From 6a8026f974c4ab65313729eb9e61303b5395a0c0 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 24 Oct 2008 11:39:47 -0400 Subject: [PATCH 1/2] If a password is supplied then this host will be bulk-enrolled A bulk-enrolled host does not get a kerberos service principal until enrollment time. --- ipalib/plugins/f_host.py | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/ipalib/plugins/f_host.py b/ipalib/plugins/f_host.py
index da2815480..4f4f72044 100644
--- a/ipalib/plugins/f_host.py
+++ b/ipalib/plugins/f_host.py
@@ -103,6 +103,9 @@ class host_add(crud.Add):
The dn should not be passed as a keyword argument as it is constructed by this method.
+ If password is set then this is considered a 'bulk' host so we
+ do not create a kerberos service principal.
+
 Returns the entry as it will be created in LDAP. :param hostname: The name of the host being added.
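Review bot: The added docstring names the trigger as `password`, but the keyword the implementation actually tests (in the next hunk of the same patch) is `userpassword` via `kw.get('userpassword', False)`, so a reader following this docstring would pass the wrong argument and silently get a Kerberos host instead of a bulk one. Suggest `If userpassword is set then this is considered a 'bulk' host so we do not create a kerberos service principal; the supplied value is passed through to the LDAP entry as userPassword.` The docstring belongs to execute(), whose body lies outside this hunk.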
@@ -110,27 +113,39 @@ class host_add(crud.Add):
"""
assert 'cn' not in kw
assert 'dn' not in kw
+ assert 'krbprincipalname' not in kw
ldap = self.api.Backend.ldap
kw['cn'] = hostname
kw['serverhostname'] = hostname.split('.',1)[0]
kw['dn'] = ldap.make_host_dn(hostname)
- kw['krbPrincipalName'] = "host/%s@%s" % (hostname, self.api.env.realm)
# FIXME: do a DNS lookup to ensure host exists
current = util.get_current_principal()
if not current:
raise errors.NotFound('Unable to determine current user')
- kw['enrolledBy'] = ldap.find_entry_dn("krbPrincipalName", current, "person")
+ kw['enrolledby'] = ldap.find_entry_dn("krbPrincipalName", current, "posixAccount")
# Get our configuration
config = ldap.get_ipa_config()
# some required objectclasses
# FIXME: add this attribute to cn=ipaconfig
- #kw['objectClass'] = config.get('ipahostobjectclasses')
- kw['objectClass'] = ['nsHost', 'krbPrincipalAux', 'ipaHost']
+ #kw['objectclass'] = config.get('ipahostobjectclasses')
+ kw['objectclass'] = ['nsHost', 'ipaHost']
+
+ # Ensure the list of objectclasses is lower-case
+ kw['objectclass'] = map(lambda z: z.lower(), kw.get('objectclass'))
+
+ if not kw.get('userpassword', False):
+ kw['krbprincipalname'] = "host/%s@%s" % (hostname, self.api.env.realm)
+
+ if 'krbprincipalaux' not in kw.get('objectclass'):
+ kw['objectclass'].append('krbprincipalaux')
+ else:
+ if 'krbprincipalaux' in kw.get('objectclass'):
+ kw['objectclass'].remove('krbprincipalaux')
return ldap.create(**kw)
def output_for_cli(self, ret):
From 8788afe18403e7585e4fc2b6a52a352a035fee0b Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 24 Oct 2008 11:40:47 -0400 Subject: [PATCH 2/2] Use posixAccount instead of person to identify users Add output_for_cli to service-find --- ipa_server/plugins/b_ldap.py | 2 +- ipa_server/servercore.py | 2 +- ipalib/plugins/f_passwd.py | 2 +- ipalib/plugins/f_service.py | 10 ++++++++-- 4 files changed, 11 insertions(+), 5 deletions(-)
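Review bot: The new `assert 'krbprincipalname' not in kw` is the only thing preventing a caller from supplying its own principal name for the host, and assert statements vanish when Python runs with -O, so the guard should be an explicit error: `if 'krbprincipalname' in kw: raise ValueError('krbprincipalname is derived from hostname')` (or whichever type in `errors` the other commands raise for bad input). The hostname is also interpolated unvalidated into `"host/%s@%s"`; a value containing `@` or `/` produces a principal for a different name or realm, which the `# FIXME: do a DNS lookup` comment does not cover, so reject those characters before the principal is built. Whether the bulk password in `userpassword` is hashed before it lands in the entry is decided by the directory server's storage scheme, not by this code — a one-line comment on the `if not kw.get('userpassword', False)` branch saying so would save the next reader a search. Note the `else` branch's `remove('krbprincipalaux')` is unreachable as written, because `kw['objectclass']` was hard-coded to `['nsHost', 'ipaHost']` a few lines above; it only becomes live once the config-driven list behind the FIXME is enabled. The `def execute(...)` line sits before this hunk.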
diff --git a/ipa_server/plugins/b_ldap.py b/ipa_server/plugins/b_ldap.py
index a7a3c8b35..2c65ba457 100644
--- a/ipa_server/plugins/b_ldap.py
+++ b/ipa_server/plugins/b_ldap.py
@@ -88,7 +88,7 @@ class ldap(CrudBackend):
attribute = attribute.lower()
object_type = None
if attribute == "uid": # User
- object_type = "person"
+ object_type = "posixAccount"
elif attribute == "cn": # Group
object_type = "posixGroup"
elif attribute == "krbprincipalname": # Service
diff --git a/ipa_server/servercore.py b/ipa_server/servercore.py
index e69967a90..052c386b8 100644
--- a/ipa_server/servercore.py
+++ b/ipa_server/servercore.py
@@ -168,7 +168,7 @@ def get_user_by_uid(uid, sattrs):
"""Get a specific user's entry."""
# FIXME: should accept a container to look in
# uid = self.__safe_filter(uid)
- searchfilter = "(&(uid=%s)(objectclass=person))" % uid
+ searchfilter = "(&(uid=%s)(objectclass=posixAccount))" % uid
return get_sub_entry("cn=accounts," + api.env.basedn, searchfilter, sattrs)
diff --git a/ipalib/plugins/f_passwd.py b/ipalib/plugins/f_passwd.py
index f70eacac8..7b424a3bc 100644
--- a/ipalib/plugins/f_passwd.py
+++ b/ipalib/plugins/f_passwd.py
@@ -60,7 +60,7 @@ class passwd(frontend.Command):
else:
principal = principal
- dn = ldap.find_entry_dn("krbprincipalname", principal, "person")
+ dn = ldap.find_entry_dn("krbprincipalname", principal, "posixAccount")
# FIXME: we need a way to prompt for passwords using getpass
kw['newpass'] = "password"
diff --git a/ipalib/plugins/f_service.py b/ipalib/plugins/f_service.py
index 38c80ad2b..9e9cec538 100644
--- a/ipalib/plugins/f_service.py
+++ b/ipalib/plugins/f_service.py
@@ -110,7 +110,7 @@ class service_add(crud.Add):
def output_to_cli(self, ret):
if ret:
- print "Service added"
+ print "Service added"
api.register(service_add)
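Review bot: In the servercore.py hunk `uid` is formatted into the search filter unescaped on the changed line — the commented-out `# uid = self.__safe_filter(uid)` directly above it is the missing step — so a uid containing `*`, `(`, `)` or `\` rewrites the filter (a bare `*` matches every posixAccount under cn=accounts). Unless every caller already validates uid, escape it before formatting, for example `searchfilter = "(&(uid=%s)(objectclass=posixAccount))" % ldap.filter.escape_filter_chars(uid)` if python-ldap is in scope in this module, or by reinstating the `__safe_filter` helper. Switching the class test to posixAccount is presumably correct for POSIX users, but any user entry that lacks that class would no longer be found by uid — confirm no such entries exist in this tree. get_user_by_uid's closing lines may extend past the hunk.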
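Review bot: In the f_passwd.py hunk the changed lookup feeds straight into `kw['newpass'] = "password"` two lines below, so as committed every run of this command resets the target principal's password to the literal string `password`; until the getpass FIXME is resolved the command should refuse to proceed rather than set a known value, e.g. replace the constant with `raise NotImplementedError('password prompting is not implemented yet')`. Restricting the DN lookup to `posixAccount` also means a service principal (a krbPrincipalAux entry without posixAccount) can no longer have its password set through this command; if that is intended, say so in the command's docstring. The enclosing execute() starts before this hunk.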
@@ -146,7 +146,7 @@ class service_find(crud.Find):
def execute(self, principal, **kw):
ldap = self.api.Backend.ldap
- kw['filter'] = "&(objectclass=krbPrincipalAux)(!(objectClass=person))(!(|(krbprincipalname=kadmin/*)(krbprincipalname=K/M@*)(krbprincipalname=krbtgt/*)))"
+ kw['filter'] = "&(objectclass=krbPrincipalAux)(!(objectClass=posixAccount))(!(|(krbprincipalname=kadmin/*)(krbprincipalname=K/M@*)(krbprincipalname=krbtgt/*)))"
kw['krbprincipalname'] = principal
object_type = ldap.get_object_type("krbprincipalname")
@@ -193,5 +193,11 @@ class service_show(crud.Get):
dn = ldap.find_entry_dn("krbprincipalname", principal)
# FIXME: should kw contain the list of attributes to display?
return ldap.retrieve(dn)
+ def output_for_cli(self, service):
+ if not service:
+ return
+
+ for a in service.keys():
+ print "%s: %s" % (a, service[a])
api.register(service_show)
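Review bot: After patch 1/2, host entries created without a password also carry `krbprincipalaux` and are not `posixAccount`, so the changed filter makes `service-find` list `host/...` principals alongside services; if hosts are not meant to appear here, add `(!(objectclass=ipaHost))` to the filter. The kadmin/*, K/M@* and krbtgt/* exclusion is a prefix denylist, so any internal principal added later is listed by default — an allowlist on the objectclasses services actually carry would be more robust, though which classes those are is not visible in this hunk. The user-supplied `principal` is stored in `kw['krbprincipalname']` and combined with the filter elsewhere; whatever does that must escape LDAP filter metacharacters, since a `*` would otherwise widen the search. execute() continues past the end of this hunk.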
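Review bot: The new `output_for_cli` prints every attribute `ldap.retrieve(dn)` returns with no filtering, so if the bound identity is permitted to read sensitive or binary attributes on the service entry (Kerberos key material such as krbPrincipalKey, if the server exposes it) they are written to the terminal verbatim. Print only the attributes the command documents, or at least skip values that are not printable text; the `# FIXME: should kw contain the list of attributes to display?` in the same hunk points at the same gap. The commit message says the method was added to service-find, but the hunk adds it to `service_show`. A one-line docstring such as `"""Print each attribute of the retrieved service entry, one per line."""` would also help.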