def execute(self, aciname, aciprefix, **options):
"""
Execute the aci-delete operation.
:param aciname: The name of the ACI being deleted.
:param aciprefix: The ACI prefix.
"""
ldap = self.api.Backend.ldap2
entry = ldap.get_entry(self.api.env.basedn, ["aci"])
acistrs = entry.get("aci", [])
acis = _convert_strings_to_acis(acistrs)
aci = _find_aci_by_name(acis, aciprefix, aciname)
for a in acistrs:
candidate = ACI(a)
if aci.isequal(candidate):
acistrs.remove(a)
break
entry["aci"] = acistrs
ldap.update_entry(entry)
return dict(result=True, value=pkey_to_value(aciname, options))
def execute(self, *keys, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(*keys, **options)
def_values = {}
# if reseting policy for a user - just his values
if keys[-1] is not None:
for a in self.obj.default_attributes:
def_values[a] = None
# if reseting global policy - set values to default
else:
def_values = _default_values
entry = ldap.get_entry(dn, def_values.keys())
entry.update(def_values)
try:
ldap.update_entry(entry)
except errors.EmptyModlist:
pass
if keys[-1] is not None:
# policy for user was deleted, retrieve global policy
dn = self.obj.get_dn(None)
entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
entry_attrs = entry_to_dict(entry_attrs, **options)
return dict(result=entry_attrs, value=pkey_to_value(keys[-1], options))
def execute(self, aciname, **kw):
"""
Execute the aci-create operation.
Returns the entry as it will be created in LDAP.
:param aciname: The name of the ACI being added.
:param kw: Keyword arguments for the other LDAP attributes.
"""
assert "aciname" not in kw
ldap = self.api.Backend.ldap2
newaci = _make_aci(ldap, None, aciname, kw)
entry = ldap.get_entry(self.api.env.basedn, ["aci"])
acis = _convert_strings_to_acis(entry.get("aci", []))
for a in acis:
# FIXME: add check for permission_group = permission_group
if a.isequal(newaci) or newaci.name == a.name:
raise errors.DuplicateEntry()
newaci_str = unicode(newaci)
entry.setdefault("aci", []).append(newaci_str)
if not kw.get("test", False):
ldap.update_entry(entry)
if kw.get("raw", False):
result = dict(aci=unicode(newaci_str))
else:
result = _aci_to_kw(ldap, newaci, kw.get("test", False))
return dict(result=result, value=pkey_to_value(aciname, kw))
def execute(self, aciname, aciprefix, **options):
"""
Execute the aci-delete operation.
:param aciname: The name of the ACI being deleted.
:param aciprefix: The ACI prefix.
"""
ldap = self.api.Backend.ldap2
entry = ldap.get_entry(self.api.env.basedn, ['aci'])
acistrs = entry.get('aci', [])
acis = _convert_strings_to_acis(acistrs)
aci = _find_aci_by_name(acis, aciprefix, aciname)
for a in acistrs:
candidate = ACI(a)
if aci.isequal(candidate):
acistrs.remove(a)
break
entry['aci'] = acistrs
ldap.update_entry(entry)
return dict(
result=True,
value=pkey_to_value(aciname, options),
)
def execute(self, *keys, **options):
ldap = self.api.Backend.ldap2
key = options['automountkey']
info = options.get('automountinformation', None)
keys += (self.obj.get_pk(key, info), )
# handle RDN changes
if 'rename' in options or 'newautomountinformation' in options:
new_key = options.get('rename', key)
new_info = options.get('newautomountinformation', info)
if new_key == DIRECT_MAP_KEY and not new_info:
# automountinformation attribute of existing LDAP object needs
# to be retrieved so that RDN can be generated
dn = self.obj.get_dn(*keys, **options)
entry_attrs_ = ldap.get_entry(dn, ['automountinformation'])
new_info = entry_attrs_.get('automountinformation', [])[0]
# automounkey attribute cannot be overwritten so that get_dn()
# still works right
options['newautomountkey'] = new_key
new_rdn = self.obj.get_pk(new_key, new_info)
if new_rdn != keys[-1]:
options['rename'] = new_rdn
result = super(automountkey_mod, self).execute(*keys, **options)
result['value'] = pkey_to_value(options['automountkey'], options)
return result
def execute(self, aciname, **kw):
result = api.Command['aci_show'](aciname, aciprefix=ACI_PREFIX, **kw)['result']
self.obj.postprocess_result(result)
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, aciname, **kw):
"""
Execute the aci-show operation.
Returns the entry
:param uid: The login name of the user to retrieve.
:param kw: unused
"""
ldap = self.api.Backend.ldap2
dn = kw.get('location', self.api.env.basedn)
entry = ldap.get_entry(dn, ['aci'])
acis = _convert_strings_to_acis(entry.get('aci', []))
aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
if kw.get('raw', False):
result = dict(aci=unicode(aci))
else:
result = _aci_to_kw(ldap, aci)
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, *keys, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(*keys, **options)
def_values = {}
# if reseting policy for a user - just his values
if keys[-1] is not None:
for a in self.obj.default_attributes:
def_values[a] = None
# if reseting global policy - set values to default
else:
def_values = _default_values
entry = ldap.get_entry(dn, def_values.keys())
entry.update(def_values)
try:
ldap.update_entry(entry)
except errors.EmptyModlist:
pass
if keys[-1] is not None:
# policy for user was deleted, retrieve global policy
dn = self.obj.get_dn(None)
entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
entry_attrs = entry_to_dict(entry_attrs, **options)
return dict(result=entry_attrs, value=pkey_to_value(keys[-1], options))
def execute(self, aciname, **kw):
"""
Execute the aci-show operation.
Returns the entry
:param uid: The login name of the user to retrieve.
:param kw: unused
"""
ldap = self.api.Backend.ldap2
dn = kw.get('location', self.api.env.basedn)
entry = ldap.get_entry(dn, ['aci'])
acis = _convert_strings_to_acis(entry.get('aci', []))
aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
if kw.get('raw', False):
result = dict(aci=unicode(aci))
else:
result = _aci_to_kw(ldap, aci)
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, cn, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(cn)
if not options['ipasudoopt'].strip():
raise errors.EmptyModlist()
entry_attrs = ldap.get_entry(dn, ['ipasudoopt'])
try:
if options['ipasudoopt'] not in entry_attrs['ipasudoopt']:
entry_attrs.setdefault('ipasudoopt', []).append(
options['ipasudoopt'])
else:
raise errors.DuplicateEntry
except KeyError:
entry_attrs.setdefault('ipasudoopt', []).append(
options['ipasudoopt'])
try:
ldap.update_entry(entry_attrs)
except errors.EmptyModlist:
pass
except errors.NotFound:
self.obj.handle_not_found(cn)
attrs_list = self.obj.default_attributes
entry_attrs = ldap.get_entry(dn, attrs_list)
entry_attrs = entry_to_dict(entry_attrs, **options)
return dict(result=entry_attrs, value=pkey_to_value(cn, options))
def execute(self, cn, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(cn)
if not options['ipasudoopt'].strip():
raise errors.EmptyModlist()
entry_attrs = ldap.get_entry(dn, ['ipasudoopt'])
try:
if options['ipasudoopt'] not in entry_attrs['ipasudoopt']:
entry_attrs.setdefault('ipasudoopt', []).append(
options['ipasudoopt'])
else:
raise errors.DuplicateEntry
except KeyError:
entry_attrs.setdefault('ipasudoopt', []).append(
options['ipasudoopt'])
try:
ldap.update_entry(entry_attrs)
except errors.EmptyModlist:
pass
except errors.NotFound:
self.obj.handle_not_found(cn)
attrs_list = self.obj.default_attributes
entry_attrs = ldap.get_entry(dn, attrs_list)
entry_attrs = entry_to_dict(entry_attrs, **options)
return dict(result=entry_attrs, value=pkey_to_value(cn, options))
def execute(self, aciname, **kw):
result = api.Command['aci_del'](aciname, aciprefix=ACI_PREFIX)
self.obj.postprocess_result(result)
return dict(
result=True,
value=pkey_to_value(aciname, kw),
)
def execute(self, aciname, **kw):
result = api.Command['aci_show'](aciname, aciprefix=ACI_PREFIX,
**kw)['result']
self.obj.postprocess_result(result)
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, aciname, **kw):
result = api.Command['aci_del'](aciname, aciprefix=ACI_PREFIX)
self.obj.postprocess_result(result)
return dict(
result=True,
value=pkey_to_value(aciname, kw),
)
def execute(self, *keys, **options):
key = options['automountkey']
info = options.get('automountinformation', None)
options[self.obj.primary_key.name] = self.obj.get_pk(key, info)
options['add_operation'] = True
result = super(automountkey_add, self).execute(*keys, **options)
result['value'] = pkey_to_value(options['automountkey'], options)
return result
def execute(self, *keys, **options):
keys += (self.obj.get_pk(options['automountkey'],
options.get('automountinformation', None)),)
options[self.obj.primary_key.name] = self.obj.get_pk(
options['automountkey'],
options.get('automountinformation', None))
result = super(automountkey_del, self).execute(*keys, **options)
result['value'] = pkey_to_value([options['automountkey']], options)
return result
def execute(self, *keys, **options):
ldap = self.obj.backend
dn = self.obj.get_either_dn(*keys, **options)
ldap.activate_entry(dn)
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
def execute(self, *keys, **options):
dn = self.obj.get_dn(*keys, **options)
entry = self.obj.backend.get_entry(dn, ['objectclass', '*'])
lsm = LdapSyncManager(self, dn, None, entry)
lsm.update_local()
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
def execute(self, aciname, **kw):
if not 'permissions' in kw:
kw['permissions'] = (u'write',)
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_add'](aciname, **kw)['result']
self.obj.postprocess_result(result)
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, aciname, **kw):
if not 'permissions' in kw:
kw['permissions'] = (u'write', )
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_add'](aciname, **kw)['result']
self.obj.postprocess_result(result)
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, *keys, **options):
staged = []
failed = []
for key in keys[-1]:
single_keys = keys[:-1] + (key,)
multi_keys = keys[:-1] + ((key,),)
user = self.api.Command.user_show(*single_keys, all=True)['result']
new_options = {}
for param in self.api.Command.stageuser_add.options():
try:
value = user[param.name]
except KeyError:
continue
if param.multivalue and not isinstance(value, (list, tuple)):
value = [value]
elif not param.multivalue and isinstance(value, (list, tuple)):
value = value[0]
new_options[param.name] = value
try:
self.api.Command.stageuser_add(*single_keys, **new_options)
try:
self.api.Command.user_del(*multi_keys, preserve=False)
except errors.ExecutionError:
self.api.Command.stageuser_del(*multi_keys)
raise
except errors.ExecutionError:
if not options['continue']:
raise
failed.append(key)
else:
staged.append(key)
return dict(
result=dict(
failed=pkey_to_value(failed, options),
),
value=pkey_to_value(staged, options),
)
def execute(self, *keys, **options):
ldap = self.obj.backend
check_protected_member(keys[-1])
dn = self.obj.get_either_dn(*keys, **options)
ldap.deactivate_entry(dn)
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
def execute(self, *args, **options):
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
self.api.env.basedn)
filter = '(&(objectClass=ipaConfigObject)(cn=KRA))'
try:
self.api.Backend.ldap2.find_entries(
base_dn=base_dn, filter=filter, attrs_list=[])
except errors.NotFound:
result = False
else:
result = True
return dict(result=result, value=pkey_to_value(None, options))
def execute(self, aciname, **kw):
if 'attrs' in kw and kw['attrs'] is None:
raise errors.RequirementError(name='attrs')
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_mod'](aciname, **kw)['result']
self.obj.postprocess_result(result)
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, aciname, **kw):
if 'attrs' in kw and kw['attrs'] is None:
raise errors.RequirementError(name='attrs')
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_mod'](aciname, **kw)['result']
self.obj.postprocess_result(result)
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, *keys, **options):
__doc__ = _("""
Override this so we can set completed and failed.
""")
try:
result = super(automember_remove_condition, self).execute(*keys, **options)
except errors.EmptyModlist:
result = {'result': getattr(context, 'entry_attrs'), 'value': keys[-1]}
result['failed'] = getattr(context, 'failed')
result['completed'] = getattr(context, 'completed')
result['value'] = pkey_to_value(keys[-1], options)
return result
def execute(self, *args, **options):
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
self.api.env.basedn)
filter = '(&(objectClass=ipaConfigObject)(cn=CA))'
try:
self.api.Backend.ldap2.find_entries(base_dn=base_dn,
filter=filter,
attrs_list=[])
except errors.NotFound:
result = False
else:
result = True
return dict(result=result, value=pkey_to_value(None, options))
def execute(self, *keys, **options):
# We are going to permanent delete or the user is already in the delete container.
delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
# The user to delete is active and there is no 'no_preserve' option
if options.get('preserve', False):
failed = []
preserved = []
for pkey in keys[-1]:
try:
self._preserve_user(pkey, delete_container, **options)
preserved.append(pkey_to_value(pkey, options))
except:
if not options.get('continue', False):
raise
failed.append(pkey_to_value(pkey, options))
val = dict(result=dict(failed=failed), value=preserved)
return val
else:
return super(user_del, self).execute(*keys, **options)
def execute(self, *keys, **options):
dn = self.obj.get_dn(*keys, **options)
entry = self.obj.backend.get_entry(dn, ['objectclass'])
if 'eduPerson' not in entry['objectclass']:
entry['objectclass'].append('eduPerson')
self.obj.backend.update_entry(entry)
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
def execute(self, *keys, **options):
dn = self.obj.get_either_dn(*keys, **options)
entry = self.obj.backend.get_entry(
dn, ['krbLastAdminUnlock', 'krbLoginFailedCount'])
entry['krbLastAdminUnlock'] = [strftime("%Y%m%d%H%M%SZ", gmtime())]
entry['krbLoginFailedCount'] = ['0']
self.obj.backend.update_entry(entry)
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
def execute(self, aciname, **kw):
aciprefix = kw['aciprefix']
ldap = self.api.Backend.ldap2
entry = ldap.get_entry(self.api.env.basedn, ['aci'])
acis = _convert_strings_to_acis(entry.get('aci', []))
aci = _find_aci_by_name(acis, aciprefix, aciname)
# The strategy here is to convert the ACI we're updating back into
# a series of keywords. Then we replace any keywords that have been
# updated and convert that back into an ACI and write it out.
oldkw = _aci_to_kw(ldap, aci)
newkw = deepcopy(oldkw)
if newkw.get('selfaci', False):
# selfaci is set in aci_to_kw to True only if the target is self
kw['selfaci'] = True
newkw.update(kw)
for acikw in (oldkw, newkw):
acikw.pop('aciname', None)
# _make_aci is what is run in aci_add and validates the input.
# Do this before we delete the existing ACI.
newaci = _make_aci(ldap, None, aciname, newkw)
if aci.isequal(newaci):
raise errors.EmptyModlist()
self.api.Command['aci_del'](aciname, aciprefix=aciprefix)
try:
result = self.api.Command['aci_add'](aciname, **newkw)['result']
except Exception as e:
# ACI could not be added, try to restore the old deleted ACI and
# report the ADD error back to user
try:
self.api.Command['aci_add'](aciname, **oldkw)
except Exception:
pass
raise e
if kw.get('raw', False):
result = dict(aci=unicode(newaci))
else:
result = _aci_to_kw(ldap, newaci)
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, aciname, **kw):
aciprefix = kw['aciprefix']
ldap = self.api.Backend.ldap2
entry = ldap.get_entry(self.api.env.basedn, ['aci'])
acis = _convert_strings_to_acis(entry.get('aci', []))
aci = _find_aci_by_name(acis, aciprefix, aciname)
# The strategy here is to convert the ACI we're updating back into
# a series of keywords. Then we replace any keywords that have been
# updated and convert that back into an ACI and write it out.
oldkw = _aci_to_kw(ldap, aci)
newkw = deepcopy(oldkw)
if newkw.get('selfaci', False):
# selfaci is set in aci_to_kw to True only if the target is self
kw['selfaci'] = True
newkw.update(kw)
for acikw in (oldkw, newkw):
acikw.pop('aciname', None)
# _make_aci is what is run in aci_add and validates the input.
# Do this before we delete the existing ACI.
newaci = _make_aci(ldap, None, aciname, newkw)
if aci.isequal(newaci):
raise errors.EmptyModlist()
self.api.Command['aci_del'](aciname, aciprefix=aciprefix)
try:
result = self.api.Command['aci_add'](aciname, **newkw)['result']
except Exception as e:
# ACI could not be added, try to restore the old deleted ACI and
# report the ADD error back to user
try:
self.api.Command['aci_add'](aciname, **oldkw)
except Exception:
pass
raise e
if kw.get('raw', False):
result = dict(aci=unicode(newaci))
else:
result = _aci_to_kw(ldap, newaci)
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, cn, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(cn)
try:
entry_attrs = ldap.get_entry(dn, ["ipaenabledflag"])
except errors.NotFound:
self.obj.handle_not_found(cn)
entry_attrs["ipaenabledflag"] = ["FALSE"]
try:
ldap.update_entry(entry_attrs)
except errors.EmptyModlist:
pass
return dict(result=True, value=pkey_to_value(cn, options))
def execute(self, *keys, **options):
dn = self.obj.get_dn(*keys, **options)
entry = self.obj.backend.get_entry(dn, ['objectclass', 'rfidKey', 'rfidDoorAccess'])
while 'rfidDoorControl' in entry['objectclass']:
entry['objectclass'].remove('rfidDoorControl')
for att in ('rfidKey', 'rfidDoorAccess'):
try:
del entry[att]
except KeyError:
pass
self.obj.backend.update_entry(entry)
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
def execute(self, *keys, **options):
dn = self.obj.get_dn(*keys, **options)
entry = self.obj.backend.get_entry(dn, ['objectclass'] + ATTRIBUTES)
while 'eduPerson' in entry['objectclass']:
entry['objectclass'].remove('eduPerson')
for att in ATTRIBUTES:
try:
del entry[att]
except KeyError:
pass
self.obj.backend.update_entry(entry)
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
def execute(self, cn, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(cn)
try:
entry_attrs = ldap.get_entry(dn, ['ipaenabledflag'])
except errors.NotFound:
self.obj.handle_not_found(cn)
entry_attrs['ipaenabledflag'] = ['FALSE']
try:
ldap.update_entry(entry_attrs)
except errors.EmptyModlist:
pass
return dict(
result=True,
value=pkey_to_value(cn, options),
)
def execute(self, cn, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(cn)
try:
entry_attrs = ldap.get_entry(dn, ['ipaenabledflag'])
except errors.NotFound:
self.obj.handle_not_found(cn)
entry_attrs['ipaenabledflag'] = ['FALSE']
try:
ldap.update_entry(entry_attrs)
except errors.EmptyModlist:
raise errors.AlreadyInactive()
return dict(
result=True,
value=pkey_to_value(cn, options),
)
def execute(self, aciname, **kw):
ldap = self.api.Backend.ldap2
entry = ldap.get_entry(self.api.env.basedn, ['aci'])
acis = _convert_strings_to_acis(entry.get('aci', []))
aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
for a in acis:
prefix, name = _parse_aci_name(a.name)
if _make_aci_name(prefix, kw['newname']) == a.name:
raise errors.DuplicateEntry()
# The strategy here is to convert the ACI we're updating back into
# a series of keywords. Then we replace any keywords that have been
# updated and convert that back into an ACI and write it out.
newkw = _aci_to_kw(ldap, aci)
if 'selfaci' in newkw and newkw['selfaci'] == True:
# selfaci is set in aci_to_kw to True only if the target is self
kw['selfaci'] = True
if 'aciname' in newkw:
del newkw['aciname']
# _make_aci is what is run in aci_add and validates the input.
# Do this before we delete the existing ACI.
newaci = _make_aci(ldap, None, kw['newname'], newkw)
self.api.Command['aci_del'](aciname, aciprefix=kw['aciprefix'])
result = self.api.Command['aci_add'](kw['newname'], **newkw)['result']
if kw.get('raw', False):
result = dict(aci=unicode(newaci))
else:
result = _aci_to_kw(ldap, newaci)
return dict(
result=result,
value=pkey_to_value(kw['newname'], kw),
)
def execute(self, aciname, **kw):
ldap = self.api.Backend.ldap2
entry = ldap.get_entry(self.api.env.basedn, ['aci'])
acis = _convert_strings_to_acis(entry.get('aci', []))
aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
for a in acis:
prefix, name = _parse_aci_name(a.name)
if _make_aci_name(prefix, kw['newname']) == a.name:
raise errors.DuplicateEntry()
# The strategy here is to convert the ACI we're updating back into
# a series of keywords. Then we replace any keywords that have been
# updated and convert that back into an ACI and write it out.
newkw = _aci_to_kw(ldap, aci)
if 'selfaci' in newkw and newkw['selfaci'] == True:
# selfaci is set in aci_to_kw to True only if the target is self
kw['selfaci'] = True
if 'aciname' in newkw:
del newkw['aciname']
# _make_aci is what is run in aci_add and validates the input.
# Do this before we delete the existing ACI.
newaci = _make_aci(ldap, None, kw['newname'], newkw)
self.api.Command['aci_del'](aciname, aciprefix=kw['aciprefix'])
result = self.api.Command['aci_add'](kw['newname'], **newkw)['result']
if kw.get('raw', False):
result = dict(aci=unicode(newaci))
else:
result = _aci_to_kw(ldap, newaci)
return dict(
result=result,
value=pkey_to_value(kw['newname'], kw),
)
def execute(self, *keys, **options):
ldap = self.obj.backend
# First check that the user exists and is a delete one
delete_dn = self.obj.get_either_dn(*keys, **options)
try:
entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if delete_dn.endswith(DN(self.obj.active_container_dn,
api.env.basedn)):
raise errors.InvocationError(
message=_('user "%s" is already active') % keys[-1])
active_dn = DN(delete_dn[0], self.obj.active_container_dn, api.env.basedn)
# start to move the entry to the Active container
self._exc_wrapper(keys, options, ldap.move_entry)(delete_dn, active_dn, del_old=True)
# add the user we just undelete into the default primary group
config = ldap.get_ipa_config()
def_primary_group = config.get('ipadefaultprimarygroup')
group_dn = self.api.Object['group'].get_dn(def_primary_group)
# if the user is already a member of default primary group,
# do not raise error
# this can happen if automember rule or default group is set
try:
ldap.add_entry_to_group(active_dn, group_dn)
except errors.AlreadyGroupMember:
pass
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
def execute(self, aciname, **kw):
"""
Execute the aci-create operation.
Returns the entry as it will be created in LDAP.
:param aciname: The name of the ACI being added.
:param kw: Keyword arguments for the other LDAP attributes.
"""
assert 'aciname' not in kw
ldap = self.api.Backend.ldap2
newaci = _make_aci(ldap, None, aciname, kw)
entry = ldap.get_entry(self.api.env.basedn, ['aci'])
acis = _convert_strings_to_acis(entry.get('aci', []))
for a in acis:
# FIXME: add check for permission_group = permission_group
if a.isequal(newaci) or newaci.name == a.name:
raise errors.DuplicateEntry()
newaci_str = unicode(newaci)
entry.setdefault('aci', []).append(newaci_str)
if not kw.get('test', False):
ldap.update_entry(entry)
if kw.get('raw', False):
result = dict(aci=unicode(newaci_str))
else:
result = _aci_to_kw(ldap, newaci, kw.get('test', False))
return dict(
result=result,
value=pkey_to_value(aciname, kw),
)
def execute(self, *keys, **options):
ldap = self.obj.backend
# If we aren't given a fqdn, find it
if _hostname_validator(None, keys[-1]) is not None:
hostentry = api.Command['host_show'](keys[-1])['result']
fqdn = hostentry['fqdn'][0]
else:
fqdn = keys[-1]
host_is_master(ldap, fqdn)
# See if we actually do anthing here, and if not raise an exception
done_work = False
truncated = True
while truncated:
try:
ret = api.Command['service_find'](fqdn)
truncated = ret['truncated']
services = ret['result']
except errors.NotFound:
break
else:
for entry_attrs in services:
principal = entry_attrs['krbprincipalname'][0]
(service, hostname, realm) = split_principal(principal)
if hostname.lower() == fqdn:
try:
api.Command['service_disable'](principal)
done_work = True
except errors.AlreadyInactive:
pass
dn = self.obj.get_dn(*keys, **options)
try:
entry_attrs = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound:
self.obj.handle_not_found(*keys)
if self.api.Command.ca_is_enabled()['result']:
certs = entry_attrs.get('usercertificate', [])
if certs:
revoke_certs(certs, self.log)
# Remove the usercertificate altogether
entry_attrs['usercertificate'] = None
ldap.update_entry(entry_attrs)
done_work = True
self.obj.get_password_attributes(ldap, dn, entry_attrs)
if entry_attrs['has_keytab']:
ldap.remove_principal_key(dn)
done_work = True
if not done_work:
raise errors.AlreadyInactive()
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
def execute(self, *keys, **options):
ldap = self.obj.backend
# If we aren't given a fqdn, find it
if _hostname_validator(None, keys[-1]) is not None:
hostentry = api.Command['host_show'](keys[-1])['result']
fqdn = hostentry['fqdn'][0]
else:
fqdn = keys[-1]
host_is_master(ldap, fqdn)
# See if we actually do anthing here, and if not raise an exception
done_work = False
truncated = True
while truncated:
try:
ret = api.Command['service_find'](fqdn)
truncated = ret['truncated']
services = ret['result']
except errors.NotFound:
break
else:
for entry_attrs in services:
principal = entry_attrs['krbprincipalname'][0]
(service, hostname, realm) = split_principal(principal)
if hostname.lower() == fqdn:
try:
api.Command['service_disable'](principal)
done_work = True
except errors.AlreadyInactive:
pass
dn = self.obj.get_dn(*keys, **options)
try:
entry_attrs = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound:
self.obj.handle_not_found(*keys)
if self.api.Command.ca_is_enabled()['result']:
certs = entry_attrs.get('usercertificate', [])
if certs:
revoke_certs(certs, self.log)
# Remove the usercertificate altogether
entry_attrs['usercertificate'] = None
ldap.update_entry(entry_attrs)
done_work = True
self.obj.get_password_attributes(ldap, dn, entry_attrs)
if entry_attrs['has_keytab']:
ldap.remove_principal_key(dn)
done_work = True
if not done_work:
raise errors.AlreadyInactive()
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
def execute(self, *keys, **options):
ldap = self.api.Backend.ldap2
cn = str(uuid.uuid4())
gtype = options.get('type')
if not gtype:
gtype = 'group' if options.get('users') else 'hostgroup'
types = {
'group': (
'user',
'users',
DN(api.env.container_user, api.env.basedn)
),
'hostgroup': (
'host',
'hosts',
DN(api.env.container_host, api.env.basedn)
),
}
obj_name, opt_name, basedn = types[gtype]
obj = self.api.Object[obj_name]
names = options.get(opt_name)
if names:
for name in names:
try:
obj.get_dn_if_exists(name)
except errors.NotFound:
obj.handle_not_found(name)
search_filter = ldap.make_filter_from_attr(
obj.primary_key.name,
names,
rules=ldap.MATCH_ANY
)
else:
search_filter = '(%s=*)' % obj.primary_key.name
task_dn = DN(('cn', cn), REBUILD_TASK_CONTAINER)
entry = ldap.make_entry(
task_dn,
objectclass=['top', 'extensibleObject'],
cn=[cn],
basedn=[basedn],
filter=[search_filter],
scope=['sub'],
ttl=[3600])
ldap.add_entry(entry)
summary = _('Automember rebuild membership task started')
result = {'dn': task_dn}
if not options.get('no_wait'):
summary = _('Automember rebuild membership task completed')
result = {}
start_time = time.time()
while True:
try:
task = ldap.get_entry(task_dn)
except errors.NotFound:
break
if 'nstaskexitcode' in task:
if str(task.single_value['nstaskexitcode']) == '0':
summary=task.single_value['nstaskstatus']
break
else:
raise errors.DatabaseError(
desc=task.single_value['nstaskstatus'],
info=_("Task DN = '%s'" % task_dn))
time.sleep(1)
if time.time() > (start_time + 60):
raise errors.TaskTimeout(task=_('Automember'), task_dn=task_dn)
return dict(
result=result,
summary=unicode(summary),
value=pkey_to_value(None, options))
def execute(self, *args, **options):
ldap = self.obj.backend
staging_dn = self.obj.get_dn(*args, **options)
assert isinstance(staging_dn, DN)
# retrieve the current entry
try:
entry_attrs = self._exc_wrapper(args, options, ldap.get_entry)(
staging_dn, ['*']
)
except errors.NotFound:
self.obj.handle_not_found(*args)
entry_attrs = dict((k.lower(), v) for (k, v) in entry_attrs.iteritems())
# Check it does not exist an active entry with the same RDN
active_dn = DN(staging_dn[0], api.env.container_user, api.env.basedn)
try:
test_entry_attrs = self._exc_wrapper(args, options, ldap.get_entry)(
active_dn, ['dn']
)
assert isinstance(staging_dn, DN)
raise errors.DuplicateEntry(
message=_('active user with name "%(user)s" already exists') %
dict(user=args[-1]))
except errors.NotFound:
pass
# Check the original entry is valid
self._check_validy(staging_dn, entry_attrs)
# Time to build the new entry
result_entry = {'dn' : active_dn}
new_entry_attrs = self.__dict_new_entry()
for (attr, values) in entry_attrs.iteritems():
self.__merge_values(args, options, entry_attrs, new_entry_attrs, attr)
result_entry[attr] = values
# Allow Managed entry plugin to do its work
if 'description' in new_entry_attrs and NO_UPG_MAGIC in new_entry_attrs['description']:
new_entry_attrs['description'].remove(NO_UPG_MAGIC)
if result_entry['description'] == NO_UPG_MAGIC:
del result_entry['description']
for (k,v) in new_entry_attrs.iteritems():
self.log.debug("new entry: k=%r and v=%r)" % (k, v))
self._build_new_entry(ldap, staging_dn, entry_attrs, new_entry_attrs)
# Add the Active entry
entry = ldap.make_entry(active_dn, new_entry_attrs)
self._exc_wrapper(args, options, ldap.add_entry)(entry)
# Now delete the Staging entry
try:
self._exc_wrapper(args, options, ldap.delete_entry)(staging_dn)
except:
try:
self.log.error("Fail to delete the Staging user after activating it %s " % (staging_dn))
self._exc_wrapper(args, options, ldap.delete_entry)(active_dn)
except:
self.log.error("Fail to cleanup activation. The user remains active %s" % (active_dn))
pass
raise
# add the user we just created into the default primary group
config = ldap.get_ipa_config()
def_primary_group = config.get('ipadefaultprimarygroup')
group_dn = self.api.Object['group'].get_dn(def_primary_group)
# if the user is already a member of default primary group,
# do not raise error
# this can happen if automember rule or default group is set
try:
ldap.add_entry_to_group(active_dn, group_dn)
except errors.AlreadyGroupMember:
pass
# Now retrieve the activated entry
result_entry = self._exc_wrapper(args, options, ldap.get_entry)(active_dn)
result_entry = entry_to_dict(result_entry, **options)
result_entry['dn'] = active_dn
return dict(result=result_entry,
summary=unicode(_('Stage user %s activated' % staging_dn[0].value)),
value=pkey_to_value(args[-1], options))