddomainsid',
            required=False,
            cli_name='dom_sid',
            label=_(u'Domain SID of the trusted domain'),
        ),
        parameters.Str(
            'ipanttrusteddomainname',
            required=False,
            cli_name='dom_name',
            label=_(u'Name of the trusted domain'),
        ),
        parameters.Str(
            'iparangetype',
            required=False,
            cli_name='type',
            cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']",
            label=_(u'Range type'),
            doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
        ),
        # Generic attr=value manipulation; not offered in the web UI.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
    )

    # Standard "add" result shape: summary, the new entry, its primary key.
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class cosentry_mod(Method):
    # Declarative schema of the API-only ``cosentry_mod`` command (NO_CLI):
    # modifies the password-policy reference and priority of a CoS entry.
    NO_CLI = True

    takes_args = (
        parameters.Str('cn', ),
    )

    takes_options = (
        parameters.DNParam(
            'krbpwdpolicyreference',
            required=False,
        ),
        parameters.Int(
            'cospriority',
            required=False,
        ),
        # Generic attr=value manipulation; not offered in the web UI.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui', ),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui', ),
        ),
        parameters.Str(
            'delattr',
            required=False,
            multivalue=True,
            doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
            exclude=('webui', ),
        ),
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui', ),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui', ),
            default=False,
            autofill=True,
        ),
    )

    # Standard "mod" result shape.
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry('result', ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class idrange_find(Method):
    # Declarative schema of the ``idrange-find`` command: search criterion,
    # per-attribute filters mirroring the idrange attributes, limits and
    # output flags.
    __doc__ = _("Search for ranges.")

    takes_args = (
        parameters.Str(
            'criteria',
            required=False,
            doc=_(u'A string searched in all relevant object attributes'),
        ),
    )

    takes_options = (
        parameters.Str(
            'cn',
            required=False,
            cli_name='name',
            label=_(u'Range name'),
        ),
        parameters.Int(
            'ipabaseid',
            required=False,
            cli_name='base_id',
            label=_(u'First Posix ID of the range'),
        ),
        parameters.Int(
            'ipaidrangesize',
            required=False,
            cli_name='range_size',
            label=_(u'Number of IDs in the range'),
        ),
        parameters.Int(
            'ipabaserid',
            required=False,
            cli_name='rid_base',
            label=_(u'First RID of the corresponding RID range'),
        ),
        parameters.Int(
            'ipasecondarybaserid',
            required=False,
            cli_name='secondary_rid_base',
            label=_(u'First RID of the secondary RID range'),
        ),
        parameters.Str(
            'ipanttrusteddomainsid',
            required=False,
            cli_name='dom_sid',
            label=_(u'Domain SID of the trusted domain'),
        ),
        parameters.Str(
            'iparangetype',
            required=False,
            cli_name='type',
            cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']",
            label=_(u'Range type'),
            doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
        ),
        # Search limits.
        parameters.Int(
            'timelimit',
            required=False,
            label=_(u'Time Limit'),
            doc=_(u'Time limit of search in seconds'),
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of entries returned'),
        ),
        # Output-shaping flags.
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'pkey_only',
            required=False,
            label=_(u'Primary key only'),
            doc=_(u'Results should contain primary key attribute only ("name")'),
            default=False,
            autofill=True,
        ),
    )

    # Standard "find" result shape.
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.ListOfEntries(
            'result',
        ),
        output.Output(
            'count',
            int,
            doc=_(u'Number of entries returned'),
        ),
        output.Output(
            'truncated',
            bool,
            doc=_(u'True if not all results were returned'),
        ),
    )
class pwpolicy_mod(Method):
    # Declarative schema of the ``pwpolicy-mod`` command: lifetime, history,
    # complexity and lockout settings of a (group) password policy.  The
    # group argument is optional; what is modified when it is omitted is
    # decided by the implementation, not here.
    __doc__ = _("Modify a group password policy.")

    takes_args = (
        parameters.Str(
            'cn',
            required=False,
            cli_name='group',
            label=_(u'Group'),
            doc=_(u'Manage password policy for specific group'),
        ),
    )

    takes_options = (
        # Lifetime limits (note the differing units: days vs. hours).
        parameters.Int(
            'krbmaxpwdlife',
            required=False,
            cli_name='maxlife',
            label=_(u'Max lifetime (days)'),
            doc=_(u'Maximum password lifetime (in days)'),
        ),
        parameters.Int(
            'krbminpwdlife',
            required=False,
            cli_name='minlife',
            label=_(u'Min lifetime (hours)'),
            doc=_(u'Minimum password lifetime (in hours)'),
        ),
        # History and complexity.
        parameters.Int(
            'krbpwdhistorylength',
            required=False,
            cli_name='history',
            label=_(u'History size'),
            doc=_(u'Password history size'),
        ),
        parameters.Int(
            'krbpwdmindiffchars',
            required=False,
            cli_name='minclasses',
            label=_(u'Character classes'),
            doc=_(u'Minimum number of character classes'),
        ),
        parameters.Int(
            'krbpwdminlength',
            required=False,
            cli_name='minlength',
            label=_(u'Min length'),
            doc=_(u'Minimum length of password'),
        ),
        parameters.Int(
            'cospriority',
            required=False,
            cli_name='priority',
            label=_(u'Priority'),
            doc=_(u'Priority of the policy (higher number means lower priority'),
        ),
        # Lockout settings (all intervals in seconds).
        parameters.Int(
            'krbpwdmaxfailure',
            required=False,
            cli_name='maxfail',
            label=_(u'Max failures'),
            doc=_(u'Consecutive failures before lockout'),
        ),
        parameters.Int(
            'krbpwdfailurecountinterval',
            required=False,
            cli_name='failinterval',
            label=_(u'Failure reset interval'),
            doc=_(u'Period after which failure count will be reset (seconds)'),
        ),
        parameters.Int(
            'krbpwdlockoutduration',
            required=False,
            cli_name='lockouttime',
            label=_(u'Lockout duration'),
            doc=_(u'Period for which lockout is enforced (seconds)'),
        ),
        # Generic attr=value manipulation; not offered in the web UI.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui', ),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui', ),
        ),
        parameters.Str(
            'delattr',
            required=False,
            multivalue=True,
            doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
            exclude=('webui', ),
        ),
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui', ),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui', ),
            default=False,
            autofill=True,
        ),
    )

    # Standard "mod" result shape.
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry('result', ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class idrange_mod(Method):
    # Declarative schema of the ``idrange-mod`` command.  The trusted-domain
    # SID/name options are kept only for API compatibility: they are marked
    # deprecated and hidden from both the CLI and the web UI.
    __doc__ = _("Modify ID range.")

    takes_args = (
        parameters.Str(
            'cn',
            cli_name='name',
            label=_(u'Range name'),
        ),
    )

    takes_options = (
        parameters.Int(
            'ipabaseid',
            required=False,
            cli_name='base_id',
            label=_(u'First Posix ID of the range'),
        ),
        parameters.Int(
            'ipaidrangesize',
            required=False,
            cli_name='range_size',
            label=_(u'Number of IDs in the range'),
        ),
        parameters.Int(
            'ipabaserid',
            required=False,
            cli_name='rid_base',
            label=_(u'First RID of the corresponding RID range'),
        ),
        parameters.Int(
            'ipasecondarybaserid',
            required=False,
            cli_name='secondary_rid_base',
            label=_(u'First RID of the secondary RID range'),
        ),
        # Generic attr=value manipulation; not offered in the web UI.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'delattr',
            required=False,
            multivalue=True,
            doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
            exclude=('webui',),
        ),
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        # Deprecated, API-only compatibility options.
        parameters.Str(
            'ipanttrusteddomainsid',
            required=False,
            deprecated=True,
            exclude=('cli', 'webui'),
        ),
        parameters.Str(
            'ipanttrusteddomainname',
            required=False,
            deprecated=True,
            exclude=('cli', 'webui'),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
    )

    # Standard "mod" result shape.
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class trust_add(Method):
    # Declarative schema of the ``trust-add`` command.  The administrator
    # password and the shared trust secret are declared as ``Password``
    # params rather than ``Str`` so the framework can handle them as secrets;
    # the exact treatment (prompting, masking) is defined by the Password
    # type, not here.
    __doc__ = _(""" Add new trust to use. This command establishes trust relationship to another domain which becomes 'trusted'. As result, users of the trusted domain may access resources of this domain. Only trusts to Active Directory domains are supported right now. The command can be safely run multiple times against the same domain, this will cause change to trust relationship credentials on both sides. """)

    takes_args = (
        parameters.Str(
            'cn',
            cli_name='realm',
            label=_(u'Realm name'),
        ),
    )

    takes_options = (
        # Generic attr=value manipulation; not offered in the web UI.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui', ),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui', ),
        ),
        # Only the 'ad' trust type is offered; it is also the default.
        parameters.Str(
            'trust_type',
            cli_name='type',
            cli_metavar="['ad']",
            label=_(u'Trust type (ad for Active Directory, default)'),
            default=u'ad',
            autofill=True,
        ),
        # Credentials used to establish the trust on the AD side.
        parameters.Str(
            'realm_admin',
            required=False,
            cli_name='admin',
            label=_(u'Active Directory domain administrator'),
        ),
        parameters.Password(
            'realm_passwd',
            required=False,
            cli_name='password',
            label=_(u"Active directory domain administrator's password"),
        ),
        parameters.Str(
            'realm_server',
            required=False,
            cli_name='server',
            label=_(u'Domain controller for the Active Directory domain (optional)'),
        ),
        parameters.Password(
            'trust_secret',
            required=False,
            label=_(u'Shared secret for the trust'),
        ),
        # ID range reserved for the trusted domain.
        parameters.Int(
            'base_id',
            required=False,
            label=_(u'First Posix ID of the range reserved for the trusted domain'),
        ),
        parameters.Int(
            'range_size',
            required=False,
            label=_(u'Size of the ID range reserved for the trusted domain'),
            default=200000,
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui', ),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui', ),
            default=False,
            autofill=True,
        ),
    )

    # Result shape: summary, the trust entry, and its key as plain text.
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry('result', ),
        output.Output(
            'value',
            unicode,
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class ListOfACI(output.Output):
    # Output type for commands that return a list of ACI strings.
    type = (list, tuple)
    doc = _('A list of ACI values')

    def validate(self, cmd, entries):
        """Check that *entries* is a list/tuple whose items are all text.

        The container type is checked with ``assert`` (the convention of the
        output base types); the first non-``unicode`` item raises a
        ``TypeError`` formatted with the shared ``output.emsg`` template.
        """
        assert isinstance(entries, self.type)
        for position, item in enumerate(entries):
            if isinstance(item, unicode):
                continue
            details = (
                cmd.name,
                self.__class__.__name__,
                self.name,
                position,
                unicode,
                type(item),
                item,
            )
            raise TypeError(output.emsg % details)


# Output definition shared by the ACI commands: the ACI as a string, the
# primary-key value and the summary line.
aci_output = (
    output.Output('result', unicode, 'A string representing the ACI'),
    output.value,
    output.summary,
)


def _make_aci_name(aciprefix, aciname):
    """
    Given a name and a prefix construct an ACI name.

    The prefix ``u"none"`` means "no prefix" and the bare name is returned;
    otherwise prefix and name are joined with ``ACI_NAME_PREFIX_SEP``.
    """
    if aciprefix != u"none":
        return aciprefix + ACI_NAME_PREFIX_SEP + aciname
    return aciname
class trust_mod(Method):
    # Declarative schema of the ``trust-mod`` command: the incoming/outgoing
    # SID blacklists plus the generic attribute escape hatches and output
    # flags.
    __doc__ = _(""" Modify a trust (for future use). Currently only the default option to modify the LDAP attributes is available. More specific options will be added in coming releases. """)

    takes_args = (
        parameters.Str(
            'cn',
            cli_name='realm',
            label=_(u'Realm name'),
        ),
    )

    takes_options = (
        # SID filtering lists for the trust.
        parameters.Str(
            'ipantsidblacklistincoming',
            required=False,
            multivalue=True,
            cli_name='sid_blacklist_incoming',
            label=_(u'SID blacklist incoming'),
        ),
        parameters.Str(
            'ipantsidblacklistoutgoing',
            required=False,
            multivalue=True,
            cli_name='sid_blacklist_outgoing',
            label=_(u'SID blacklist outgoing'),
        ),
        # Generic attr=value manipulation; not offered in the web UI.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui', ),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui', ),
        ),
        parameters.Str(
            'delattr',
            required=False,
            multivalue=True,
            doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
            exclude=('webui', ),
        ),
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui', ),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui', ),
            default=False,
            autofill=True,
        ),
    )

    # Result shape: summary, the trust entry, and its key as plain text.
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry('result', ),
        output.Output(
            'value',
            unicode,
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class service_show(Method):
    # Declarative schema of the ``service-show`` command.  ``out`` names a
    # file to store the service certificate in; the writing itself happens in
    # the implementation, not in this declaration.
    __doc__ = _("Display information about an IPA service.")

    takes_args = (
        parameters.Str(
            'krbprincipalname',
            cli_name='principal',
            label=_(u'Principal'),
            doc=_(u'Service principal'),
            no_convert=True,
        ),
    )

    takes_options = (
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        parameters.Str(
            'out',
            required=False,
            doc=_(u'file to store certificate in'),
        ),
        # Output-shaping flags.
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'no_members',
            doc=_(u'Suppress processing of membership attributes.'),
            exclude=('webui', 'cli'),
            default=False,
            autofill=True,
        ),
    )

    # Standard "show" result shape.
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
class whoami(Command):
    # API-only command (NO_CLI): maps the DN of the current LDAP bind to the
    # bindable IPA object that owns it and reports how to look that entry up.
    __doc__ = _('Describe currently authenticated identity.')

    NO_CLI = True

    output_params = (
        Str('object', label=_('Object class name')),
        Str('command', label=_('Function to get details')),
        Str('arguments*', label=_('Arguments to details function')),
    )

    has_output = (
        output.Output('object', unicode, _('Object class name')),
        output.Output('command', unicode, _('Function to get details')),
        output.Output('arguments', list, _('Arguments to details function')),
    )

    def execute(self, **options):
        """
        Retrieve the DN we are authenticated as to LDAP and find bindable
        IPA object that handles the container where this DN belongs to.
        Then report details about this object.

        Returns a dict with ``object`` (name of the bindable object),
        ``command`` (full name of that object's ``show`` method) and
        ``arguments`` (values to pass to it).  All three stay None/empty
        when no object's container matches the bind DN.

        Raises ``errors.NotFound`` for a Directory Manager bind.
        """
        # Objects whose entries sit one level below an extra container:
        # (extra container RDN, first show argument, attribute giving the
        # second show argument).
        two_level = {
            'idoverrideuser': (
                DN("cn={0}".format(DEFAULT_TRUST_VIEW_NAME)),
                DEFAULT_TRUST_VIEW_NAME,
                'ipaOriginalUid',
            ),
        }

        ldap = api.Backend.ldap2
        # whoami_s() call returns a string 'dn: <actual DN value>'
        bind_dn = DN(ldap.conn.whoami_s()[4:])
        # We also reject ldapi-as-root connections as DM is a virtual object
        if bind_dn == DN('cn=Directory Manager'):
            raise errors.NotFound(
                reason=_('Cannot query Directory Manager with API'))
        entry = ldap.get_entry(bind_dn)

        found_name = None
        found_command = None
        found_args = []
        for obj in api.Object():
            if not getattr(obj, 'bindable', None):
                continue
            container = getattr(obj, 'container_dn', None)
            if container is None:
                continue
            special = two_level.get(obj.name)
            # Adjust container for exception two-level objects
            if special is not None:
                container = special[0] + container
            if bind_dn.find(container + api.env.basedn) != 1:
                continue
            # We found exact container this DN belongs to
            found_name = unicode(obj.name)
            found_args = [unicode(entry.single_value.get(obj.primary_key.name))]
            found_command = unicode(obj.methods.show.full_name)
            if special is not None:
                found_args = [
                    unicode(special[1]),
                    unicode(entry.single_value.get(special[2])),
                ]
            break

        return {
            'object': found_name,
            'command': found_command,
            'arguments': found_args,
        }
class service_disallow_retrieve_keytab(Method):
    # Declarative schema of the ``service-disallow-retrieve-keytab`` command:
    # removes users/groups/hosts/host groups from the set allowed to retrieve
    # this service's keytab.  The member options are ``alwaysask`` so the CLI
    # prompts for them when none is given.
    __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this service.")

    takes_args = (
        parameters.Str(
            'krbprincipalname',
            cli_name='principal',
            label=_(u'Principal'),
            doc=_(u'Service principal'),
            no_convert=True,
        ),
    )

    takes_options = (
        # Output-shaping flags.
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'no_members',
            doc=_(u'Suppress processing of membership attributes.'),
            exclude=('webui', 'cli'),
            default=False,
            autofill=True,
        ),
        # Principals to remove from the retrieve-keytab allow list.
        parameters.Str(
            'user',
            required=False,
            multivalue=True,
            cli_name='users',
            label=_(u'member user'),
            doc=_(u'users to remove'),
            alwaysask=True,
        ),
        parameters.Str(
            'group',
            required=False,
            multivalue=True,
            cli_name='groups',
            label=_(u'member group'),
            doc=_(u'groups to remove'),
            alwaysask=True,
        ),
        parameters.Str(
            'host',
            required=False,
            multivalue=True,
            cli_name='hosts',
            label=_(u'member host'),
            doc=_(u'hosts to remove'),
            alwaysask=True,
        ),
        parameters.Str(
            'hostgroup',
            required=False,
            multivalue=True,
            cli_name='hostgroups',
            label=_(u'member host group'),
            doc=_(u'host groups to remove'),
            alwaysask=True,
        ),
    )

    # Membership-change result shape: the entry, the failures, and a count.
    has_output = (
        output.Entry(
            'result',
        ),
        output.Output(
            'failed',
            dict,
            doc=_(u'Members that could not be removed'),
        ),
        output.Output(
            'completed',
            int,
            doc=_(u'Number of members removed'),
        ),
    )
class group_add_member(Method):
    # Declarative schema of the ``group-add-member`` command: adds users,
    # groups or external (trusted-domain) members to a group.
    __doc__ = _("Add members to a group.")

    takes_args = (
        parameters.Str(
            'cn',
            cli_name='group_name',
            label=_(u'Group name'),
            no_convert=True,
        ),
    )

    takes_options = (
        # Members from a trusted domain, in DOM\name or name@domain form.
        parameters.Str(
            'ipaexternalmember',
            required=False,
            multivalue=True,
            cli_name='external',
            label=_(u'External member'),
            doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'),
        ),
        # Output-shaping flags.
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui', ),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui', ),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'no_members',
            doc=_(u'Suppress processing of membership attributes.'),
            exclude=('webui', 'cli'),
            default=False,
            autofill=True,
        ),
        # Local members; ``alwaysask`` makes the CLI prompt when omitted.
        parameters.Str(
            'user',
            required=False,
            multivalue=True,
            cli_name='users',
            label=_(u'member user'),
            doc=_(u'users to add'),
            alwaysask=True,
        ),
        parameters.Str(
            'group',
            required=False,
            multivalue=True,
            cli_name='groups',
            label=_(u'member group'),
            doc=_(u'groups to add'),
            alwaysask=True,
        ),
    )

    # Membership-change result shape: the entry, the failures, and a count.
    has_output = (
        output.Entry('result', ),
        output.Output(
            'failed',
            dict,
            doc=_(u'Members that could not be added'),
        ),
        output.Output(
            'completed',
            int,
            doc=_(u'Number of members added'),
        ),
    )
from ipalib import errors
from ipalib import output
from ipalib.parameters import Int
from ipalib.plugable import Registry
from ipapython.dn import DN

__doc__ = _(""" Raise the IPA Domain Level. """)

register = Registry()

# Inclusive (min, max) pair of domain levels a master supports.
DomainLevelRange = namedtuple('DomainLevelRange', ['min', 'max'])

# Output definition shared by the domain level commands.
domainlevel_output = (
    output.Output('result', int, _('Current domain level:')),
)


def get_domainlevel_dn(api):
    """Return the DN of the domain level entry below ``api.env.basedn``.

    The entry is ``cn=Domain Level,cn=ipa,cn=etc,<basedn>``.
    """
    rdns = (
        ('cn', 'Domain Level'),
        ('cn', 'ipa'),
        ('cn', 'etc'),
    )
    return DN(rdns[0], rdns[1], rdns[2], api.env.basedn)


def get_domainlevel_range(master_entry):
    """Return the ``DomainLevelRange`` advertised by a master entry.

    Reads the first value of ``ipaMinDomainLevel`` and ``ipaMaxDomainLevel``
    as integers; a master that lacks either attribute is reported as
    ``DomainLevelRange(0, 0)``.  A non-numeric value propagates as
    ``ValueError``.
    """
    try:
        lowest = int(master_entry['ipaMinDomainLevel'][0])
        highest = int(master_entry['ipaMaxDomainLevel'][0])
    except KeyError:
        return DomainLevelRange(0, 0)
    return DomainLevelRange(lowest, highest)