class pkinit_status(Search):
__doc__ = _('Report PKINIT status on the IPA masters')
msg_summary = ngettext('%(count)s server matched',
'%(count)s servers matched', 0)
takes_options = Search.takes_options + (
Int(
'timelimit?',
label=_('Time Limit'),
doc=_('Time limit of search in seconds (0 is unlimited)'),
flags=['no_display'],
minvalue=0,
autofill=False,
),
Int(
'sizelimit?',
label=_('Size Limit'),
doc=_('Maximum number of entries returned (0 is unlimited)'),
flags=['no_display'],
minvalue=0,
autofill=False,
),
)
def get_pkinit_status(self, server, status):
backend = self.api.Backend.serverroles
ipa_master_config = backend.config_retrieve("IPA master")
if server is not None:
servers = [server]
else:
servers = ipa_master_config['ipa_master_server']
pkinit_servers = ipa_master_config['pkinit_server_server']
for s in servers:
pkinit_status = {
u'server_server': s,
u'status': (u'enabled' if s in pkinit_servers else u'disabled')
}
if status is not None and pkinit_status[u'status'] != status:
continue
yield pkinit_status
def execute(self, *keys, **options):
if keys:
return dict(result=[], count=0, truncated=False)
server = options.get('server_server', None)
status = options.get('status', None)
if server is not None:
self.api.Object.server_role.ensure_master_exists(server)
result = sorted(self.get_pkinit_status(server, status))
return dict(result=result, count=len(result), truncated=False)
class server_role_find(Search):
__doc__ = _('Find a server role on a server(s)')
obj_name = 'server_role'
attr_name = 'find'
msg_summary = ngettext('%(count)s server role matched',
'%(count)s server roles matched', 0)
takes_options = Search.takes_options + (
Int(
'timelimit?',
label=_('Time Limit'),
doc=_('Time limit of search in seconds (0 is unlimited)'),
flags=['no_display'],
minvalue=0,
autofill=False,
),
Int(
'sizelimit?',
label=_('Size Limit'),
doc=_('Maximum number of entries returned (0 is unlimited)'),
flags=['no_display'],
minvalue=0,
autofill=False,
), Flag(
'include_master',
doc=_('Include IPA master entries'),
))
def execute(self, *keys, **options):
if keys:
return dict(result=[], count=0, truncated=False)
server = options.get('server_server', None)
role_name = options.get('role_servrole', None)
status = options.get('status', None)
if server is not None:
self.obj.ensure_master_exists(server)
role_status = self.obj.backend.server_role_search(
server_server=server, role_servrole=role_name, status=status)
# Don't display "IPA master" information unless the role is
# requested explicitly. All servers are considered IPA masters,
# except for replicas during installation.
if options.get('include_master') or role_name == "IPA master":
result = role_status
else:
result = [
r for r in role_status if r[u'role_servrole'] != "IPA master"
]
return dict(
result=result,
count=len(result),
truncated=False,
)
class server_role_find(Search):
__doc__ = _('Find a server role on a server(s)')
obj_name = 'server_role'
attr_name = 'find'
msg_summary = ngettext('%(count)s server role matched',
'%(count)s server roles matched', 0)
takes_options = Search.takes_options + (
Int(
'timelimit?',
label=_('Time Limit'),
doc=_('Time limit of search in seconds (0 is unlimited)'),
flags=['no_display'],
minvalue=0,
autofill=False,
),
Int(
'sizelimit?',
label=_('Size Limit'),
doc=_('Maximum number of entries returned (0 is unlimited)'),
flags=['no_display'],
minvalue=0,
autofill=False,
),
)
def execute(self, *keys, **options):
if keys:
return dict(
result=[],
count=0,
truncated=False
)
server = options.get('server_server', None)
role_name = options.get('role_servrole', None)
status = options.get('status', None)
if server is not None:
self.obj.ensure_master_exists(server)
role_status = self.obj.backend.server_role_search(
server_server=server,
role_servrole=role_name,
status=status)
result = [
r for r in role_status if r[u'role_servrole'] != "IPA master"]
return dict(
result=result,
count=len(result),
truncated=False,
)
class domainlevel_set(Command):
__doc__ = _('Change current Domain Level.')
has_output = domainlevel_output
takes_args = (
Int('ipadomainlevel',
cli_name='level',
label=_('Domain Level'),
minvalue=0,
),
)
def execute(self, *args, **options):
"""
Checks all the IPA masters for supported domain level ranges.
If the desired domain level is within the supported range of all
masters, it will be raised.
Domain level cannot be lowered.
"""
ldap = self.api.Backend.ldap2
current_entry = ldap.get_entry(get_domainlevel_dn(self.api))
current_value = int(current_entry.single_value['ipadomainlevel'])
desired_value = int(args[0])
# Domain level cannot be lowered
if int(desired_value) < int(current_value):
message = _("Domain Level cannot be lowered.")
raise errors.InvalidDomainLevelError(reason=message)
# Check if every master supports the desired level
for master in get_master_entries(ldap, self.api):
supported = get_domainlevel_range(master)
if supported.min > desired_value or supported.max < desired_value:
message = _("Domain Level cannot be raised to {0}, server {1} "
"does not support it."
).format(desired_value, master['cn'][0])
raise errors.InvalidDomainLevelError(reason=message)
# Check if conflict entries exist in topology subtree
# should be resolved first
check_conflict_entries(ldap, self.api, desired_value)
current_entry.single_value['ipaDomainLevel'] = desired_value
ldap.update_entry(current_entry)
return {'result': int(current_entry.single_value['ipaDomainLevel'])}
class astsite(LDAPObject):
"""
Asterisk site, container for users, extensions, mailboxes and configs.
"""
container_dn = 'cn=asterisk'
object_name = _('Asterisk Site')
object_name_plural = _('Asterisk Sites')
object_class = ['top', 'nsContainer', 'AsteriskSiteDefaults']
default_attributes = ['cn', 'description']
label = _('Asterisk Sites')
label_singular = _('Asterisk Site')
takes_params = (
Str(
'cn',
cli_name='name',
label=_('Site name'),
doc=_('Site Name'),
normalizer=lambda value: value.lower(),
primary_key=True,
),
Str(
'description',
cli_name='description',
label=_('Site Description'),
doc=_('Site Description'),
),
Str(
'astaccountregistrationserver?',
cli_name='default_registrationserver',
label=_('Default registration server'),
doc=
_('Default registration server for this site. You may specify an IP or domain name'
),
),
Str(
'astaccountfromdomain?',
cli_name='default_fromdomain',
label=_('Default FromDomain'),
doc=
_('Sets default From: domain in SIP messages when acting as a SIP ua (client)'
),
),
StrEnum(
'astaccountallowoverlap?',
cli_name='default_allowoverlap',
label=_('AllowOverlap Default'),
doc=
_('Overlap dial provides for a longer time-out period between digits, also called the inter-digit timer. With overlap dial set to off, the gateway expects to receive the digits one right after the other coming in to this line with very little delay between digits'
),
values=(
u'yes',
u'no',
),
),
Str(
'astaccountallowedcodec?',
cli_name='default_allowedcodec',
label=_('Default Allowed Codecs'),
doc=_('Default Allowed Codecs'),
),
Str(
'astaccountdisallowedcodec?',
cli_name='default_disallowedcodec',
label=_('Default Disallowed Codecs'),
doc=_('Default Disallowed Codecs'),
),
StrEnum(
'astaccountamaflags?',
cli_name='default_amaflags',
label=_('AMAflags Default'),
doc=_('Default Automated Message Accounting flags'),
values=(
u'default',
u'omit',
u'billing',
u'documentation',
),
),
Int(
'astaccountcalllimit?',
cli_name='default_calllimit',
label=_('CallLimit Default'),
doc=_(
'Number of simultaneous calls through this user/peer by default'
),
minvalue=0,
),
StrEnum(
'astaccountcanreinvite?',
cli_name='default_canreinvite',
label=_('CanReinvite Default'),
doc=_('Permit direct media traffic between endpoints by default'),
values=(
u'yes',
u'no',
),
),
StrEnum(
'astaccountnat?',
cli_name='default_nat',
label=_('Nat Default'),
doc=
_('Setting it to yes forces RFC 3581 behavior and enables symmetric RTP support. Setting it to no only enables RFC 3581 behavior if the remote side requests it and disables symmetric RTP support. Setting it to force_rport forces RFC 3581 behavior and disables symmetric RTP support. Setting it to comedia enables RFC 3581 behavior if the remote side requests it and enables symmetric RTP support.'
),
values=(
u'yes',
u'no',
u'force_rport',
u'comedia',
),
),
StrEnum(
'astaccountqualify?',
cli_name='default_qualify',
label=_('Qualify Default'),
doc=_('Check if peer is online'),
values=(
u'yes',
u'no',
),
),
StrEnum(
'astaccountdtmfmode?',
cli_name='default_dtmfmode',
label=_('Default Dtmfmode'),
doc=_('Configure DTMF transmission'),
values=(
u'inband',
u'rfc2833',
u'info',
u'auto',
),
),
Str(
'astaccountpermit?',
_validate_ipmask,
cli_name='default_permit',
label=_('Default permitted subnet'),
doc=_('Default permitted subnet in ip/mask format'),
),
Str(
'astaccountdeny?',
_validate_ipmask,
cli_name='default_deny',
label=_('Default denied subnet'),
doc=_('Default permitted subnet in ip/mask format'),
),
Str(
'astaccountlanguage?',
cli_name='default_language',
label=_('Default Language'),
doc=_('Default language for voice prompts'),
),
Str(
'astaccountmusiconhold?',
cli_name='default_musiconhold',
label=_('Default MOH'),
doc=_('Default music on hold category'),
),
Int(
'astaccountrtpholdtimeout?',
cli_name='default_rtpholdtimeout',
label=_('Default RTPHoldTimeout'),
doc=_('Default value for RTP HOLD timeout parameter'),
minvalue=0,
),
Int(
'astaccountrtptimeout?',
cli_name='default_rtptimeout',
label=_('Default RTPtimeout'),
doc=_('Default value for RTP timeout parameter'),
minvalue=0,
),
Str(
'astaccountregistrationcontext?',
cli_name='default_registrationcontext',
label=_('Default registration context'),
doc=
_('If specified, Asterisk will dynamically create and destroy a NoOp priority 1 extension in this context for a given peer who registers '
),
),
Str(
'astaccountsubscribecontext?',
cli_name='default_subscribecontext',
label=_('Default subscribe context'),
doc=_('Set a specific context for SIP SUBSCRIBE requests'),
),
Str(
'astaccounttransport?',
cli_name='default_transport',
label=_('Default transport'),
doc=
_('Default transports in preferred order, comma separated. E.g. tls,tcp,udp'
),
),
StrEnum(
'astaccounttype?',
cli_name='default_type',
label=_('type Default'),
doc=_(' '),
values=(u'user', u'peer', u'friend'),
),
StrEnum(
'astaccountvideosupport?',
cli_name='default_videosupport',
label=_('videosupport Default'),
doc=_(' '),
values=(
u'yes',
u'no',
),
),
#astvoicemailoptions
#astvoicemailtimestamp
#astvoicemailcontext
StrEnum(
'astaccountencryption?',
cli_name='default_encryption',
label=_('encryption Default'),
doc=_(' '),
values=(
u'yes',
u'no',
),
),
#ipaautoastextension
#ipaautoasttemplate
)
class certmaprule(LDAPObject):
"""
Certificate Identity Mapping Rules
"""
label = _('Certificate Identity Mapping Rules')
label_singular = _('Certificate Identity Mapping Rule')
object_name = _('Certificate Identity Mapping Rule')
object_name_plural = _('Certificate Identity Mapping Rules')
object_class = ['ipacertmaprule']
container_dn = api.env.container_certmaprules
default_attributes = [
'cn', 'description', 'ipacertmapmaprule', 'ipacertmapmatchrule',
'associateddomain', 'ipacertmappriority', 'ipaenabledflag'
]
search_attributes = [
'cn', 'description', 'ipacertmapmaprule', 'ipacertmapmatchrule',
'associateddomain', 'ipacertmappriority', 'ipaenabledflag'
]
takes_params = (
Str(
'cn',
cli_name='rulename',
primary_key=True,
label=_('Rule name'),
doc=_('Certificate Identity Mapping Rule name'),
),
Str(
'description?',
cli_name='desc',
label=_('Description'),
doc=_('Certificate Identity Mapping Rule description'),
),
Str(
'ipacertmapmaprule?',
cli_name='maprule',
label=_('Mapping rule'),
doc=_('Rule used to map the certificate with a user entry'),
),
Str(
'ipacertmapmatchrule?',
cli_name='matchrule',
label=_('Matching rule'),
doc=_('Rule used to check if a certificate can be used for'
' authentication'),
),
DNSNameParam(
'associateddomain*',
cli_name='domain',
label=_('Domain name'),
doc=_('Domain where the user entry will be searched'),
),
Int(
'ipacertmappriority?',
cli_name='priority',
label=_('Priority'),
doc=_('Priority of the rule (higher number means lower priority'),
minvalue=0,
),
Flag('ipaenabledflag?',
label=_('Enabled'),
flags=['no_option'],
default=True),
)
permission_filter_objectclasses = ['ipacertmaprule']
managed_permissions = {
'System: Add Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'add'},
'default_privileges':
{'Certificate Identity Mapping Administrators'},
},
'System: Read Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'objectclass',
'cn',
'description',
'ipacertmapmaprule',
'ipacertmapmatchrule',
'associateddomain',
'ipacertmappriority',
'ipaenabledflag',
},
},
'System: Delete Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'delete'},
'default_privileges':
{'Certificate Identity Mapping Administrators'},
},
'System: Modify Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'write'},
'ipapermdefaultattr': {
'objectclass',
'cn',
'description',
'ipacertmapmaprule',
'ipacertmapmatchrule',
'associateddomain',
'ipacertmappriority',
'ipaenabledflag',
},
'default_privileges':
{'Certificate Identity Mapping Administrators'},
},
}
class subid(LDAPObject):
"""Subordinate id object."""
container_dn = api.env.container_subids
object_name = _("Subordinate id")
object_name_plural = _("Subordinate ids")
label = _("Subordinate ids")
label_singular = _("Subordinate id")
object_class = ["ipasubordinateidentry"]
possible_objectclasses = [
"ipasubordinategid",
"ipasubordinateuid",
"ipasubordinateid",
]
default_attributes = [
"ipauniqueid",
"ipaowner",
"ipasubuidnumber",
"ipasubuidcount",
"ipasubgidnumber",
"ipasubgidcount",
]
allow_rename = False
permission_filter_objectclasses_string = (
"(objectclass=ipasubordinateidentry)")
managed_permissions = {
# all authenticated principals can read subordinate id information
"System: Read Subordinate Id Attributes": {
"ipapermbindruletype": "all",
"ipapermright": {"read", "search", "compare"},
"ipapermtargetfilter": [
permission_filter_objectclasses_string,
],
"ipapermdefaultattr": {
"objectclass",
"ipauniqueid",
"description",
"ipaowner",
"ipasubuidnumber",
"ipasubuidcount",
"ipasubgidnumber",
"ipasubgidcount",
},
},
"System: Read Subordinate Id Count": {
"ipapermbindruletype": "all",
"ipapermright": {"read", "search", "compare"},
"ipapermtargetfilter": [],
"ipapermtarget": DN(container_dn, api.env.basedn),
"ipapermdefaultattr": {"numSubordinates"},
},
# user administrators can remove subordinate ids or update the
# ipaowner attribute. This enables user admins to remove users
# with assigned subids or move them to staging area (--preserve).
"System: Manage Subordinate Ids": {
"ipapermright": {"write"},
"ipapermtargetfilter": [
permission_filter_objectclasses_string,
],
"ipapermdefaultattr": {
"description",
"ipaowner", # allow user admins to preserve users
},
"default_privileges": {"User Administrators"},
},
"System: Remove Subordinate Ids": {
"ipapermright": {"delete"},
"ipapermtargetfilter": [
permission_filter_objectclasses_string,
],
"default_privileges": {"User Administrators"},
},
}
takes_params = (
Str(
"ipauniqueid",
cli_name="id",
label=_("Unique ID"),
primary_key=True,
flags={"optional_create"},
),
Str(
"description?",
cli_name="desc",
label=_("Description"),
doc=_("Subordinate id description"),
),
Str(
"ipaowner",
cli_name="owner",
label=_("Owner"),
doc=_("Owning user of subordinate id entry"),
flags={"no_update"},
),
Int(
"ipasubuidnumber?",
label=_("SubUID range start"),
cli_name="subuid",
doc=_("Start value for subordinate user ID (subuid) range"),
flags={"no_update"},
minvalue=constants.SUBID_RANGE_START,
maxvalue=constants.SUBID_RANGE_MAX,
),
Int(
"ipasubuidcount?",
label=_("SubUID range size"),
cli_name="subuidcount",
doc=_("Subordinate user ID count"),
flags={"no_create", "no_update", "no_search"}, # auto-assigned
minvalue=constants.SUBID_COUNT,
maxvalue=constants.SUBID_COUNT,
),
Int(
"ipasubgidnumber?",
label=_("SubGID range start"),
cli_name="subgid",
doc=_("Start value for subordinate group ID (subgid) range"),
flags={"no_create", "no_update"}, # auto-assigned
minvalue=constants.SUBID_RANGE_START,
maxvalue=constants.SUBID_RANGE_MAX,
),
Int(
"ipasubgidcount?",
label=_("SubGID range size"),
cli_name="subgidcount",
doc=_("Subordinate group ID count"),
flags={"no_create", "no_update", "no_search"}, # auto-assigned
minvalue=constants.SUBID_COUNT,
maxvalue=constants.SUBID_COUNT,
),
)
def fixup_objectclass(self, entry_attrs):
"""Add missing object classes to entry"""
has_subuid = "ipasubuidnumber" in entry_attrs
has_subgid = "ipasubgidnumber" in entry_attrs
candicates = set(self.object_class)
if has_subgid:
candicates.add("ipasubordinategid")
if has_subuid:
candicates.add("ipasubordinateuid")
if has_subgid and has_subuid:
candicates.add("ipasubordinateid")
entry_oc = entry_attrs.setdefault("objectclass", [])
current_oc = {x.lower() for x in entry_oc}
for oc in candicates.difference(current_oc):
entry_oc.append(oc)
def handle_duplicate_entry(self, *keys):
if hasattr(context, "subid_owner_dn"):
uid = context.subid_owner_dn[0].value
msg = _(
'%(oname)s with with name "%(pkey)s" or for user "%(uid)s" '
"already exists.") % {
"uid": uid,
"pkey": keys[-1] if keys else "",
"oname": self.object_name,
}
raise errors.DuplicateEntry(message=msg) from None
else:
super().handle_duplicate_entry(*keys)
def convert_owner(self, entry_attrs, options):
"""Change owner from DN to uid string"""
if not options.get("raw", False) and "ipaowner" in entry_attrs:
userobj = self.api.Object.user
entry_attrs["ipaowner"] = [
userobj.get_primary_key_from_dn(entry_attrs["ipaowner"][0])
]
def get_owner_dn(self, *keys, **options):
"""Get owning user entry entry (username or DN)"""
owner = keys[-1]
userobj = self.api.Object.user
if isinstance(owner, DN):
# it's already a DN, validate it's either an active or preserved
# user. Ref integrity plugin checks that it's not a dangling DN.
user_dns = (
DN(userobj.active_container_dn, self.api.env.basedn),
DN(userobj.delete_container_dn, self.api.env.basedn),
)
if not owner.endswith(user_dns):
raise errors.ValidationError(
name="ipaowner",
error=_("'%(dn)s is not a valid user") % {"dn": owner},
)
return owner
# similar to user.get_either_dn() but with error reporting and
# returns an entry
ldap = self.backend
try:
active_dn = userobj.get_dn(owner, **options)
entry = ldap.get_entry(active_dn, attrs_list=[])
return entry.dn
except errors.NotFound:
# fall back to deleted user
try:
delete_dn = userobj.get_delete_dn(owner, **options)
entry = ldap.get_entry(delete_dn, attrs_list=[])
return entry.dn
except errors.NotFound:
raise userobj.handle_not_found(owner)
def handle_subordinate_ids(self, ldap, dn, entry_attrs):
"""Handle ipaSubordinateId object class"""
new_subuid = entry_attrs.single_value.get("ipasubuidnumber")
new_subgid = entry_attrs.single_value.get("ipasubgidnumber")
if new_subuid is None:
new_subuid = DNA_MAGIC
# enforce subuid == subgid
if new_subgid is not None and new_subgid != new_subuid:
raise errors.ValidationError(
name="ipasubgidnumber",
error=_("subgidnumber must be equal to subuidnumber"),
)
self.set_subordinate_ids(ldap, dn, entry_attrs, new_subuid)
return True
def set_subordinate_ids(self, ldap, dn, entry_attrs, subuid):
"""Set subuid value of an entry
Takes care of objectclass and sibbling attributes
"""
if "objectclass" not in entry_attrs:
_entry_attrs = ldap.get_entry(dn, ["objectclass"])
entry_attrs["objectclass"] = _entry_attrs["objectclass"]
entry_attrs["ipasubuidnumber"] = subuid
# enforce subuid == subgid for now
entry_attrs["ipasubgidnumber"] = subuid
# hard-coded constants
entry_attrs["ipasubuidcount"] = constants.SUBID_COUNT
entry_attrs["ipasubgidcount"] = constants.SUBID_COUNT
self.fixup_objectclass(entry_attrs)
def get_subid_match_candidate_filter(
self,
ldap,
*,
subuid,
subgid,
extra_filters=(),
offset=None,
):
"""Create LDAP filter to locate matching/overlapping subids"""
if subuid is None and subgid is None:
raise ValueError("subuid and subgid are both None")
if offset is None:
# assumes that no subordinate count is larger than SUBID_COUNT
offset = constants.SUBID_COUNT - 1
class_filters = "(objectclass=ipasubordinateid)"
subid_filters = []
if subuid is not None:
subid_filters.append(
ldap.combine_filters(
[
f"(ipasubuidnumber>={subuid - offset})",
f"(ipasubuidnumber<={subuid + offset})",
],
rules=ldap.MATCH_ALL,
))
if subgid is not None:
subid_filters.append(
ldap.combine_filters(
[
f"(ipasubgidnumber>={subgid - offset})",
f"(ipasubgidnumber<={subgid + offset})",
],
rules=ldap.MATCH_ALL,
))
subid_filters = ldap.combine_filters(subid_filters,
rules=ldap.MATCH_ANY)
filters = [class_filters, subid_filters]
filters.extend(extra_filters)
return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
Str(
'radiusframedipaddress?',
validate_ipaddr,
cli_name='radius_ip_addr',
label=_('Radius Framed IP Address'),
),
Str(
'radiusframedroute*',
validate_ipnet,
cli_name='radius_route',
label=_('Radius Framed route'),
# normalizer = framed_route_normalizer,
),
Int(
'radiusclass?',
cli_name='radius_class',
label=_('Radius Class'),
minvalue=0,
),
)
def useradd_precallback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options):
entry_attrs['objectclass'].append('radiusprofile')
self.log.debug('Adding radiusprofile objectClass')
return dn
def usermod_precallback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options):
if 'objectclass' not in entry_attrs.keys():