freeipa/ipa_server/servercore.py

465 lines
15 KiB
Python
Raw Normal View History

2008-09-12 11:36:04 -05:00
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import ldap
import string
import re
2008-09-29 23:48:53 -05:00
from ipa_server.context import context
2008-10-13 16:17:00 -05:00
from ipa_server import ipaldap
2008-09-29 23:48:53 -05:00
import ipautil
from ipalib import errors
from ipalib import api
2008-09-12 11:36:04 -05:00
def convert_entry(ent):
entry = dict(ent.data)
entry['dn'] = ent.dn
# For now convert single entry lists to a string for the ui.
# TODO: we need to deal with multi-values better
for key,value in entry.iteritems():
if isinstance(value,list) or isinstance(value,tuple):
if len(value) == 0:
entry[key] = ''
elif len(value) == 1:
entry[key] = value[0]
return entry
def convert_scalar_values(orig_dict):
"""LDAP update dicts expect all values to be a list (except for dn).
This method converts single entries to a list."""
new_dict={}
for (k,v) in orig_dict.iteritems():
if not isinstance(v, list) and k != 'dn':
v = [v]
new_dict[k] = v
return new_dict
def generate_match_filters(search_fields, criteria_words):
"""Generates a search filter based on a list of words and a list
of fields to search against.
Returns a tuple of two filters: (exact_match, partial_match)"""
# construct search pattern for a single word
# (|(f1=word)(f2=word)...)
search_pattern = "(|"
for field in search_fields:
search_pattern += "(" + field + "=%(match)s)"
search_pattern += ")"
gen_search_pattern = lambda word: search_pattern % {'match':word}
# construct the giant match for all words
exact_match_filter = "(&"
partial_match_filter = "(|"
for word in criteria_words:
exact_match_filter += gen_search_pattern(word)
partial_match_filter += gen_search_pattern("*%s*" % word)
exact_match_filter += ")"
partial_match_filter += ")"
return (exact_match_filter, partial_match_filter)
2008-09-12 11:36:04 -05:00
# TODO: rethink the get_entry vs get_list API calls.
# they currently restrict the data coming back without
# restricting scope. For now adding a get_base/sub_entry()
# calls, but the API isn't great.
def get_entry (base, scope, searchfilter, sattrs=None):
"""Get a specific entry (with a parametized scope).
Return as a dict of values.
Multi-valued fields are represented as lists.
"""
ent=""
ent = context.conn.getConn().getEntry(base, scope, searchfilter, sattrs)
return convert_entry(ent)
def get_base_entry (base, searchfilter, sattrs=None):
"""Get a specific entry (with a scope of BASE).
Return as a dict of values.
Multi-valued fields are represented as lists.
"""
return get_entry(base, ldap.SCOPE_BASE, searchfilter, sattrs)
def get_sub_entry (base, searchfilter, sattrs=None):
"""Get a specific entry (with a scope of SUB).
Return as a dict of values.
Multi-valued fields are represented as lists.
"""
return get_entry(base, ldap.SCOPE_SUBTREE, searchfilter, sattrs)
def get_one_entry (base, searchfilter, sattrs=None):
"""Get the children of an entry (with a scope of ONE).
Return as a list of dict of values.
Multi-valued fields are represented as lists.
"""
return get_list(base, searchfilter, sattrs, ldap.SCOPE_ONELEVEL)
def get_list (base, searchfilter, sattrs=None, scope=ldap.SCOPE_SUBTREE):
2008-09-12 11:36:04 -05:00
"""Gets a list of entries. Each is converted to a dict of values.
Multi-valued fields are represented as lists.
"""
entries = []
entries = context.conn.getConn().getList(base, scope, searchfilter, sattrs)
2008-09-12 11:36:04 -05:00
return map(convert_entry, entries)
2008-10-13 16:17:00 -05:00
def has_nsaccountlock(dn):
"""Check to see if an entry has the nsaccountlock attribute.
This attribute is provided by the Class of Service plugin so
doing a search isn't enough. It is provided by the two
entries cn=inactivated and cn=activated. So if the entry has
the attribute and isn't in either cn=activated or cn=inactivated
then the attribute must be in the entry itself.
Returns True or False
"""
# First get the entry. If it doesn't have nsaccountlock at all we
# can exit early.
entry = get_entry_by_dn(dn, ['dn', 'nsaccountlock', 'memberof'])
if not entry.get('nsaccountlock'):
return False
# Now look to see if they are in activated or inactivated
# entry is a member
memberof = entry.get('memberof')
if isinstance(memberof, basestring):
memberof = [memberof]
for m in memberof:
inactivated = m.find("cn=inactivated")
activated = m.find("cn=activated")
# if they are in either group that means that the nsaccountlock
# value comes from there, otherwise it must be in this entry.
if inactivated >= 0 or activated >= 0:
return False
return True
# General searches
def get_entry_by_dn (dn, sattrs=None):
"""Get a specific entry. Return as a dict of values.
Multi-valued fields are represented as lists.
"""
searchfilter = "(objectClass=*)"
2008-11-03 16:18:45 -06:00
api.log.info("IPA: get_entry_by_dn '%s'" % dn)
return get_base_entry(dn, searchfilter, sattrs)
2008-10-09 22:11:03 -05:00
def get_entry_by_cn (cn, sattrs):
"""Get a specific entry by cn. Return as a dict of values.
Multi-valued fields are represented as lists.
"""
2008-11-03 16:18:45 -06:00
api.log.info("IPA: get_entry_by_cn '%s'" % cn)
2008-10-09 22:11:03 -05:00
# cn = self.__safe_filter(cn)
searchfilter = "(cn=%s)" % cn
return get_sub_entry("cn=accounts," + api.env.basedn, searchfilter, sattrs)
2008-10-09 22:11:03 -05:00
2008-10-13 16:17:00 -05:00
def get_user_by_uid(uid, sattrs):
"""Get a specific user's entry."""
# FIXME: should accept a container to look in
# uid = self.__safe_filter(uid)
searchfilter = "(&(uid=%s)(objectclass=posixAccount))" % uid
2008-10-13 16:17:00 -05:00
return get_sub_entry("cn=accounts," + api.env.basedn, searchfilter, sattrs)
2008-10-13 16:17:00 -05:00
# User support
def entry_exists(dn):
"""Return True if the entry exists, False otherwise."""
try:
get_base_entry(dn, "objectclass=*", ['dn','objectclass'])
2008-10-13 16:17:00 -05:00
return True
except errors.NotFound:
return False
2008-10-07 03:31:22 -05:00
def get_user_by_uid (uid, sattrs):
"""Get a specific user's entry. Return as a dict of values.
Multi-valued fields are represented as lists.
"""
if not isinstance(uid,basestring) or len(uid) == 0:
raise SyntaxError("uid is not a string")
# raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
if sattrs is not None and not isinstance(sattrs,list):
raise SyntaxError("sattrs is not a list")
# raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
2008-11-03 16:18:45 -06:00
api.log.info("IPA: get_user_by_uid '%s'" % uid)
2008-10-07 03:31:22 -05:00
# uid = self.__safe_filter(uid)
searchfilter = "(uid=" + uid + ")"
return get_sub_entry("cn=accounts," + api.env.basedn, searchfilter, sattrs)
2008-10-07 03:31:22 -05:00
def uid_too_long(uid):
"""Verify that the new uid is within the limits we set. This is a
very narrow test.
Returns True if it is longer than allowed
False otherwise
"""
if not isinstance(uid,basestring) or len(uid) == 0:
# It is bad, but not too long
return False
2008-11-03 16:18:45 -06:00
api.log.debug("IPA: __uid_too_long(%s)" % uid)
try:
config = get_ipa_config()
maxlen = int(config.get('ipamaxusernamelength', 0))
if maxlen > 0 and len(uid) > maxlen:
return True
except Exception, e:
2008-11-03 16:18:45 -06:00
api.log.debug("There was a problem " + str(e))
pass
return False
2008-10-07 03:31:22 -05:00
def update_entry (entry):
2008-09-12 11:36:04 -05:00
"""Update an LDAP entry
2008-10-07 03:31:22 -05:00
entry is a dict
This refreshes the record from LDAP in order to obtain the list of
attributes that has changed.
2008-09-12 11:36:04 -05:00
"""
2008-10-07 03:31:22 -05:00
attrs = entry.keys()
o = get_base_entry(entry['dn'], "objectclass=*", attrs)
oldentry = convert_scalar_values(o)
newentry = convert_scalar_values(entry)
2008-09-12 11:36:04 -05:00
# Should be able to get this from either the old or new entry
# but just in case someone has decided to try changing it, use the
# original
try:
moddn = oldentry['dn']
except KeyError, e:
# FIXME: return a missing DN error message
raise e
2008-10-07 03:31:22 -05:00
return context.conn.getConn().updateEntry(moddn, oldentry, newentry)
2008-09-12 11:36:04 -05:00
def add_entry(entry):
"""Add a new entry"""
return context.conn.getConn().addEntry(entry)
def delete_entry(dn):
"""Remove an entry"""
return context.conn.getConn().deleteEntry(dn)
# FIXME, get time and search limit from cn=ipaconfig
def search(base, filter, attributes, timelimit=1, sizelimit=3000):
"""Perform an LDAP query"""
try:
timelimit = float(timelimit)
results = context.conn.getConn().getListAsync(base, ldap.SCOPE_SUBTREE,
filter, attributes, 0, None, None, timelimit, sizelimit)
except ldap.NO_SUCH_OBJECT:
raise errors.NotFound
counter = results[0]
entries = [counter]
for r in results[1:]:
entries.append(convert_entry(r))
return entries
2008-09-12 11:36:04 -05:00
def uniq_list(x):
"""Return a unique list, preserving order and ignoring case"""
myset = {}
return [myset.setdefault(e.lower(),e) for e in x if e.lower() not in myset]
2008-09-12 11:36:04 -05:00
def get_schema():
"""Retrieves the current LDAP schema from the LDAP server."""
schema_entry = get_base_entry("", "objectclass=*", ['dn','subschemasubentry'])
schema_cn = schema_entry.get('subschemasubentry')
schema = get_base_entry(schema_cn, "objectclass=*", ['*'])
return schema
def get_objectclasses():
"""Returns a list of available objectclasses that the LDAP
server supports. This parses out the syntax, attributes, etc
and JUST returns a lower-case list of the names."""
schema = get_schema()
objectclasses = schema.get('objectclasses')
# Convert this list into something more readable
result = []
for i in range(len(objectclasses)):
oc = objectclasses[i].lower().split(" ")
result.append(oc[3].replace("'",""))
return result
def get_ipa_config():
"""Retrieve the IPA configuration"""
searchfilter = "cn=ipaconfig"
try:
config = get_sub_entry("cn=etc," + api.env.basedn, searchfilter)
except ldap.NO_SUCH_OBJECT, e:
# FIXME
raise errors.NotFound
return config
2008-10-13 16:17:00 -05:00
def modify_password(dn, oldpass, newpass):
return context.conn.getConn().modifyPassword(dn, oldpass, newpass)
2008-10-13 16:17:00 -05:00
def mark_entry_active (dn):
"""Mark an entry as active in LDAP."""
# This can be tricky. The entry itself can be marked inactive
# by being in the inactivated group. It can also be inactivated by
# being the member of an inactive group.
#
# First we try to remove the entry from the inactivated group. Then
# if it is still inactive we have to add it to the activated group
# which will override the group membership.
res = ""
# First, check the entry status
entry = get_entry_by_dn(dn, ['dn', 'nsAccountlock'])
if entry.get('nsaccountlock', 'false').lower() == "false":
2008-11-03 16:18:45 -06:00
api.log.debug("IPA: already active")
2008-10-13 16:17:00 -05:00
raise errors.AlreadyActiveError
if has_nsaccountlock(dn):
2008-11-03 16:18:45 -06:00
api.log.debug("IPA: appears to have the nsaccountlock attribute")
2008-10-13 16:17:00 -05:00
raise errors.HasNSAccountLock
group = get_entry_by_cn("inactivated", None)
try:
remove_member_from_group(entry.get('dn'), group.get('dn'))
except errors.NotGroupMember:
# Perhaps the user is there as a result of group membership
pass
# Now they aren't a member of inactivated directly, what is the status
# now?
entry = get_entry_by_dn(dn, ['dn', 'nsAccountlock'])
if entry.get('nsaccountlock', 'false').lower() == "false":
# great, we're done
2008-11-03 16:18:45 -06:00
api.log.debug("IPA: removing from inactivated did it.")
return True
2008-10-13 16:17:00 -05:00
# So still inactive, add them to activated
group = get_entry_by_cn("activated", None)
res = add_member_to_group(dn, group.get('dn'))
2008-11-03 16:18:45 -06:00
api.log.debug("IPA: added to activated.")
2008-10-13 16:17:00 -05:00
return res
def mark_entry_inactive (dn):
"""Mark an entry as inactive in LDAP."""
entry = get_entry_by_dn(dn, ['dn', 'nsAccountlock', 'memberOf'])
if entry.get('nsaccountlock', 'false').lower() == "true":
2008-11-03 16:18:45 -06:00
api.log.debug("IPA: already marked as inactive")
2008-10-13 16:17:00 -05:00
raise errors.AlreadyInactiveError
if has_nsaccountlock(dn):
2008-11-03 16:18:45 -06:00
api.log.debug("IPA: appears to have the nsaccountlock attribute")
2008-10-13 16:17:00 -05:00
raise errors.HasNSAccountLock
# First see if they are in the activated group as this will override
# the our inactivation.
group = get_entry_by_cn("activated", None)
try:
remove_member_from_group(dn, group.get('dn'))
except errors.NotGroupMember:
# this is fine, they may not be explicitly in this group
pass
# Now add them to inactivated
group = get_entry_by_cn("inactivated", None)
res = add_member_to_group(dn, group.get('dn'))
return res
def add_member_to_group(member_dn, group_dn):
"""
Add a member to an existing group.
"""
2008-11-03 16:18:45 -06:00
api.log.info("IPA: add_member_to_group '%s' to '%s'" % (member_dn, group_dn))
2008-10-13 16:17:00 -05:00
if member_dn.lower() == group_dn.lower():
# You can't add a group to itself
raise errors.SameGroupError
group = get_entry_by_dn(group_dn, None)
if group is None:
raise errors.NotFound
# check to make sure member_dn exists
member_entry = get_base_entry(member_dn, "(objectClass=*)", ['dn','objectclass'])
if not member_entry:
raise errors.NotFound
# Add the new member to the group member attribute
members = group.get('member', [])
if isinstance(members, basestring):
members = [members]
members.append(member_dn)
group['member'] = members
2008-10-13 16:17:00 -05:00
try:
return update_entry(group)
except errors.EmptyModlist:
raise
def remove_member_from_group(member_dn, group_dn=None):
"""Remove a member_dn from an existing group."""
group = get_entry_by_dn(group_dn, None)
if group is None:
raise errors.NotFound
"""
if group.get('cn') == "admins":
member = get_entry_by_dn(member_dn, ['dn','uid'])
if member.get('uid') == "admin":
raise ipaerror.gen_exception(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS)
"""
2008-11-03 16:18:45 -06:00
api.log.info("IPA: remove_member_from_group '%s' from '%s'" % (member_dn, group_dn))
2008-10-13 16:17:00 -05:00
members = group.get('member', False)
if not members:
raise errors.NotGroupMember
if isinstance(members,basestring):
members = [members]
for i in range(len(members)):
members[i] = ipaldap.IPAdmin.normalizeDN(members[i])
try:
members.remove(member_dn)
except ValueError:
# member is not in the group
# FIXME: raise more specific error?
2008-10-13 16:17:00 -05:00
raise errors.NotGroupMember
except Exception, e:
raise e
group['member'] = members
2008-10-13 16:17:00 -05:00
try:
return update_entry(group)
except errors.EmptyModlist:
raise