2015-03-05 07:25:33 -06:00
|
|
|
# Authors:
|
|
|
|
|
# Thierry Bordaz <tbordaz@redhat.com>
|
|
|
|
|
#
|
|
|
|
|
# Copyright (C) 2014 Red Hat
|
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
2018-04-05 02:21:16 -05:00
|
|
|
from __future__ import absolute_import
|
|
|
|
|
|
2017-05-23 11:35:57 -05:00
|
|
|
import logging
|
2015-03-05 07:25:33 -06:00
|
|
|
import posixpath
|
2015-05-08 09:12:58 -05:00
|
|
|
from copy import deepcopy
|
2015-09-11 06:43:28 -05:00
|
|
|
|
|
|
|
|
import six
|
|
|
|
|
|
2015-03-05 07:25:33 -06:00
|
|
|
from ipalib import api, errors
|
2016-06-02 08:58:43 -05:00
|
|
|
from ipalib import Bool
|
2015-03-05 07:25:33 -06:00
|
|
|
from ipalib.plugable import Registry
|
2016-04-20 08:41:34 -05:00
|
|
|
from .baseldap import (
|
2015-12-16 09:06:03 -06:00
|
|
|
LDAPCreate,
|
|
|
|
|
LDAPQuery,
|
2016-03-07 05:15:58 -06:00
|
|
|
DN)
|
2016-04-20 08:41:34 -05:00
|
|
|
from . import baseldap
|
|
|
|
|
from .baseuser import (
|
2015-12-16 09:06:03 -06:00
|
|
|
baseuser,
|
|
|
|
|
baseuser_add,
|
|
|
|
|
baseuser_del,
|
|
|
|
|
baseuser_mod,
|
|
|
|
|
baseuser_find,
|
|
|
|
|
baseuser_show,
|
|
|
|
|
NO_UPG_MAGIC,
|
|
|
|
|
baseuser_output_params,
|
2017-01-18 06:24:29 -06:00
|
|
|
baseuser_add_cert,
|
|
|
|
|
baseuser_remove_cert,
|
2017-01-18 06:25:11 -06:00
|
|
|
baseuser_add_principal,
|
|
|
|
|
baseuser_remove_principal,
|
2015-12-16 09:06:03 -06:00
|
|
|
baseuser_add_manager,
|
2016-12-20 09:21:58 -06:00
|
|
|
baseuser_remove_manager,
|
|
|
|
|
baseuser_add_certmapdata,
|
|
|
|
|
baseuser_remove_certmapdata)
|
2015-03-05 07:25:33 -06:00
|
|
|
from ipalib.request import context
|
2015-09-08 10:43:30 -05:00
|
|
|
from ipalib.util import set_krbcanonicalname
|
2015-03-05 07:25:33 -06:00
|
|
|
from ipalib import _, ngettext
|
|
|
|
|
from ipalib import output
|
|
|
|
|
from ipaplatform.paths import paths
|
2016-12-21 08:07:34 -06:00
|
|
|
from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
|
2015-03-05 07:25:33 -06:00
|
|
|
from ipalib.capabilities import client_has_capability
|
|
|
|
|
|
2015-09-11 06:43:28 -05:00
|
|
|
if six.PY3:
|
|
|
|
|
unicode = str
|
|
|
|
|
|
2015-03-05 07:25:33 -06:00
|
|
|
__doc__ = _("""
|
|
|
|
|
Stageusers
|
|
|
|
|
|
|
|
|
|
Manage stage user entries.
|
|
|
|
|
|
|
|
|
|
Stage user entries are directly under the container: "cn=stage users,
|
|
|
|
|
cn=accounts, cn=provisioning, SUFFIX".
|
2015-07-04 06:56:24 -05:00
|
|
|
Users can not authenticate with those entries (even if the entries
|
|
|
|
|
contain credentials). Those entries are only candidate to become Active entries.
|
2015-03-05 07:25:33 -06:00
|
|
|
|
|
|
|
|
Active user entries are Posix users directly under the container: "cn=accounts, SUFFIX".
|
2015-07-04 06:56:24 -05:00
|
|
|
Users can authenticate with Active entries, at the condition they have
|
|
|
|
|
credentials.
|
2015-03-05 07:25:33 -06:00
|
|
|
|
2015-07-04 06:56:24 -05:00
|
|
|
Deleted user entries are Posix users directly under the container: "cn=deleted users,
|
2015-03-05 07:25:33 -06:00
|
|
|
cn=accounts, cn=provisioning, SUFFIX".
|
2015-07-04 06:56:24 -05:00
|
|
|
Users can not authenticate with those entries, even if the entries contain credentials.
|
2015-03-05 07:25:33 -06:00
|
|
|
|
2015-07-04 06:56:24 -05:00
|
|
|
The stage user container contains entries:
|
|
|
|
|
- created by 'stageuser-add' commands that are Posix users,
|
|
|
|
|
- created by external provisioning system.
|
2015-03-05 07:25:33 -06:00
|
|
|
|
2015-07-04 06:56:24 -05:00
|
|
|
A valid stage user entry MUST have:
|
|
|
|
|
- entry RDN is 'uid',
|
|
|
|
|
- ipaUniqueID is 'autogenerate'.
|
2015-03-05 07:25:33 -06:00
|
|
|
|
|
|
|
|
IPA supports a wide range of username formats, but you need to be aware of any
|
|
|
|
|
restrictions that may apply to your particular environment. For example,
|
|
|
|
|
usernames that start with a digit or usernames that exceed a certain length
|
|
|
|
|
may cause problems for some UNIX systems.
|
|
|
|
|
Use 'ipa config-mod' to change the username format allowed by IPA tools.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
EXAMPLES:
|
|
|
|
|
|
|
|
|
|
Add a new stageuser:
|
|
|
|
|
ipa stageuser-add --first=Tim --last=User --password tuser1
|
|
|
|
|
|
2015-07-04 06:56:24 -05:00
|
|
|
Add a stageuser from the deleted users container:
|
2015-03-05 07:25:33 -06:00
|
|
|
ipa stageuser-add --first=Tim --last=User --from-delete tuser1
|
|
|
|
|
|
|
|
|
|
""")
|
|
|
|
|
|
2017-05-23 11:35:57 -05:00
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
2015-03-05 07:25:33 -06:00
|
|
|
register = Registry()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
stageuser_output_params = baseuser_output_params
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser(baseuser):
|
|
|
|
|
"""
|
|
|
|
|
Stage User object
|
|
|
|
|
A Stage user is not an Active user and can not be used to bind with.
|
|
|
|
|
Stage container is: cn=staged users,cn=accounts,cn=provisioning,SUFFIX
|
|
|
|
|
Stage entry conforms the schema
|
|
|
|
|
Stage entry RDN attribute is 'uid'
|
|
|
|
|
Stage entry are disabled (nsAccountLock: True) through cos
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
container_dn = baseuser.stage_container_dn
|
|
|
|
|
label = _('Stage Users')
|
|
|
|
|
label_singular = _('Stage User')
|
|
|
|
|
object_name = _('stage user')
|
|
|
|
|
object_name_plural = _('stage users')
|
2015-05-08 03:41:44 -05:00
|
|
|
managed_permissions = {
|
2015-06-11 06:18:27 -05:00
|
|
|
#
|
|
|
|
|
# Stage container
|
|
|
|
|
#
|
|
|
|
|
# Allowed to create stage user
|
|
|
|
|
'System: Add Stage User': {
|
2015-04-23 11:43:48 -05:00
|
|
|
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=*)'},
|
|
|
|
|
'ipapermright': {'add'},
|
|
|
|
|
'ipapermdefaultattr': {'*'},
|
|
|
|
|
'default_privileges': {'Stage User Administrators', 'Stage User Provisioning'},
|
|
|
|
|
},
|
2015-06-11 06:18:27 -05:00
|
|
|
# Allow to read kerberos/password
|
|
|
|
|
'System: Read Stage User password': {
|
|
|
|
|
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=*)'},
|
|
|
|
|
'ipapermright': {'read', 'search', 'compare'},
|
|
|
|
|
'ipapermdefaultattr': {
|
|
|
|
|
'userPassword', 'krbPrincipalKey',
|
|
|
|
|
},
|
|
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
|
|
|
|
# Allow to update stage user
|
|
|
|
|
'System: Modify Stage User': {
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=*)'},
|
2015-06-11 06:18:27 -05:00
|
|
|
'ipapermright': {'write'},
|
|
|
|
|
'ipapermdefaultattr': {'*'},
|
2015-05-08 03:41:44 -05:00
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
2015-06-11 06:18:27 -05:00
|
|
|
# Allow to delete stage user
|
|
|
|
|
'System: Remove Stage User': {
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=*)'},
|
2015-06-11 06:18:27 -05:00
|
|
|
'ipapermright': {'delete'},
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermdefaultattr': {'*'},
|
|
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
2015-06-11 06:18:27 -05:00
|
|
|
# Allow to read any attributes of stage users
|
|
|
|
|
'System: Read Stage Users': {
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=*)'},
|
|
|
|
|
'ipapermright': {'read', 'search', 'compare'},
|
|
|
|
|
'ipapermdefaultattr': {'*'},
|
|
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
|
|
|
|
#
|
2015-06-11 06:18:27 -05:00
|
|
|
# Preserve container
|
2015-05-08 03:41:44 -05:00
|
|
|
#
|
2015-06-11 06:18:27 -05:00
|
|
|
# Allow to read Preserved User
|
|
|
|
|
'System: Read Preserved Users': {
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=posixaccount)'},
|
2015-06-11 06:18:27 -05:00
|
|
|
'ipapermright': {'read', 'search', 'compare'},
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermdefaultattr': {'*'},
|
|
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
2015-06-11 06:18:27 -05:00
|
|
|
# Allow to update Preserved User
|
|
|
|
|
'System: Modify Preserved Users': {
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=posixaccount)'},
|
|
|
|
|
'ipapermright': {'write'},
|
2015-06-11 06:18:27 -05:00
|
|
|
'ipapermdefaultattr': {'*'},
|
2015-05-08 03:41:44 -05:00
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
2015-06-11 06:18:27 -05:00
|
|
|
# Allow to reset Preserved User password
|
|
|
|
|
'System: Reset Preserved User password': {
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=posixaccount)'},
|
|
|
|
|
'ipapermright': {'read', 'search', 'write'},
|
|
|
|
|
'ipapermdefaultattr': {
|
|
|
|
|
'userPassword', 'krbPrincipalKey','krbPasswordExpiration','krbLastPwdChange'
|
|
|
|
|
},
|
|
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
2015-06-19 10:27:11 -05:00
|
|
|
# Allow to delete preserved user
|
|
|
|
|
'System: Remove preserved User': {
|
|
|
|
|
'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=*)'},
|
|
|
|
|
'ipapermright': {'delete'},
|
|
|
|
|
'ipapermdefaultattr': {'*'},
|
|
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
2015-05-08 03:41:44 -05:00
|
|
|
#
|
|
|
|
|
# Active container
|
|
|
|
|
#
|
|
|
|
|
# Stage user administrators need write right on RDN when
|
|
|
|
|
# the active user is deleted (preserved)
|
2015-06-11 06:18:27 -05:00
|
|
|
'System: Modify User RDN': {
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=posixaccount)'},
|
|
|
|
|
'ipapermright': {'write'},
|
|
|
|
|
'ipapermdefaultattr': {'uid'},
|
|
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
|
|
|
|
#
|
|
|
|
|
# Cross containers autorization
|
|
|
|
|
#
|
2015-06-11 06:18:27 -05:00
|
|
|
# Allow to move active user to preserve container (user-del --preserve)
|
2015-05-08 03:41:44 -05:00
|
|
|
# Note: targetfilter is the target parent container
|
2015-06-11 06:18:27 -05:00
|
|
|
'System: Preserve User': {
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermlocation': DN(api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtargetfrom': DN(baseuser.active_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetto': DN(baseuser.delete_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=nsContainer)'},
|
|
|
|
|
'ipapermright': {'moddn'},
|
|
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
2015-06-11 06:18:27 -05:00
|
|
|
# Allow to move preserved user to active container (user-undel)
|
2015-05-08 03:41:44 -05:00
|
|
|
# Note: targetfilter is the target parent container
|
2015-06-11 06:18:27 -05:00
|
|
|
'System: Undelete User': {
|
2015-05-08 03:41:44 -05:00
|
|
|
'ipapermlocation': DN(api.env.basedn),
|
|
|
|
|
'ipapermbindruletype': 'permission',
|
|
|
|
|
'ipapermtargetfrom': DN(baseuser.delete_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetto': DN(baseuser.active_container_dn, api.env.basedn),
|
|
|
|
|
'ipapermtargetfilter': {'(objectclass=nsContainer)'},
|
|
|
|
|
'ipapermright': {'moddn'},
|
|
|
|
|
'default_privileges': {'Stage User Administrators'},
|
|
|
|
|
},
|
|
|
|
|
}
|
2015-03-05 07:25:33 -06:00
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_add(baseuser_add):
|
|
|
|
|
__doc__ = _('Add a new stage user.')
|
|
|
|
|
|
|
|
|
|
msg_summary = _('Added stage user "%(value)s"')
|
|
|
|
|
|
|
|
|
|
has_output_params = baseuser_add.has_output_params + stageuser_output_params
|
|
|
|
|
|
|
|
|
|
takes_options = LDAPCreate.takes_options + (
|
2016-06-02 08:58:43 -05:00
|
|
|
Bool(
|
|
|
|
|
'from_delete?',
|
|
|
|
|
deprecated=True,
|
2015-03-05 07:25:33 -06:00
|
|
|
doc=_('Create Stage user in from a delete user'),
|
|
|
|
|
cli_name='from_delete',
|
2016-06-02 08:58:43 -05:00
|
|
|
flags={'no_option'},
|
2015-03-05 07:25:33 -06:00
|
|
|
),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
|
|
|
|
assert isinstance(dn, DN)
|
|
|
|
|
|
2015-08-17 13:11:21 -05:00
|
|
|
# then givenname and sn are required attributes
|
|
|
|
|
if 'givenname' not in entry_attrs:
|
|
|
|
|
raise errors.RequirementError(name='givenname', error=_('givenname is required'))
|
2015-03-05 07:25:33 -06:00
|
|
|
|
2015-08-17 13:11:21 -05:00
|
|
|
if 'sn' not in entry_attrs:
|
|
|
|
|
raise errors.RequirementError(name='sn', error=_('sn is required'))
|
2015-03-05 07:25:33 -06:00
|
|
|
|
|
|
|
|
# we don't want an user private group to be created for this user
|
|
|
|
|
# add NO_UPG_MAGIC description attribute to let the DS plugin know
|
|
|
|
|
entry_attrs.setdefault('description', [])
|
|
|
|
|
entry_attrs['description'].append(NO_UPG_MAGIC)
|
|
|
|
|
|
|
|
|
|
# uidNumber/gidNumber
|
|
|
|
|
entry_attrs.setdefault('uidnumber', baseldap.DNA_MAGIC)
|
|
|
|
|
entry_attrs.setdefault('gidnumber', baseldap.DNA_MAGIC)
|
|
|
|
|
|
|
|
|
|
if not client_has_capability(
|
|
|
|
|
options['version'], 'optional_uid_params'):
|
|
|
|
|
# https://fedorahosted.org/freeipa/ticket/2886
|
|
|
|
|
# Old clients say 999 (OLD_DNA_MAGIC) when they really mean
|
|
|
|
|
# "assign a value dynamically".
|
|
|
|
|
OLD_DNA_MAGIC = 999
|
|
|
|
|
if entry_attrs.get('uidnumber') == OLD_DNA_MAGIC:
|
|
|
|
|
entry_attrs['uidnumber'] = baseldap.DNA_MAGIC
|
|
|
|
|
if entry_attrs.get('gidnumber') == OLD_DNA_MAGIC:
|
|
|
|
|
entry_attrs['gidnumber'] = baseldap.DNA_MAGIC
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Check the lenght of the RDN (uid) value
|
|
|
|
|
config = ldap.get_ipa_config()
|
|
|
|
|
if 'ipamaxusernamelength' in config:
|
|
|
|
|
if len(keys[-1]) > int(config.get('ipamaxusernamelength')[0]):
|
|
|
|
|
raise errors.ValidationError(
|
|
|
|
|
name=self.obj.primary_key.cli_name,
|
|
|
|
|
error=_('can be at most %(len)d characters') % dict(
|
|
|
|
|
len = int(config.get('ipamaxusernamelength')[0])
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
default_shell = config.get('ipadefaultloginshell', [paths.SH])[0]
|
|
|
|
|
entry_attrs.setdefault('loginshell', default_shell)
|
|
|
|
|
# hack so we can request separate first and last name in CLI
|
|
|
|
|
full_name = '%s %s' % (entry_attrs['givenname'], entry_attrs['sn'])
|
|
|
|
|
entry_attrs.setdefault('cn', full_name)
|
|
|
|
|
|
|
|
|
|
# Homedirectory
|
|
|
|
|
# (order is : option, placeholder (TBD), CLI default value (here in config))
|
|
|
|
|
if 'homedirectory' not in entry_attrs:
|
|
|
|
|
# get home's root directory from config
|
|
|
|
|
homes_root = config.get('ipahomesrootdir', [paths.HOME_DIR])[0]
|
|
|
|
|
# build user's home directory based on his uid
|
|
|
|
|
entry_attrs['homedirectory'] = posixpath.join(homes_root, keys[-1])
|
|
|
|
|
|
|
|
|
|
# Kerberos principal
|
|
|
|
|
entry_attrs.setdefault('krbprincipalname', '%s@%s' % (entry_attrs['uid'], api.env.realm))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# If requested, generate a userpassword
|
|
|
|
|
if 'userpassword' not in entry_attrs and options.get('random'):
|
2016-07-22 09:41:29 -05:00
|
|
|
entry_attrs['userpassword'] = ipa_generate_password(
|
2016-12-21 08:07:34 -06:00
|
|
|
entropy_bits=TMP_PWD_ENTROPY_BITS)
|
2015-03-05 07:25:33 -06:00
|
|
|
# save the password so it can be displayed in post_callback
|
|
|
|
|
setattr(context, 'randompassword', entry_attrs['userpassword'])
|
|
|
|
|
|
|
|
|
|
# Check the email or create it
|
|
|
|
|
if 'mail' in entry_attrs:
|
|
|
|
|
entry_attrs['mail'] = self.obj.normalize_and_validate_email(entry_attrs['mail'], config)
|
|
|
|
|
else:
|
|
|
|
|
# No e-mail passed in. If we have a default e-mail domain set
|
|
|
|
|
# then we'll add it automatically.
|
|
|
|
|
defaultdomain = config.get('ipadefaultemaildomain', [None])[0]
|
|
|
|
|
if defaultdomain:
|
|
|
|
|
entry_attrs['mail'] = self.obj.normalize_and_validate_email(keys[-1], config)
|
|
|
|
|
|
|
|
|
|
# If the manager is defined, check it is a ACTIVE user to validate it
|
|
|
|
|
if 'manager' in entry_attrs:
|
|
|
|
|
entry_attrs['manager'] = self.obj.normalize_manager(entry_attrs['manager'], self.obj.active_container_dn)
|
|
|
|
|
|
|
|
|
|
if ('objectclass' in entry_attrs
|
|
|
|
|
and 'userclass' in entry_attrs
|
|
|
|
|
and 'ipauser' not in entry_attrs['objectclass']):
|
|
|
|
|
entry_attrs['objectclass'].append('ipauser')
|
|
|
|
|
|
|
|
|
|
if 'ipatokenradiusconfiglink' in entry_attrs:
|
|
|
|
|
cl = entry_attrs['ipatokenradiusconfiglink']
|
|
|
|
|
if cl:
|
|
|
|
|
if 'objectclass' not in entry_attrs:
|
|
|
|
|
_entry = ldap.get_entry(dn, ['objectclass'])
|
|
|
|
|
entry_attrs['objectclass'] = _entry['objectclass']
|
|
|
|
|
|
|
|
|
|
if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
|
|
|
|
|
entry_attrs['objectclass'].append('ipatokenradiusproxyuser')
|
|
|
|
|
|
|
|
|
|
answer = self.api.Object['radiusproxy'].get_dn_if_exists(cl)
|
|
|
|
|
entry_attrs['ipatokenradiusconfiglink'] = answer
|
|
|
|
|
|
2016-03-14 11:42:56 -05:00
|
|
|
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
|
|
|
|
|
**options)
|
2016-03-31 02:37:36 -05:00
|
|
|
|
2015-03-05 07:25:33 -06:00
|
|
|
return dn
|
|
|
|
|
|
|
|
|
|
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
|
|
|
|
assert isinstance(dn, DN)
|
|
|
|
|
|
|
|
|
|
# Fetch the entry again to update memberof, mep data, etc updated
|
|
|
|
|
# at the end of the transaction.
|
|
|
|
|
newentry = ldap.get_entry(dn, ['*'])
|
|
|
|
|
entry_attrs.update(newentry)
|
|
|
|
|
|
|
|
|
|
if options.get('random', False):
|
|
|
|
|
try:
|
|
|
|
|
entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword'))
|
|
|
|
|
except AttributeError:
|
|
|
|
|
# if both randompassword and userpassword options were used
|
|
|
|
|
pass
|
|
|
|
|
|
2016-03-14 11:42:56 -05:00
|
|
|
self.post_common_callback(ldap, dn, entry_attrs, *keys, **options)
|
2015-03-05 07:25:33 -06:00
|
|
|
return dn
|
2015-05-12 08:03:58 -05:00
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_del(baseuser_del):
|
|
|
|
|
__doc__ = _('Delete a stage user.')
|
|
|
|
|
|
|
|
|
|
msg_summary = _('Deleted stage user "%(value)s"')
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_mod(baseuser_mod):
|
|
|
|
|
__doc__ = _('Modify a stage user.')
|
|
|
|
|
|
|
|
|
|
msg_summary = _('Modified stage user "%(value)s"')
|
|
|
|
|
|
|
|
|
|
has_output_params = baseuser_mod.has_output_params + stageuser_output_params
|
|
|
|
|
|
|
|
|
|
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
2016-03-14 11:42:56 -05:00
|
|
|
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
|
|
|
|
|
**options)
|
2015-05-12 08:03:58 -05:00
|
|
|
# Make sure it is not possible to authenticate with a Stage user account
|
|
|
|
|
if 'nsaccountlock' in entry_attrs:
|
|
|
|
|
del entry_attrs['nsaccountlock']
|
|
|
|
|
return dn
|
|
|
|
|
|
|
|
|
|
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
|
|
|
|
self.post_common_callback(ldap, dn, entry_attrs, **options)
|
|
|
|
|
if 'nsaccountlock' in entry_attrs:
|
|
|
|
|
del entry_attrs['nsaccountlock']
|
|
|
|
|
return dn
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_find(baseuser_find):
|
|
|
|
|
__doc__ = _('Search for stage users.')
|
|
|
|
|
|
|
|
|
|
member_attributes = ['memberof']
|
|
|
|
|
has_output_params = baseuser_find.has_output_params + stageuser_output_params
|
|
|
|
|
|
|
|
|
|
def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *keys, **options):
|
|
|
|
|
assert isinstance(base_dn, DN)
|
2016-03-14 11:42:56 -05:00
|
|
|
self.pre_common_callback(ldap, filter, attrs_list, base_dn, scope,
|
|
|
|
|
*keys, **options)
|
2015-05-12 08:03:58 -05:00
|
|
|
|
2015-05-11 10:08:16 -05:00
|
|
|
container_filter = "(objectclass=posixaccount)"
|
|
|
|
|
# provisioning system can create non posixaccount stage user
|
|
|
|
|
# but then they have to create inetOrgPerson stage user
|
|
|
|
|
stagefilter = filter.replace(container_filter,
|
|
|
|
|
"(|%s(objectclass=inetOrgPerson))" % container_filter)
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.debug("stageuser_find: pre_callback new filter=%s ",
|
|
|
|
|
stagefilter)
|
2015-05-11 10:08:16 -05:00
|
|
|
return (stagefilter, base_dn, scope)
|
2015-05-12 08:03:58 -05:00
|
|
|
|
|
|
|
|
def post_callback(self, ldap, entries, truncated, *args, **options):
|
|
|
|
|
if options.get('pkey_only', False):
|
|
|
|
|
return truncated
|
|
|
|
|
self.post_common_callback(ldap, entries, lockout=True, **options)
|
|
|
|
|
return truncated
|
|
|
|
|
|
|
|
|
|
msg_summary = ngettext(
|
|
|
|
|
'%(count)d user matched', '%(count)d users matched', 0
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_show(baseuser_show):
|
|
|
|
|
__doc__ = _('Display information about a stage user.')
|
|
|
|
|
|
|
|
|
|
has_output_params = baseuser_show.has_output_params + stageuser_output_params
|
|
|
|
|
|
2016-03-14 11:42:56 -05:00
|
|
|
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
|
|
|
|
|
assert isinstance(dn, DN)
|
|
|
|
|
self.pre_common_callback(ldap, dn, attrs_list, *keys, **options)
|
|
|
|
|
return dn
|
|
|
|
|
|
2015-05-12 08:03:58 -05:00
|
|
|
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
|
|
|
|
entry_attrs['nsaccountlock'] = True
|
2016-03-14 11:42:56 -05:00
|
|
|
self.post_common_callback(ldap, dn, entry_attrs, *keys, **options)
|
2015-05-12 08:03:58 -05:00
|
|
|
return dn
|
2015-05-08 09:12:58 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_activate(LDAPQuery):
|
|
|
|
|
__doc__ = _('Activate a stage user.')
|
|
|
|
|
|
|
|
|
|
msg_summary = _('Activate a stage user "%(value)s"')
|
|
|
|
|
|
|
|
|
|
preserved_DN_syntax_attrs = ('manager', 'managedby', 'secretary')
|
|
|
|
|
|
|
|
|
|
searched_operational_attributes = ['uidNumber', 'gidNumber', 'nsAccountLock', 'ipauniqueid']
|
|
|
|
|
|
|
|
|
|
has_output = output.standard_entry
|
|
|
|
|
has_output_params = LDAPQuery.has_output_params + stageuser_output_params
|
|
|
|
|
|
2015-05-11 10:08:16 -05:00
|
|
|
def _check_validy(self, dn, entry):
|
|
|
|
|
if dn[0].attr != 'uid':
|
|
|
|
|
raise errors.ValidationError(
|
|
|
|
|
name=self.obj.primary_key.cli_name,
|
|
|
|
|
error=_('Entry RDN is not \'uid\''),
|
|
|
|
|
)
|
|
|
|
|
for attr in ('cn', 'sn', 'uid'):
|
|
|
|
|
if attr not in entry:
|
|
|
|
|
raise errors.ValidationError(
|
|
|
|
|
name=self.obj.primary_key.cli_name,
|
2015-07-01 07:46:22 -05:00
|
|
|
error=_('Entry has no \'%(attribute)s\'') % dict(attribute=attr),
|
2015-05-11 10:08:16 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
def _build_new_entry(self, ldap, dn, entry_from, entry_to):
|
|
|
|
|
config = ldap.get_ipa_config()
|
|
|
|
|
|
|
|
|
|
if 'uidnumber' not in entry_from:
|
|
|
|
|
entry_to['uidnumber'] = baseldap.DNA_MAGIC
|
|
|
|
|
if 'gidnumber' not in entry_from:
|
|
|
|
|
entry_to['gidnumber'] = baseldap.DNA_MAGIC
|
|
|
|
|
if 'homedirectory' not in entry_from:
|
|
|
|
|
# get home's root directory from config
|
|
|
|
|
homes_root = config.get('ipahomesrootdir', [paths.HOME_DIR])[0]
|
|
|
|
|
# build user's home directory based on his uid
|
|
|
|
|
entry_to['homedirectory'] = posixpath.join(homes_root, dn[0].value)
|
|
|
|
|
if 'ipamaxusernamelength' in config:
|
|
|
|
|
if len(dn[0].value) > int(config.get('ipamaxusernamelength')[0]):
|
|
|
|
|
raise errors.ValidationError(
|
|
|
|
|
name=self.obj.primary_key.cli_name,
|
|
|
|
|
error=_('can be at most %(len)d characters') % dict(
|
|
|
|
|
len = int(config.get('ipamaxusernamelength')[0])
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
if 'loginshell' not in entry_from:
|
|
|
|
|
default_shell = config.get('ipadefaultloginshell', [paths.SH])[0]
|
|
|
|
|
if default_shell:
|
|
|
|
|
entry_to.setdefault('loginshell', default_shell)
|
|
|
|
|
|
|
|
|
|
if 'givenname' not in entry_from:
|
|
|
|
|
entry_to['givenname'] = entry_from['cn'][0].split()[0]
|
|
|
|
|
|
|
|
|
|
if 'krbprincipalname' not in entry_from:
|
|
|
|
|
entry_to['krbprincipalname'] = '%s@%s' % (entry_from['uid'][0], api.env.realm)
|
|
|
|
|
|
2015-09-08 10:43:30 -05:00
|
|
|
set_krbcanonicalname(entry_to)
|
|
|
|
|
|
2015-05-08 09:12:58 -05:00
|
|
|
def __dict_new_entry(self, *args, **options):
|
|
|
|
|
ldap = self.obj.backend
|
|
|
|
|
|
|
|
|
|
entry_attrs = self.args_options_2_entry(*args, **options)
|
|
|
|
|
entry_attrs = ldap.make_entry(DN(), entry_attrs)
|
|
|
|
|
|
|
|
|
|
self.process_attr_options(entry_attrs, None, args, options)
|
|
|
|
|
|
|
|
|
|
entry_attrs['objectclass'] = deepcopy(self.obj.object_class)
|
|
|
|
|
|
|
|
|
|
if self.obj.object_class_config:
|
|
|
|
|
config = ldap.get_ipa_config()
|
|
|
|
|
entry_attrs['objectclass'] = config.get(
|
|
|
|
|
self.obj.object_class_config, entry_attrs['objectclass']
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
return(entry_attrs)
|
|
|
|
|
|
|
|
|
|
def __merge_values(self, args, options, entry_from, entry_to, attr):
|
|
|
|
|
'''
|
|
|
|
|
This routine merges the values of attr taken from entry_from, into entry_to.
|
|
|
|
|
If attr is a syntax DN attribute, it is replaced by an empty value. It is a preferable solution
|
|
|
|
|
compare to skiping it because the final entry may no longer conform the schema.
|
|
|
|
|
An exception of this is for a limited set of syntax DN attribute that we want to
|
|
|
|
|
preserved (defined in preserved_DN_syntax_attrs)
|
|
|
|
|
see http://www.freeipa.org/page/V3/User_Life-Cycle_Management#Adjustment_of_DN_syntax_attributes
|
|
|
|
|
'''
|
|
|
|
|
if not attr in entry_to:
|
|
|
|
|
if isinstance(entry_from[attr], (list, tuple)):
|
|
|
|
|
# attr is multi value attribute
|
|
|
|
|
entry_to[attr] = []
|
|
|
|
|
else:
|
|
|
|
|
# attr single valued attribute
|
|
|
|
|
entry_to[attr] = None
|
|
|
|
|
|
|
|
|
|
# At this point entry_to contains for all resulting attributes
|
|
|
|
|
# either a list (possibly empty) or a value (possibly None)
|
|
|
|
|
|
|
|
|
|
for value in entry_from[attr]:
|
|
|
|
|
# merge all the values from->to
|
|
|
|
|
v = self.__value_2_add(args, options, attr, value)
|
2015-05-11 10:08:16 -05:00
|
|
|
if (isinstance(v, str) and v in ('', None)) or \
|
|
|
|
|
(isinstance(v, unicode) and v in (u'', None)):
|
2015-05-08 09:12:58 -05:00
|
|
|
try:
|
|
|
|
|
v.decode('utf-8')
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.debug("merge: %s:%r wiped", attr, v)
|
2016-03-22 10:39:39 -05:00
|
|
|
except Exception:
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.debug("merge %s: [no_print %s]",
|
|
|
|
|
attr, v.__class__.__name__)
|
2015-05-08 09:12:58 -05:00
|
|
|
if isinstance(entry_to[attr], (list, tuple)):
|
|
|
|
|
# multi value attribute
|
|
|
|
|
if v not in entry_to[attr]:
|
|
|
|
|
# it may has been added before in the loop
|
|
|
|
|
# so add it only if it not present
|
|
|
|
|
entry_to[attr].append(v)
|
|
|
|
|
else:
|
|
|
|
|
# single value attribute
|
|
|
|
|
# keep the value defined in staging
|
|
|
|
|
entry_to[attr] = v
|
|
|
|
|
else:
|
|
|
|
|
try:
|
|
|
|
|
v.decode('utf-8')
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.debug("Add: %s:%r", attr, v)
|
2016-03-22 10:39:39 -05:00
|
|
|
except Exception:
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.debug("Add %s: [no_print %s]",
|
|
|
|
|
attr, v.__class__.__name__)
|
2015-12-16 18:29:29 -06:00
|
|
|
|
2015-05-08 09:12:58 -05:00
|
|
|
if isinstance(entry_to[attr], (list, tuple)):
|
|
|
|
|
# multi value attribute
|
2015-05-11 10:08:16 -05:00
|
|
|
if attr.lower() == 'objectclass':
|
|
|
|
|
entry_to[attr] = [oc.lower() for oc in entry_to[attr]]
|
|
|
|
|
value = value.lower()
|
|
|
|
|
if value not in entry_to[attr]:
|
|
|
|
|
entry_to[attr].append(value)
|
|
|
|
|
else:
|
|
|
|
|
if value not in entry_to[attr]:
|
|
|
|
|
entry_to[attr].append(value)
|
2015-05-08 09:12:58 -05:00
|
|
|
else:
|
|
|
|
|
# single value attribute
|
|
|
|
|
if value:
|
|
|
|
|
entry_to[attr] = value
|
|
|
|
|
|
|
|
|
|
def __value_2_add(self, args, options, attr, value):
|
|
|
|
|
'''
|
|
|
|
|
If the attribute is NOT syntax DN it returns its value.
|
|
|
|
|
Else it checks if the value can be preserved.
|
|
|
|
|
To be preserved:
|
|
|
|
|
- attribute must be in preserved_DN_syntax_attrs
|
|
|
|
|
- value must be an active user DN (in Active container)
|
|
|
|
|
- the active user entry exists
|
|
|
|
|
'''
|
|
|
|
|
ldap = self.obj.backend
|
|
|
|
|
|
|
|
|
|
if ldap.has_dn_syntax(attr):
|
|
|
|
|
if attr.lower() in self.preserved_DN_syntax_attrs:
|
|
|
|
|
# we are about to add a DN syntax value
|
|
|
|
|
# Check this is a valid DN
|
|
|
|
|
if not isinstance(value, DN):
|
|
|
|
|
return u''
|
|
|
|
|
|
|
|
|
|
if not self.obj.active_user(value):
|
|
|
|
|
return u''
|
|
|
|
|
|
|
|
|
|
# Check that this value is a Active user
|
|
|
|
|
try:
|
2016-10-04 13:02:32 -05:00
|
|
|
self._exc_wrapper(args, options, ldap.get_entry)(
|
|
|
|
|
value, ['dn']
|
|
|
|
|
)
|
2015-05-08 09:12:58 -05:00
|
|
|
return value
|
|
|
|
|
except errors.NotFound:
|
|
|
|
|
return u''
|
|
|
|
|
else:
|
|
|
|
|
return u''
|
|
|
|
|
else:
|
|
|
|
|
return value
|
|
|
|
|
|
|
|
|
|
def execute(self, *args, **options):
|
|
|
|
|
|
|
|
|
|
ldap = self.obj.backend
|
|
|
|
|
|
|
|
|
|
staging_dn = self.obj.get_dn(*args, **options)
|
|
|
|
|
assert isinstance(staging_dn, DN)
|
|
|
|
|
|
|
|
|
|
# retrieve the current entry
|
|
|
|
|
try:
|
|
|
|
|
entry_attrs = self._exc_wrapper(args, options, ldap.get_entry)(
|
|
|
|
|
staging_dn, ['*']
|
|
|
|
|
)
|
|
|
|
|
except errors.NotFound:
|
2018-01-03 05:11:15 -06:00
|
|
|
raise self.obj.handle_not_found(*args)
|
Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-11 06:51:14 -05:00
|
|
|
entry_attrs = dict((k.lower(), v) for (k, v) in entry_attrs.items())
|
2015-05-08 09:12:58 -05:00
|
|
|
|
|
|
|
|
# Check it does not exist an active entry with the same RDN
|
|
|
|
|
active_dn = DN(staging_dn[0], api.env.container_user, api.env.basedn)
|
|
|
|
|
try:
|
2016-10-04 13:02:32 -05:00
|
|
|
self._exc_wrapper(args, options, ldap.get_entry)(
|
2015-05-08 09:12:58 -05:00
|
|
|
active_dn, ['dn']
|
|
|
|
|
)
|
2015-07-10 07:47:59 -05:00
|
|
|
raise errors.DuplicateEntry(
|
|
|
|
|
message=_('active user with name "%(user)s" already exists') %
|
|
|
|
|
dict(user=args[-1]))
|
2015-05-08 09:12:58 -05:00
|
|
|
except errors.NotFound:
|
|
|
|
|
pass
|
|
|
|
|
|
2015-05-11 10:08:16 -05:00
|
|
|
# Check the original entry is valid
|
|
|
|
|
self._check_validy(staging_dn, entry_attrs)
|
2015-05-08 09:12:58 -05:00
|
|
|
|
|
|
|
|
# Time to build the new entry
|
|
|
|
|
result_entry = {'dn' : active_dn}
|
|
|
|
|
new_entry_attrs = self.__dict_new_entry()
|
Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-11 06:51:14 -05:00
|
|
|
for (attr, values) in entry_attrs.items():
|
2015-05-08 09:12:58 -05:00
|
|
|
self.__merge_values(args, options, entry_attrs, new_entry_attrs, attr)
|
|
|
|
|
result_entry[attr] = values
|
|
|
|
|
|
|
|
|
|
# Allow Managed entry plugin to do its work
|
|
|
|
|
if 'description' in new_entry_attrs and NO_UPG_MAGIC in new_entry_attrs['description']:
|
|
|
|
|
new_entry_attrs['description'].remove(NO_UPG_MAGIC)
|
|
|
|
|
if result_entry['description'] == NO_UPG_MAGIC:
|
|
|
|
|
del result_entry['description']
|
|
|
|
|
|
Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-11 06:51:14 -05:00
|
|
|
for (k, v) in new_entry_attrs.items():
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.debug("new entry: k=%r and v=%r)", k, v)
|
2015-05-08 09:12:58 -05:00
|
|
|
|
2015-05-11 10:08:16 -05:00
|
|
|
self._build_new_entry(ldap, staging_dn, entry_attrs, new_entry_attrs)
|
|
|
|
|
|
2015-05-08 09:12:58 -05:00
|
|
|
# Add the Active entry
|
|
|
|
|
entry = ldap.make_entry(active_dn, new_entry_attrs)
|
|
|
|
|
self._exc_wrapper(args, options, ldap.add_entry)(entry)
|
|
|
|
|
|
|
|
|
|
# Now delete the Staging entry
|
|
|
|
|
try:
|
|
|
|
|
self._exc_wrapper(args, options, ldap.delete_entry)(staging_dn)
|
|
|
|
|
except:
|
|
|
|
|
try:
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.error("Fail to delete the Staging user after "
|
|
|
|
|
"activating it %s ", staging_dn)
|
2015-05-08 09:12:58 -05:00
|
|
|
self._exc_wrapper(args, options, ldap.delete_entry)(active_dn)
|
2016-03-11 12:51:07 -06:00
|
|
|
except Exception:
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.error("Fail to cleanup activation. The user remains "
|
|
|
|
|
"active %s", active_dn)
|
2015-05-08 09:12:58 -05:00
|
|
|
raise
|
|
|
|
|
|
|
|
|
|
# add the user we just created into the default primary group
|
|
|
|
|
config = ldap.get_ipa_config()
|
|
|
|
|
def_primary_group = config.get('ipadefaultprimarygroup')
|
|
|
|
|
group_dn = self.api.Object['group'].get_dn(def_primary_group)
|
|
|
|
|
|
|
|
|
|
# if the user is already a member of default primary group,
|
|
|
|
|
# do not raise error
|
|
|
|
|
# this can happen if automember rule or default group is set
|
|
|
|
|
try:
|
|
|
|
|
ldap.add_entry_to_group(active_dn, group_dn)
|
|
|
|
|
except errors.AlreadyGroupMember:
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
# Now retrieve the activated entry
|
2016-03-07 05:15:58 -06:00
|
|
|
result = self.api.Command.user_show(
|
|
|
|
|
args[-1],
|
|
|
|
|
all=options.get('all', False),
|
|
|
|
|
raw=options.get('raw', False),
|
|
|
|
|
version=options.get('version'),
|
|
|
|
|
)
|
|
|
|
|
result['summary'] = unicode(
|
|
|
|
|
_('Stage user %s activated' % staging_dn[0].value))
|
|
|
|
|
|
|
|
|
|
return result
|
2015-11-05 10:11:23 -06:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_add_manager(baseuser_add_manager):
|
|
|
|
|
__doc__ = _("Add a manager to the stage user entry")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_remove_manager(baseuser_remove_manager):
|
|
|
|
|
__doc__ = _("Remove a manager to the stage user entry")
|
2017-01-18 06:24:29 -06:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_add_cert(baseuser_add_cert):
|
|
|
|
|
__doc__ = _("Add one or more certificates to the stageuser entry")
|
|
|
|
|
msg_summary = _('Added certificates to stageuser "%(value)s"')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_remove_cert(baseuser_remove_cert):
|
|
|
|
|
__doc__ = _("Remove one or more certificates to the stageuser entry")
|
|
|
|
|
msg_summary = _('Removed certificates from stageuser "%(value)s"')
|
2017-01-18 06:25:11 -06:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_add_principal(baseuser_add_principal):
|
|
|
|
|
__doc__ = _('Add new principal alias to the stageuser entry')
|
|
|
|
|
msg_summary = _('Added new aliases to stageuser "%(value)s"')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_remove_principal(baseuser_remove_principal):
|
|
|
|
|
__doc__ = _('Remove principal alias from the stageuser entry')
|
|
|
|
|
msg_summary = _('Removed aliases from stageuser "%(value)s"')
|
2016-12-20 09:21:58 -06:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_add_certmapdata(baseuser_add_certmapdata):
|
|
|
|
|
__doc__ = _("Add one or more certificate mappings to the stage user"
|
|
|
|
|
" entry.")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
|
class stageuser_remove_certmapdata(baseuser_remove_certmapdata):
|
|
|
|
|
__doc__ = _("Remove one or more certificate mappings from the stage user"
|
|
|
|
|
" entry.")
|
