Remove radius options completely.

This has been completely abandoned since ipa v1 and is not built by default.
Instead of carrying dead weight, let's remove it for now.

Fixes: https://fedorahosted.org/freeipa/ticket/761
Simo Sorce 2011-01-13 16:57:23 -05:00
parent da7eb1155e
commit 7ee490e35c
32 changed files with 7 additions and 3223 deletions


@ -1,7 +1,6 @@
include VERSION
SUBDIRS=daemons install ipapython ipa-client
RADIUSDIRS=ipa-radius-server ipa-radius-admintools
CLIENTDIRS=ipapython ipa-client
PRJ_PREFIX=ipa
@ -48,11 +47,6 @@ client: client-autogen
(cd $$subdir && $(MAKE) all) || exit 1; \
done
radius:
@for subdir in $(RADIUSDIRS); do \
(cd $$subdir && $(MAKE) all) || exit 1; \
done
bootstrap-autogen: version-update client-autogen
@echo "Building IPA $(IPA_VERSION)"
cd daemons; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
@ -78,11 +72,6 @@ client-install: client
python setup-client.py install --root $(DESTDIR); \
fi
radius-install: radius install
@for subdir in $(RADIUSDIRS); do \
(cd $$subdir && $(MAKE) install) || exit 1; \
done
test:
$(MAKE) -C install/po test_lang
./make-test
@ -204,7 +193,5 @@ maintainer-clean: clean
cd install && $(MAKE) maintainer-clean
cd ipa-client && $(MAKE) maintainer-clean
cd ipapython && $(MAKE) maintainer-clean
cd ipa-radius-admintools && $(MAKE) maintainer-clean
cd ipa-radius-server && $(MAKE) maintainer-clean
rm -f version.m4
rm -f ipa.spec


@ -32,7 +32,7 @@ po_files = $(patsubst %, %.po, $(languages))
mo_files = $(patsubst %.po, %.mo, $(po_files))
po_count=$(words $(po_files))
PY_FILES = $(shell cd ../..; git ls-files | grep -v -e "^tests/" -e "^doc/" -e "^install/po/" -e "^ipapython/test/" -e "^ipa-radius-server/" -e "setup.py" -e "setup-client.py" | grep "\.py$$" | tr '\n' ' '; cd install/po)
PY_FILES = $(shell cd ../..; git ls-files | grep -v -e "^tests/" -e "^doc/" -e "^install/po/" -e "^ipapython/test/" -e "setup.py" -e "setup-client.py" | grep "\.py$$" | tr '\n' ' '; cd install/po)
C_FILES = $(shell cd ../..; git ls-files | grep "\.c$$" | tr '\n' ' '; cd install/po)
H_FILES = $(shell cd ../..; git ls-files | grep "\.h$$" | tr '\n' ' '; cd install/po)
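Review bot: The new `PY_FILES = $(shell cd ../..; git ls-files | … )` line keeps the recursive `=` flavour, so the whole `git ls-files | grep | tr` pipeline is re-run in a subshell every time `$(PY_FILES)` is expanded instead of once at parse time; `PY_FILES := $(shell …)` evaluates it once with the same result. The trailing `; cd install/po` inside the `$(shell …)` has no effect, because the subshell exits right after it, and can be dropped. The `C_FILES` and `H_FILES` context lines below share both points, though the commit does not touch them. The unanchored exclusions `-e "setup.py" -e "setup-client.py"` match any path containing those characters (the `.` is a regex wildcard), which is presumably meant only for the two top-level scripts; anchoring them like the `^tests/` patterns, e.g. `-e "^setup\.py$$" -e "^setup-client\.py$$"`, would keep them from hiding other files from the translation scan.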


@ -1,559 +0,0 @@
# This is a LDAPv3 schema for RADIUS attributes.
# Tested on OpenLDAP 2.0.7
# Posted by Javier Fernandez-Sanguino Pena <jfernandez@sgi.es>
# LDAP v3 version by Jochen Friedrich <jochen@scram.de>
# Updates by Adrian Pavlykevych <pam@polynet.lviv.ua>
# Modified by John Dennis <jdennis@redhat.com> for use with Directory Sever/IPA
#
# Note: These OID's do not seem to be registered, the closest I could find
# was 1.3.6.1.4.1.3317
# {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) gnome(3317)}
#
##############
dn: cn=schema
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.1
NAME 'radiusArapFeatures'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.2
NAME 'radiusArapSecurity'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.3
NAME 'radiusArapZoneAccess'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.44
NAME 'radiusAuthType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.4
NAME 'radiusCallbackId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.5
NAME 'radiusCallbackNumber'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.6
NAME 'radiusCalledStationId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.7
NAME 'radiusCallingStationId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.8
NAME 'radiusClass'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.45
NAME 'radiusClientIPAddress'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.9
NAME 'radiusFilterId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.10
NAME 'radiusFramedAppleTalkLink'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.11
NAME 'radiusFramedAppleTalkNetwork'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.12
NAME 'radiusFramedAppleTalkZone'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.13
NAME 'radiusFramedCompression'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.14
NAME 'radiusFramedIPAddress'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.15
NAME 'radiusFramedIPNetmask'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.16
NAME 'radiusFramedIPXNetwork'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.17
NAME 'radiusFramedMTU'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.18
NAME 'radiusFramedProtocol'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.19
NAME 'radiusFramedRoute'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.20
NAME 'radiusFramedRouting'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.46
NAME 'radiusGroupName'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.47
NAME 'radiusHint'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.48
NAME 'radiusHuntgroupName'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.21
NAME 'radiusIdleTimeout'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.22
NAME 'radiusLoginIPHost'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.23
NAME 'radiusLoginLATGroup'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.24
NAME 'radiusLoginLATNode'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.25
NAME 'radiusLoginLATPort'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.26
NAME 'radiusLoginLATService'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.27
NAME 'radiusLoginService'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.28
NAME 'radiusLoginTCPPort'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.29
NAME 'radiusPasswordRetry'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.30
NAME 'radiusPortLimit'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.49
NAME 'radiusProfileDn'
DESC ''
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.31
NAME 'radiusPrompt'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.50
NAME 'radiusProxyToRealm'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.51
NAME 'radiusReplicateToRealm'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.52
NAME 'radiusRealm'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.32
NAME 'radiusServiceType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.33
NAME 'radiusSessionTimeout'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.34
NAME 'radiusTerminationAction'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.35
NAME 'radiusTunnelAssignmentId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.36
NAME 'radiusTunnelMediumType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.37
NAME 'radiusTunnelPassword'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.38
NAME 'radiusTunnelPreference'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.39
NAME 'radiusTunnelPrivateGroupId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.40
NAME 'radiusTunnelServerEndpoint'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.41
NAME 'radiusTunnelType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.42
NAME 'radiusVSA'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.43
NAME 'radiusTunnelClientEndpoint'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
#need to change asn1.id
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.53
NAME 'radiusSimultaneousUse'
DESC ''
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.54
NAME 'radiusLoginTime'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.55
NAME 'radiusUserCategory'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.56
NAME 'radiusStripUserName'
DESC ''
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.57
NAME 'dialupAccess'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.58
NAME 'radiusExpiration'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.59
NAME 'radiusCheckItem'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.60
NAME 'radiusReplyItem'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.61
NAME 'radiusNASIpAddress'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.62
NAME 'radiusReplyMessage'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
objectClasses:
( 1.3.6.1.4.1.3317.4.3.2.1
NAME 'radiusprofile'
SUP top AUXILIARY
DESC ''
MUST uid
MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
radiusCalledStationId $ radiusCallingStationId $ radiusClass $
radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
radiusFramedCompression $ radiusFramedIPAddress $
radiusFramedIPNetmask $ radiusFramedIPXNetwork $
radiusFramedMTU $ radiusFramedProtocol $
radiusCheckItem $ radiusReplyItem $
radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $
radiusGroupName $ radiusHint $ radiusHuntgroupName $
radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $
radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
radiusSessionTimeout $ radiusStripUserName $
radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDn $
radiusSimultaneousUse $ radiusTunnelAssignmentId $
radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $
radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
radiusTunnelType $ radiusUserCategory $ radiusVSA $
radiusExpiration $ dialupAccess $ radiusNASIpAddress $
radiusReplyMessage )
)
objectClasses:
( 1.3.6.1.4.1.3317.4.3.2.2
NAME 'radiusObjectProfile'
SUP top STRUCTURAL
DESC 'A Container Objectclass to be used for creating radius profile object'
MUST cn
MAY ( uid $ userPassword $ description )
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.64
NAME 'radiusClientSecret'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.65
NAME 'radiusClientNASType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.66
NAME 'radiusClientShortName'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
objectClasses:
( 1.3.6.1.4.1.3317.4.3.2.3
NAME 'radiusClientProfile'
SUP top STRUCTURAL
DESC 'A Container Objectclass to be used for describing radius clients'
MUST (radiusClientIPAddress $ radiusClientSecret)
MAY ( radiusClientNASType $ radiusClientShortName $ description )
)


@ -5,7 +5,6 @@ app_DATA = \
05rfc2247.ldif \
60kerberos.ldif \
60samba.ldif \
60radius.ldif \
60ipaconfig.ldif \
60basev2.ldif \
60ipasudo.ldif \


@ -169,30 +169,6 @@ gecos: Administrator
nsAccountLock: False
ipaUniqueID: autogenerate
dn: cn=radius,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: radius
dn: cn=clients,cn=radius,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: clients
dn: cn=profiles,cn=radius,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: profiles
dn: uid=ipa_default, cn=profiles,cn=radius,$SUFFIX
changetype: add
objectClass: top
objectClass: radiusprofile
uid: ipa_default
dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top


@ -34,12 +34,6 @@ add: aci
aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=radius,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
aci: (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=services,cn=accounts,$SUFFIX
changetype: modify
add: aci


@ -128,7 +128,6 @@
"posixaccount",
"krbprincipalaux",
"krbticketpolicyaux",
"radiusprofile",
"ipaobject",
"mepOriginEntry"
],


@ -1460,70 +1460,6 @@
"profilettl",
"ptrrecord",
"pwdpolicysubentry",
"radiusarapfeatures",
"radiusarapsecurity",
"radiusarapzoneaccess",
"radiusauthtype",
"radiuscallbackid",
"radiuscallbacknumber",
"radiuscalledstationid",
"radiuscallingstationid",
"radiuscheckitem",
"radiusclass",
"radiusclientipaddress",
"radiusclientnastype",
"radiusclientsecret",
"radiusclientshortname",
"radiusexpiration",
"radiusfilterid",
"radiusframedappletalklink",
"radiusframedappletalknetwork",
"radiusframedappletalkzone",
"radiusframedcompression",
"radiusframedipaddress",
"radiusframedipnetmask",
"radiusframedipxnetwork",
"radiusframedmtu",
"radiusframedprotocol",
"radiusframedroute",
"radiusframedrouting",
"radiusgroupname",
"radiushint",
"radiushuntgroupname",
"radiusidletimeout",
"radiusloginiphost",
"radiusloginlatgroup",
"radiusloginlatnode",
"radiusloginlatport",
"radiusloginlatservice",
"radiusloginservice",
"radiuslogintcpport",
"radiuslogintime",
"radiusnasipaddress",
"radiuspasswordretry",
"radiusportlimit",
"radiusprofiledn",
"radiusprompt",
"radiusproxytorealm",
"radiusrealm",
"radiusreplicatetorealm",
"radiusreplyitem",
"radiusreplymessage",
"radiusservicetype",
"radiussessiontimeout",
"radiussimultaneoususe",
"radiusstripusername",
"radiusterminationaction",
"radiustunnelassignmentid",
"radiustunnelclientendpoint",
"radiustunnelmediumtype",
"radiustunnelpassword",
"radiustunnelpreference",
"radiustunnelprivategroupid",
"radiustunnelserverendpoint",
"radiustunneltype",
"radiususercategory",
"radiusvsa",
"ref",
"registeredaddress",
"replicaabandonedchanges",


@ -31,7 +31,6 @@
"posixaccount",
"krbprincipalaux",
"krbticketpolicyaux",
"radiusprofile",
"ipaobject"
],
"sn": [
@ -47,4 +46,4 @@
"summary": "Added user \"snuffy\"",
"value": "snuffy"
}
}
}


@ -100,7 +100,6 @@
"posixaccount",
"krbprincipalaux",
"krbticketpolicyaux",
"radiusprofile",
"ipaobject"
],
"sn": [
@ -160,7 +159,6 @@
"posixaccount",
"krbprincipalaux",
"krbticketpolicyaux",
"radiusprofile",
"ipaobject"
],
"sn": [
@ -220,7 +218,6 @@
"posixaccount",
"krbprincipalaux",
"krbticketpolicyaux",
"radiusprofile",
"ipaobject"
],
"sn": [


@ -68,67 +68,6 @@
"postofficebox": "rscwo",
"preferreddeliverymethod": "rscwo",
"preferredlanguage": "rscwo",
"radiusarapfeatures": "rscwo",
"radiusarapsecurity": "rscwo",
"radiusarapzoneaccess": "rscwo",
"radiusauthtype": "rscwo",
"radiuscallbackid": "rscwo",
"radiuscallbacknumber": "rscwo",
"radiuscalledstationid": "rscwo",
"radiuscallingstationid": "rscwo",
"radiuscheckitem": "rscwo",
"radiusclass": "rscwo",
"radiusclientipaddress": "rscwo",
"radiusexpiration": "rscwo",
"radiusfilterid": "rscwo",
"radiusframedappletalklink": "rscwo",
"radiusframedappletalknetwork": "rscwo",
"radiusframedappletalkzone": "rscwo",
"radiusframedcompression": "rscwo",
"radiusframedipaddress": "rscwo",
"radiusframedipnetmask": "rscwo",
"radiusframedipxnetwork": "rscwo",
"radiusframedmtu": "rscwo",
"radiusframedprotocol": "rscwo",
"radiusframedroute": "rscwo",
"radiusframedrouting": "rscwo",
"radiusgroupname": "rscwo",
"radiushint": "rscwo",
"radiushuntgroupname": "rscwo",
"radiusidletimeout": "rscwo",
"radiusloginiphost": "rscwo",
"radiusloginlatgroup": "rscwo",
"radiusloginlatnode": "rscwo",
"radiusloginlatport": "rscwo",
"radiusloginlatservice": "rscwo",
"radiusloginservice": "rscwo",
"radiuslogintcpport": "rscwo",
"radiuslogintime": "rscwo",
"radiusnasipaddress": "rscwo",
"radiuspasswordretry": "rscwo",
"radiusportlimit": "rscwo",
"radiusprofiledn": "rscwo",
"radiusprompt": "rscwo",
"radiusproxytorealm": "rscwo",
"radiusrealm": "rscwo",
"radiusreplicatetorealm": "rscwo",
"radiusreplyitem": "rscwo",
"radiusreplymessage": "rscwo",
"radiusservicetype": "rscwo",
"radiussessiontimeout": "rscwo",
"radiussimultaneoususe": "rscwo",
"radiusstripusername": "rscwo",
"radiusterminationaction": "rscwo",
"radiustunnelassignmentid": "rscwo",
"radiustunnelclientendpoint": "rscwo",
"radiustunnelmediumtype": "rscwo",
"radiustunnelpassword": "rscwo",
"radiustunnelpreference": "rscwo",
"radiustunnelprivategroupid": "rscwo",
"radiustunnelserverendpoint": "rscwo",
"radiustunneltype": "rscwo",
"radiususercategory": "rscwo",
"radiusvsa": "rscwo",
"registeredaddress": "rscwo",
"roomnumber": "rscwo",
"secretary": "rscwo",
@ -204,7 +143,6 @@
"posixaccount",
"krbprincipalaux",
"krbticketpolicyaux",
"radiusprofile",
"ipaobject",
"mepOriginEntry"
],
@ -221,4 +159,4 @@
"summary": "Modified user \"kfrog\"",
"value": "kfrog"
}
}
}


@ -68,67 +68,6 @@
"postofficebox": "rscwo",
"preferreddeliverymethod": "rscwo",
"preferredlanguage": "rscwo",
"radiusarapfeatures": "rscwo",
"radiusarapsecurity": "rscwo",
"radiusarapzoneaccess": "rscwo",
"radiusauthtype": "rscwo",
"radiuscallbackid": "rscwo",
"radiuscallbacknumber": "rscwo",
"radiuscalledstationid": "rscwo",
"radiuscallingstationid": "rscwo",
"radiuscheckitem": "rscwo",
"radiusclass": "rscwo",
"radiusclientipaddress": "rscwo",
"radiusexpiration": "rscwo",
"radiusfilterid": "rscwo",
"radiusframedappletalklink": "rscwo",
"radiusframedappletalknetwork": "rscwo",
"radiusframedappletalkzone": "rscwo",
"radiusframedcompression": "rscwo",
"radiusframedipaddress": "rscwo",
"radiusframedipnetmask": "rscwo",
"radiusframedipxnetwork": "rscwo",
"radiusframedmtu": "rscwo",
"radiusframedprotocol": "rscwo",
"radiusframedroute": "rscwo",
"radiusframedrouting": "rscwo",
"radiusgroupname": "rscwo",
"radiushint": "rscwo",
"radiushuntgroupname": "rscwo",
"radiusidletimeout": "rscwo",
"radiusloginiphost": "rscwo",
"radiusloginlatgroup": "rscwo",
"radiusloginlatnode": "rscwo",
"radiusloginlatport": "rscwo",
"radiusloginlatservice": "rscwo",
"radiusloginservice": "rscwo",
"radiuslogintcpport": "rscwo",
"radiuslogintime": "rscwo",
"radiusnasipaddress": "rscwo",
"radiuspasswordretry": "rscwo",
"radiusportlimit": "rscwo",
"radiusprofiledn": "rscwo",
"radiusprompt": "rscwo",
"radiusproxytorealm": "rscwo",
"radiusrealm": "rscwo",
"radiusreplicatetorealm": "rscwo",
"radiusreplyitem": "rscwo",
"radiusreplymessage": "rscwo",
"radiusservicetype": "rscwo",
"radiussessiontimeout": "rscwo",
"radiussimultaneoususe": "rscwo",
"radiusstripusername": "rscwo",
"radiusterminationaction": "rscwo",
"radiustunnelassignmentid": "rscwo",
"radiustunnelclientendpoint": "rscwo",
"radiustunnelmediumtype": "rscwo",
"radiustunnelpassword": "rscwo",
"radiustunnelpreference": "rscwo",
"radiustunnelprivategroupid": "rscwo",
"radiustunnelserverendpoint": "rscwo",
"radiustunneltype": "rscwo",
"radiususercategory": "rscwo",
"radiusvsa": "rscwo",
"registeredaddress": "rscwo",
"roomnumber": "rscwo",
"secretary": "rscwo",
@ -205,7 +144,6 @@
"posixaccount",
"krbprincipalaux",
"krbticketpolicyaux",
"radiusprofile",
"ipaobject",
"mepOriginEntry"
],
@ -222,4 +160,4 @@
"summary": null,
"value": "kfrog"
}
}
}


@ -1,24 +0,0 @@
SBINDIR = $(DESTDIR)/usr/sbin
all: ;
install:
install -m 755 ipa-addradiusclient $(SBINDIR)
install -m 755 ipa-modradiusclient $(SBINDIR)
install -m 755 ipa-delradiusclient $(SBINDIR)
install -m 755 ipa-findradiusclient $(SBINDIR)
install -m 755 ipa-addradiusprofile $(SBINDIR)
install -m 755 ipa-modradiusprofile $(SBINDIR)
install -m 755 ipa-delradiusprofile $(SBINDIR)
install -m 755 ipa-findradiusprofile $(SBINDIR)
clean:
rm -f *~ *.pyc
distclean: clean
rm -f ipa-radius-admintools.spec
maintainer-clean: distclean
test:


@ -1,197 +0,0 @@
#! /usr/bin/python -E
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
from optparse import OptionParser
import ipa.ipaclient as ipaclient
import ipa.ipautil as ipautil
import ipa.config
import ipa.ipaerror
import ipa.radius_util as radius_util
import xmlrpclib
import kerberos
import ldap
#------------------------------------------------------------------------------
radius_attrs = radius_util.radius_client_attr_to_ldap_attr.keys()
radius_attr_to_ldap_attr = radius_util.radius_client_attr_to_ldap_attr
ldap_attr_to_radius_attr = radius_util.radius_client_ldap_attr_to_radius_attr
mandatory_radius_attrs = ['Client-IP-Address', 'Secret']
distinguished_attr = 'Client-IP-Address'
#------------------------------------------------------------------------------
def help_option_callback(option, opt_str, value, parser, *args, **kwargs):
parser.print_help()
print
print "Valid interative attributes are:"
print ipautil.format_list(radius_attrs, quote='"')
print
print "Required attributes are:"
print ipautil.format_list(mandatory_radius_attrs, quote='"')
sys.exit(0)
def main():
pairs = {}
opt_parser = OptionParser(add_help_option=False)
opt_parser.add_option("-a", "--Client-IP-Address", dest="ip_addr",
help="RADIUS client ip address")
opt_parser.add_option("-s", "--Secret", dest="secret",
help="RADIUS client ip address")
opt_parser.add_option("-n", "--Name", dest="name",
help="RADIUS client name")
opt_parser.add_option("-t", "--NAS-Type", dest="nastype",
help="RADIUS client NAS Type")
opt_parser.add_option("-d", "--Description", dest="desc",
help="description of the RADIUS client")
opt_parser.add_option("-h", "--help", action="callback", callback=help_option_callback,
help="detailed help information")
opt_parser.add_option("-i", "--interactive", dest="interactive", action='store_true', default=False,
help="interactive mode, prompts with auto-completion")
opt_parser.add_option("-p", "--pair", dest="pairs", action='append',
help="specify one or more attribute=value pair(s), value may be optionally quoted, pairs are delimited by whitespace")
opt_parser.add_option("-f", "--file", dest="pair_file",
help="attribute=value pair(s) are read from file, value may be optionally quoted, pairs are delimited by whitespace. Reads from stdin if file is -")
opt_parser.add_option("-v", "--verbose", dest="verbose", action='store_true',
help="print information")
opt_parser.set_usage("Usage: %s [options] %s" % (distinguished_attr, os.path.basename(sys.argv[0])))
ipa.config.add_standard_options(opt_parser)
options, args = opt_parser.parse_args()
if len(args) < 1:
opt_parser.error('missing %s' % (distinguished_attr))
ipa.config.init_config(options)
ip_addr = args[0]
pairs[distinguished_attr] = ip_addr
# Get pairs from a file or stdin
if options.pair_file:
try:
av = ipautil.read_pairs_file(options.pair_file)
pairs.update(av)
except Exception, e:
print "ERROR, could not read pairs (%s)" % (e)
# Get pairs specified on the command line as a named argument
if options.ip_addr: pairs[distinguished_attr] = options.ip_addr
if options.secret: pairs['Secret'] = options.secret
if options.name: pairs['Name'] = options.name
if options.nastype: pairs['NAS-Type'] = options.nastype
if options.desc: pairs['Description'] = options.desc
# Get pairs specified on the command line as a pair argument
if options.pairs:
for p in options.pairs:
av = ipautil.parse_key_value_pairs(p)
pairs.update(av)
# Get pairs interactively
if options.interactive:
# Prompt first for mandatory attributes which have not been previously specified
prompted_mandatory_attrs = []
existing_attrs = pairs.keys()
for attr in mandatory_radius_attrs:
if not attr in existing_attrs:
prompted_mandatory_attrs.append(attr)
c = ipautil.AttributeValueCompleter(radius_attrs, pairs)
c.open()
av = c.get_pairs("Enter: ", prompted_mandatory_attrs, radius_util.validate)
pairs.update(av)
c.close()
# FIXME: validation should be moved to xmlrpc server
# Data collection done, assure mandatory data has been specified
if pairs.has_key(distinguished_attr) and pairs[distinguished_attr] != ip_addr:
print "ERROR, %s specified on command line (%s) does not match value found in pairs (%s)" % \
(distinguished_attr, ip_addr, pairs[distinguished_attr])
return 1
valid = True
for attr in mandatory_radius_attrs:
if not pairs.has_key(attr):
valid = False
print "ERROR, %s is mandatory, but has not been specified" % (attr)
if not valid:
return 1
# Make sure each attribute is a member of the set of valid attributes
valid = True
for attr,value in pairs.items():
if attr not in radius_attrs:
valid = False
print "ERROR, %s is not a valid attribute" % (attr)
if not valid:
print "Valid attributes are:"
print ipautil.format_list(radius_attrs, quote='"')
return 1
# Makse sure each value is valid
valid = True
for attr,value in pairs.items():
if not radius_util.validate(attr, value):
valid = False
if not valid:
return 1
# Dump what we've got so far
if options.verbose:
print "Pairs:"
for attr,value in pairs.items():
print "\t%s = %s" % (attr, value)
radius_entity = radius_util.RadiusClient()
for attr,value in pairs.items():
radius_entity.setValue(radius_attr_to_ldap_attr[attr], value)
try:
ipa_client = ipaclient.IPAClient()
ipa_client.add_radius_client(radius_entity)
print "successfully added"
except xmlrpclib.Fault, f:
print f.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
except xmlrpclib.ProtocolError, e:
print "Unable to connect to IPA server: %s" % (e.errmsg)
return 1
except ipa.ipaerror.IPAError, e:
print "%s" % (e.message)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())


@ -1,196 +0,0 @@
#! /usr/bin/python -E
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
from optparse import OptionParser
import ipa.ipaclient as ipaclient
import ipa.ipautil as ipautil
import ipa.config
import ipa.ipaerror
import ipa.radius_util as radius_util
import xmlrpclib
import kerberos
import ldap
#------------------------------------------------------------------------------
radius_attrs = radius_util.radius_profile_attr_to_ldap_attr.keys()
radius_attr_to_ldap_attr = radius_util.radius_profile_attr_to_ldap_attr
ldap_attr_to_radius_attr = radius_util.radius_profile_ldap_attr_to_radius_attr
mandatory_radius_attrs = ['UID']
distinguished_attr = 'UID'
#------------------------------------------------------------------------------
def help_option_callback(option, opt_str, value, parser, *args, **kwargs):
parser.print_help()
print
print "Valid interative attributes are:"
print ipautil.format_list(radius_attrs, quote='"')
print
print "Required attributes are:"
print ipautil.format_list(mandatory_radius_attrs, quote='"')
sys.exit(0)
def main():
pairs = {}
opt_parser = OptionParser(add_help_option=False)
opt_parser.add_option("-u", "--uid", dest="uid",
help="RADIUS profile identifier")
opt_parser.add_option("-s", "--shared", dest="shared", default=False, action='store_true',
help="profile is shared")
opt_parser.add_option("-d", "--Description", dest="desc",
help="description of the RADIUS client")
opt_parser.add_option("-h", "--help", action="callback", callback=help_option_callback,
help="detailed help information")
opt_parser.add_option("-i", "--interactive", dest="interactive", action='store_true', default=False,
help="interactive mode, prompts with auto-completion")
opt_parser.add_option("-p", "--pair", dest="pairs", action='append',
help="specify one or more attribute=value pair(s), value may be optionally quoted, pairs are delimited by whitespace")
opt_parser.add_option("-f", "--file", dest="pair_file",
help="attribute=value pair(s) are read from file, value may be optionally quoted, pairs are delimited by whitespace. Reads from stdin if file is -")
opt_parser.add_option("-v", "--verbose", dest="verbose", action='store_true',
help="print information")
opt_parser.set_usage("Usage: %s [options] %s" % (distinguished_attr, os.path.basename(sys.argv[0])))
ipa.config.add_standard_options(opt_parser)
options, args = opt_parser.parse_args()
if len(args) < 1:
opt_parser.error('missing %s' % (distinguished_attr))
ipa.config.init_config(options)
uid = args[0]
user_profile = not options.shared
pairs[distinguished_attr] = uid
# Per user profiles are pre-created (i.e. objectclass radiusprofile is always added for each user)
if user_profile:
print "ERROR, you cannot add a per-user radius profile, it pre-exists"
return 1
# Get pairs from a file or stdin
if options.pair_file:
try:
av = ipautil.read_pairs_file(options.pair_file)
pairs.update(av)
except Exception, e:
print "ERROR, could not read pairs (%s)" % (e)
# Get pairs specified on the command line as a named argument
if options.uid: pairs['UID'] = options.uid
if options.desc: pairs['Description'] = options.desc
# Get pairs specified on the command line as a pair argument
if options.pairs:
for p in options.pairs:
av = ipautil.parse_key_value_pairs(p)
pairs.update(av)
# Get pairs interactively
if options.interactive:
# Prompt first for mandatory attributes which have not been previously specified
prompted_mandatory_attrs = []
existing_attrs = pairs.keys()
for attr in mandatory_radius_attrs:
if not attr in existing_attrs:
prompted_mandatory_attrs.append(attr)
c = ipautil.AttributeValueCompleter(radius_attrs, pairs)
c.open()
av = c.get_pairs("Enter: ", prompted_mandatory_attrs, radius_util.validate)
pairs.update(av)
c.close()
# FIXME: validation should be moved to xmlrpc server
# Data collection done, assure mandatory data has been specified
if pairs.has_key(distinguished_attr) and pairs[distinguished_attr] != uid:
print "ERROR, %s specified on command line (%s) does not match value found in pairs (%s)" % \
(distinguished_attr, uid, pairs[distinguished_attr])
return 1
valid = True
for attr in mandatory_radius_attrs:
if not pairs.has_key(attr):
valid = False
print "ERROR, %s is mandatory, but has not been specified" % (attr)
if not valid:
return 1
# Make sure each attribute is a member of the set of valid attributes
valid = True
for attr,value in pairs.items():
if attr not in radius_attrs:
valid = False
print "ERROR, %s is not a valid attribute" % (attr)
if not valid:
print "Valid attributes are:"
print ipautil.format_list(radius_attrs, quote='"')
return 1
# Makse sure each value is valid
valid = True
for attr,value in pairs.items():
if not radius_util.validate(attr, value):
valid = False
if not valid:
return 1
# Dump what we've got so far
if options.verbose:
print "Pairs:"
for attr,value in pairs.items():
print "\t%s = %s" % (attr, value)
radius_entity = radius_util.RadiusProfile()
for attr,value in pairs.items():
radius_entity.setValue(radius_attr_to_ldap_attr[attr], value)
try:
ipa_client = ipaclient.IPAClient()
ipa_client.add_radius_profile(radius_entity)
print "successfully added"
except xmlrpclib.Fault, f:
print f.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
except xmlrpclib.ProtocolError, e:
print "Unable to connect to IPA server: %s" % (e.errmsg)
return 1
except ipa.ipaerror.IPAError, e:
print "%s" % (e.message)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())


@ -1,79 +0,0 @@
#! /usr/bin/python -E
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os
import sys
from optparse import OptionParser
import ipa
import ipa.ipaclient as ipaclient
import ipa.ipavalidate as ipavalidate
import ipa.config
import ipa.ipaerror
import ipa.radius_util as radius_util
import xmlrpclib
import kerberos
import ldap
#------------------------------------------------------------------------------
def help_option_callback(option, opt_str, value, parser, *args, **kwargs):
parser.print_help()
sys.exit(0)
def main():
opt_parser = OptionParser(add_help_option=False)
opt_parser.add_option("-h", "--help", action="callback", callback=help_option_callback,
help="detailed help information")
opt_parser.set_usage("Usage: %s [options] Client-IP-Address" % (os.path.basename(sys.argv[0])))
ipa.config.add_standard_options(opt_parser)
options, args = opt_parser.parse_args()
if len(args) < 1:
opt_parser.error("missing Client-IP-Address")
ipa.config.init_config(options)
ip_addr = args[0]
try:
ipa_client = ipaclient.IPAClient()
ipa_client.delete_radius_client(ip_addr)
print "successfully deleted"
except xmlrpclib.Fault, f:
print f.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
except xmlrpclib.ProtocolError, e:
print "Unable to connect to IPA server: %s" % (e.errmsg)
return 1
except ipa.ipaerror.IPAError, e:
print "%s" % (e.message)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())


@ -1,87 +0,0 @@
#! /usr/bin/python -E
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os
import sys
from optparse import OptionParser
import ipa
import ipa.ipaclient as ipaclient
import ipa.ipavalidate as ipavalidate
import ipa.config
import ipa.ipaerror
import ipa.radius_util as radius_util
import xmlrpclib
import kerberos
import ldap
#------------------------------------------------------------------------------
def help_option_callback(option, opt_str, value, parser, *args, **kwargs):
parser.print_help()
sys.exit(0)
def main():
opt_parser = OptionParser(add_help_option=False)
opt_parser.add_option("-s", "--shared", dest="shared", default=False, action='store_true',
help="profile is shared")
opt_parser.add_option("-h", "--help", action="callback", callback=help_option_callback,
help="detailed help information")
opt_parser.set_usage("Usage: %s [options] UID" % (os.path.basename(sys.argv[0])))
ipa.config.add_standard_options(opt_parser)
options, args = opt_parser.parse_args()
if len(args) < 1:
opt_parser.error("missing UID")
ipa.config.init_config(options)
uid = args[0]
user_profile = not options.shared
# Per user profiles are pre-created (i.e. objectclass radiusprofile is always added for each user)
if user_profile:
print "ERROR, you cannot delete a per-user radius profile, it always exists"
return 1
try:
ipa_client = ipaclient.IPAClient()
ipa_client.delete_radius_profile(uid, user_profile)
print "successfully deleted"
except xmlrpclib.Fault, f:
print f.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
except xmlrpclib.ProtocolError, e:
print "Unable to connect to IPA server: %s" % (e.errmsg)
return 1
except ipa.ipaerror.IPAError, e:
print "%s" % (e.message)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())


@ -1,106 +0,0 @@
#! /usr/bin/python -E
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os
import sys
from optparse import OptionParser
import ipa
from ipa import radius_util
import ipa.ipaclient as ipaclient
import ipa.ipavalidate as ipavalidate
import ipa.config
import ipa.ipaerror
import ipa.ipautil
import xmlrpclib
import kerberos
import ldap
#------------------------------------------------------------------------------
attrs = radius_util.radius_client_ldap_attr_to_radius_attr.keys()
#------------------------------------------------------------------------------
def parse_options():
return options, args
#------------------------------------------------------------------------------
# FIXME
def help_option_callback(option, opt_str, value, parser, *args, **kwargs):
parser.print_help()
print
print "Note: Client-IP-Address may contain wildcards, to get all clients use '*'"
sys.exit(0)
def main():
opt_parser = OptionParser(add_help_option=False)
opt_parser.add_option("-h", "--help", action="callback", callback=help_option_callback,
help="detailed help information")
ipa.config.add_standard_options(opt_parser)
options, args = opt_parser.parse_args()
opt_parser.set_usage("Usage: %s [options] Client-IP-Address [Client-IP-Address ...]" % (os.path.basename(sys.argv[0])))
if len(args) < 1:
opt_parser.error("missing Client-IP-Address(es)")
ipa.config.init_config(options)
ip_addrs = args
try:
ipa_client = ipaclient.IPAClient()
radius_clients = ipa_client.find_radius_clients(ip_addrs, sattrs=attrs)
counter = radius_clients[0]
radius_clients = radius_clients[1:]
if counter == 0:
print "No entries found for", ip_addrs
return 2
for radius_client in radius_clients:
client_attrs = radius_client.attrList()
client_attrs.sort()
print "%s:" % radius_client.getValues(radius_util.radius_client_attr_to_ldap_attr['Client-IP-Address'])
for attr in client_attrs:
value = radius_client.getValues(attr)
print "\t%s = %s" % (radius_util.radius_client_ldap_attr_to_radius_attr[attr], value)
except xmlrpclib.Fault, f:
print f.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
except xmlrpclib.ProtocolError, e:
print "Unable to connect to IPA server: %s" % (e.errmsg)
return 1
except ipa.ipaerror.IPAError, e:
print "%s" % (e.message)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())


@ -1,109 +0,0 @@
#! /usr/bin/python -E
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os
import sys
from optparse import OptionParser
import ipa
from ipa import radius_util
import ipa.ipaclient as ipaclient
import ipa.ipavalidate as ipavalidate
import ipa.config
import ipa.ipaerror
import ipa.ipautil
import xmlrpclib
import kerberos
import ldap
#------------------------------------------------------------------------------
attrs = radius_util.radius_profile_ldap_attr_to_radius_attr.keys()
#------------------------------------------------------------------------------
def parse_options():
return options, args
#------------------------------------------------------------------------------
# FIXME
def help_option_callback(option, opt_str, value, parser, *args, **kwargs):
parser.print_help()
print
print "Note: UID may contain wildcards, to get all profiles use '*'"
sys.exit(0)
def main():
opt_parser = OptionParser(add_help_option=False)
opt_parser.add_option("-s", "--shared", dest="shared", default=False, action='store_true',
help="profile is shared")
opt_parser.add_option("-h", "--help", action="callback", callback=help_option_callback,
help="detailed help information")
ipa.config.add_standard_options(opt_parser)
options, args = opt_parser.parse_args()
opt_parser.set_usage("Usage: %s [options] UID [UID ...]" % (os.path.basename(sys.argv[0])))
if len(args) < 1:
opt_parser.error("missing UID(es)")
ipa.config.init_config(options)
uids = args
user_profile = not options.shared
try:
ipa_client = ipaclient.IPAClient()
radius_profiles = ipa_client.find_radius_profiles(uids, user_profile, sattrs=attrs)
counter = radius_profiles[0]
radius_profiles = radius_profiles[1:]
if counter == 0:
print "No entries found for", uids
return 2
for radius_profile in radius_profiles:
profile_attrs = radius_profile.attrList()
profile_attrs.sort()
print "%s:" % radius_profile.getValues(radius_util.radius_profile_attr_to_ldap_attr['UID'])
for attr in profile_attrs:
value = radius_profile.getValues(attr)
print "\t%s = %s" % (radius_util.radius_profile_ldap_attr_to_radius_attr[attr], value)
except xmlrpclib.Fault, f:
print f.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
except xmlrpclib.ProtocolError, e:
print "Unable to connect to IPA server: %s" % (e.errmsg)
return 1
except ipa.ipaerror.IPAError, e:
print "%s" % (e.message)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())


@ -1,275 +0,0 @@
#! /usr/bin/python -E
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
from optparse import OptionParser
from sets import Set
import ipa.ipaclient as ipaclient
import ipa.ipautil as ipautil
import ipa.config
import ipa.ipaerror
import ipa.radius_util as radius_util
import xmlrpclib
import kerberos
import ldap
#------------------------------------------------------------------------------
radius_attrs = radius_util.radius_client_attr_to_ldap_attr.keys()
radius_attr_to_ldap_attr = radius_util.radius_client_attr_to_ldap_attr
ldap_attr_to_radius_attr = radius_util.radius_client_ldap_attr_to_radius_attr
mandatory_radius_attrs = ['Client-IP-Address', 'Secret']
distinguished_attr = 'Client-IP-Address'
#------------------------------------------------------------------------------
def help_option_callback(option, opt_str, value, parser, *args, **kwargs):
parser.print_help()
print
print "Valid interative attributes are:"
print ipautil.format_list(radius_attrs, quote='"')
print
print "Required attributes are:"
print ipautil.format_list(mandatory_radius_attrs, quote='"')
sys.exit(0)
def main():
opt_parser = OptionParser(add_help_option=False)
opt_parser.add_option("-a", "--Client-IP-Address", dest="ip_addr",
help="RADIUS client ip address")
opt_parser.add_option("-s", "--Secret", dest="secret",
help="RADIUS client ip address")
opt_parser.add_option("-n", "--Name", dest="name",
help="RADIUS client name")
opt_parser.add_option("-t", "--NAS-Type", dest="nastype",
help="RADIUS client NAS Type")
opt_parser.add_option("-d", "--Description", dest="desc",
help="description of the RADIUS client")
opt_parser.add_option("-D", "--delete-attrs", dest="delete_attrs", action='store_true', default=False,
help="delete the specified attributes")
opt_parser.add_option("-h", "--help", action="callback", callback=help_option_callback,
help="detailed help information")
opt_parser.add_option("-i", "--interactive", dest="interactive", action='store_true', default=False,
help="interactive mode, prompts with auto-completion")
opt_parser.add_option("-A", "--attr", dest="attrs", action='append',
help="If adding or modifying then this argument specifies one or more attribute=value pair(s), value may be optionally quoted, pairs are seperated by whitespace. If deleting attributes then this argument specifies one or more attribute names seperated by whitespace or commas")
opt_parser.add_option("-f", "--file", dest="data_file",
help="If adding or modifying then attribute=value pair(s) are read from file, value may be optionally quoted, pairs are delimited by whitespace. If deleting attributes then attributes are read from file, attributes are seperated by whitespace or commas. Reads from stdin if file is -")
opt_parser.add_option("-v", "--verbose", dest="verbose", action='store_true',
help="print information")
opt_parser.set_usage("Usage: %s [options] %s" % (distinguished_attr, os.path.basename(sys.argv[0])))
ipa.config.add_standard_options(opt_parser)
options, args = opt_parser.parse_args()
if len(args) < 1:
opt_parser.error('missing %s' % (distinguished_attr))
ipa.config.init_config(options)
ip_addr = args[0]
# Verify entity previously exists and get current values
ipa_client = ipaclient.IPAClient()
try:
radius_entity = ipa_client.get_radius_client_by_ip_addr(ip_addr)
except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_NOT_FOUND):
print "client %s not found" % ip_addr
return 1
except ipa.ipaerror.IPAError, e:
print "%s" % e.message
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
# Deleteing attributes is fundamentally different than adding/modifying an attribute.
# When adding/modifying there is always a value the attribute is paired with,
# so handle the two cases independently.
if options.delete_attrs:
attrs = Set()
# Get attrs from a file or stdin
if options.data_file:
try:
items = ipautil.read_items_file(options.data_file)
attrs.update(items)
except Exception, e:
print "ERROR, could not read attrs (%s)" % (e)
# Get attrs specified on the command line as a named argument
if options.secret is not None: attrs.add('Secret')
if options.name is not None: attrs.add('Name')
if options.nastype is not None: attrs.add('NAS-Type')
if options.desc is not None: attrs.add('Description')
# Get attrs specified on the command line as a attr argument
if options.attrs:
for a in options.attrs:
items = ipautil.parse_items(a)
attrs.update(items)
# Get attrs interactively
if options.interactive:
deletable_attrs = []
for radius_attr in radius_attrs:
if radius_attr in mandatory_radius_attrs: continue
if radius_entity.hasAttr(radius_attr_to_ldap_attr[radius_attr]):
deletable_attrs.append(radius_attr)
if deletable_attrs:
c = ipautil.ItemCompleter(deletable_attrs)
c.open()
items = c.get_items("Enter: ")
attrs.update(items)
c.close()
# Data collection done, assure no mandatory attrs are in the delete list
valid = True
for attr in mandatory_radius_attrs:
if attr in attrs:
valid = False
print "ERROR, %s is mandatory, but is set to be deleted" % (attr)
if not valid:
return 1
# Make sure each attribute is a member of the set of valid attributes
valid = True
for attr in attrs:
if attr not in radius_attrs:
valid = False
print "ERROR, %s is not a valid attribute" % (attr)
if not valid:
print "Valid attributes are:"
print ipautil.format_list(radius_attrs, quote='"')
return 1
# Dump what we've got so far
if options.verbose:
print "Attributes:"
for attr in attrs:
print "\t%s" % (attr)
for attr in attrs:
radius_entity.delValue(radius_attr_to_ldap_attr[attr])
else:
pairs = {}
pairs[distinguished_attr] = ip_addr
# Populate the pair list with pre-existing values
for attr in radius_attrs:
value = radius_entity.getValues(radius_attr_to_ldap_attr[attr])
if value is None: continue
pairs[attr] = value
# Get pairs from a file or stdin
if options.data_file:
try:
av = ipautil.read_pairs_file(options.data_file)
pairs.update(av)
except Exception, e:
print "ERROR, could not read pairs (%s)" % (e)
# Get pairs specified on the command line as a named argument
if options.ip_addr is not None: pairs[distinguished_attr] = options.ip_addr
if options.secret is not None: pairs['Secret'] = options.secret
if options.name is not None: pairs['Name'] = options.name
if options.nastype is not None: pairs['NAS-Type'] = options.nastype
if options.desc is not None: pairs['Description'] = options.desc
# Get pairs specified on the command line as a pair argument
if options.attrs:
for p in options.attrs:
av = ipautil.parse_key_value_pairs(p)
pairs.update(av)
# Get pairs interactively
if options.interactive:
prompted_attrs = radius_attrs[:]
prompted_attrs.remove(distinguished_attr)
c = ipautil.AttributeValueCompleter(prompted_attrs, pairs)
c.open()
av = c.get_pairs("Enter: ", validate_callback=radius_util.validate)
pairs.update(av)
c.close()
# FIXME: validation should be moved to xmlrpc server
# Data collection done, assure mandatory data has been specified
if pairs.has_key(distinguished_attr) and pairs[distinguished_attr] != ip_addr:
print "ERROR, %s specified on command line (%s) does not match value found in pairs (%s)" % \
(distinguished_attr, ip_addr, pairs[distinguished_attr])
return 1
# Make sure each attribute is a member of the set of valid attributes
valid = True
for attr,value in pairs.items():
if attr not in radius_attrs:
valid = False
print "ERROR, %s is not a valid attribute" % (attr)
if not valid:
print "Valid attributes are:"
print ipautil.format_list(radius_attrs, quote='"')
return 1
# Makse sure each value is valid
valid = True
for attr,value in pairs.items():
if not radius_util.validate(attr, value):
valid = False
if not valid:
return 1
# Dump what we've got so far
if options.verbose:
print "Pairs:"
for attr,value in pairs.items():
print "\t%s = %s" % (attr, value)
for attr,value in pairs.items():
radius_entity.setValue(radius_attr_to_ldap_attr[attr], value)
try:
ipa_client.update_radius_client(radius_entity)
print "successfully modified"
except xmlrpclib.Fault, f:
print f.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
except xmlrpclib.ProtocolError, e:
print "Unable to connect to IPA server: %s" % (e.errmsg)
return 1
except ipa.ipaerror.IPAError, e:
print "%s" % (e.message)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())


@ -1,265 +0,0 @@
#! /usr/bin/python -E
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
from optparse import OptionParser
from sets import Set
import ipa.ipaclient as ipaclient
import ipa.ipautil as ipautil
import ipa.config
import ipa.ipaerror
import ipa.radius_util as radius_util
import xmlrpclib
import kerberos
import ldap
#------------------------------------------------------------------------------
radius_attrs = radius_util.radius_profile_attr_to_ldap_attr.keys()
radius_attr_to_ldap_attr = radius_util.radius_profile_attr_to_ldap_attr
ldap_attr_to_radius_attr = radius_util.radius_profile_ldap_attr_to_radius_attr
mandatory_radius_attrs = ['UID']
distinguished_attr = 'UID'
#------------------------------------------------------------------------------
def help_option_callback(option, opt_str, value, parser, *args, **kwargs):
parser.print_help()
print
print "Valid interative attributes are:"
print ipautil.format_list(radius_attrs, quote='"')
print
print "Required attributes are:"
print ipautil.format_list(mandatory_radius_attrs, quote='"')
sys.exit(0)
def main():
opt_parser = OptionParser(add_help_option=False)
opt_parser.add_option("-u", "--uid", dest="uid",
help="RADIUS profile identifier")
opt_parser.add_option("-s", "--shared", dest="shared", default=False, action='store_true',
help="profile is shared")
opt_parser.add_option("-d", "--Description", dest="desc",
help="description of the RADIUS client")
opt_parser.add_option("-D", "--delete-attrs", dest="delete_attrs", action='store_true', default=False,
help="delete the specified attributes")
opt_parser.add_option("-h", "--help", action="callback", callback=help_option_callback,
help="detailed help information")
opt_parser.add_option("-i", "--interactive", dest="interactive", action='store_true', default=False,
help="interactive mode, prompts with auto-completion")
opt_parser.add_option("-A", "--attr", dest="attrs", action='append',
help="If adding or modifying then this argument specifies one or more attribute=value pair(s), value may be optionally quoted, pairs are seperated by whitespace. If deleting attributes then this argument specifies one or more attribute names seperated by whitespace or commas")
opt_parser.add_option("-f", "--file", dest="data_file",
help="If adding or modifying then attribute=value pair(s) are read from file, value may be optionally quoted, pairs are delimited by whitespace. If deleting attributes then attributes are read from file, attributes are seperated by whitespace or commas. Reads from stdin if file is -")
opt_parser.add_option("-v", "--verbose", dest="verbose", action='store_true',
help="print information")
opt_parser.set_usage("Usage: %s [options] %s" % (distinguished_attr, os.path.basename(sys.argv[0])))
ipa.config.add_standard_options(opt_parser)
options, args = opt_parser.parse_args()
if len(args) < 1:
opt_parser.error('missing %s' % (distinguished_attr))
ipa.config.init_config(options)
uid = args[0]
user_profile = not options.shared
# Verify entity previously exists and get current values
ipa_client = ipaclient.IPAClient()
try:
radius_entity = ipa_client.get_radius_profile_by_uid(uid, user_profile)
except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_NOT_FOUND):
print "profile %s not found" % uid
return 1
except ipa.ipaerror.IPAError, e:
print "%s" % e.message
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
# Deleteing attributes is fundamentally different than adding/modifying an attribute.
# When adding/modifying there is always a value the attribute is paired with,
# so handle the two cases independently.
if options.delete_attrs:
attrs = Set()
# Get attrs from a file or stdin
if options.data_file:
try:
items = ipautil.read_items_file(options.data_file)
attrs.update(items)
except Exception, e:
print "ERROR, could not read attrs (%s)" % (e)
# Get attrs specified on the command line as a named argument
if options.desc is not None: attrs.add('Description')
# Get attrs specified on the command line as a attr argument
if options.attrs:
for a in options.attrs:
items = ipautil.parse_items(a)
attrs.update(items)
# Get attrs interactively
if options.interactive:
deletable_attrs = []
for radius_attr in radius_attrs:
if radius_attr in mandatory_radius_attrs: continue
if radius_entity.hasAttr(radius_attr_to_ldap_attr[radius_attr]):
deletable_attrs.append(radius_attr)
if deletable_attrs:
c = ipautil.ItemCompleter(deletable_attrs)
c.open()
items = c.get_items("Enter: ")
attrs.update(items)
c.close()
# Data collection done, assure no mandatory attrs are in the delete list
valid = True
for attr in mandatory_radius_attrs:
if attr in attrs:
valid = False
print "ERROR, %s is mandatory, but is set to be deleted" % (attr)
if not valid:
return 1
# Make sure each attribute is a member of the set of valid attributes
valid = True
for attr in attrs:
if attr not in radius_attrs:
valid = False
print "ERROR, %s is not a valid attribute" % (attr)
if not valid:
print "Valid attributes are:"
print ipautil.format_list(radius_attrs, quote='"')
return 1
# Dump what we've got so far
if options.verbose:
print "Attributes:"
for attr in attrs:
print "\t%s" % (attr)
for attr in attrs:
radius_entity.delValue(radius_attr_to_ldap_attr[attr])
else:
pairs = {}
pairs[distinguished_attr] = uid
# Populate the pair list with pre-existing values
for attr in radius_attrs:
value = radius_entity.getValues(radius_attr_to_ldap_attr[attr])
if value is None: continue
pairs[attr] = value
# Get pairs from a file or stdin
if options.data_file:
try:
av = ipautil.read_pairs_file(options.data_file)
pairs.update(av)
except Exception, e:
print "ERROR, could not read pairs (%s)" % (e)
# Get pairs specified on the command line as a named argument
if options.desc is not None: pairs['Description'] = options.desc
# Get pairs specified on the command line as a pair argument
if options.attrs:
for p in options.attrs:
av = ipautil.parse_key_value_pairs(p)
pairs.update(av)
# Get pairs interactively
if options.interactive:
prompted_attrs = radius_attrs[:]
prompted_attrs.remove(distinguished_attr)
c = ipautil.AttributeValueCompleter(prompted_attrs, pairs)
c.open()
av = c.get_pairs("Enter: ", validate_callback=radius_util.validate)
pairs.update(av)
c.close()
# FIXME: validation should be moved to xmlrpc server
# Data collection done, assure mandatory data has been specified
if pairs.has_key(distinguished_attr) and pairs[distinguished_attr] != uid:
print "ERROR, %s specified on command line (%s) does not match value found in pairs (%s)" % \
(distinguished_attr, uid, pairs[distinguished_attr])
return 1
# Make sure each attribute is a member of the set of valid attributes
valid = True
for attr,value in pairs.items():
if attr not in radius_attrs:
valid = False
print "ERROR, %s is not a valid attribute" % (attr)
if not valid:
print "Valid attributes are:"
print ipautil.format_list(radius_attrs, quote='"')
return 1
# Makse sure each value is valid
valid = True
for attr,value in pairs.items():
if not radius_util.validate(attr, value):
valid = False
if not valid:
return 1
# Dump what we've got so far
if options.verbose:
print "Pairs:"
for attr,value in pairs.items():
print "\t%s = %s" % (attr, value)
for attr,value in pairs.items():
radius_entity.setValue(radius_attr_to_ldap_attr[attr], value)
try:
ipa_client.update_radius_profile(radius_entity)
print "successfully modified"
except xmlrpclib.Fault, f:
print f.faultString
return 1
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
return 1
except xmlrpclib.ProtocolError, e:
print "Unable to connect to IPA server: %s" % (e.errmsg)
return 1
except ipa.ipaerror.IPAError, e:
print "%s" % (e.message)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())


@ -1,53 +0,0 @@
Name: ipa-radius-admintools
Version: __VERSION__
Release: __RELEASE__%{?dist}
Summary: IPA authentication server - radius admin tools
Group: System Environment/Base
License: GPLv2
URL: http://www.freeipa.org
Source0: %{name}-%{version}.tgz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
Requires: python python-krbV ipa-python ipa-admintools
%description
IPA is a server for identity, policy, and audit.
%prep
%setup -q
%install
rm -rf %{buildroot}
mkdir -p %{buildroot}%{_sbindir}
make install DESTDIR=%{buildroot}
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root,-)
%{_sbindir}/ipa*
%changelog
* Thu Apr 3 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
- Version bump for release
* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-1
- Version bump for release
* Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-3
- Marked with wrong license. IPA is GPLv2.
* Thu Jan 17 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-2
- Fixed License in specfile
* Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1
- Version bump for release
* Tue Dec 18 2007 Karl MacMillan <kmacmill@redhat.com> - 0.5.0
- Initial rpm version


@ -1,23 +0,0 @@
PLUGINS_SHARE = $(DESTDIR)/usr/share/ipa/plugins
PLUGINS_PYTHON = $(DESTDIR)/usr/share/ipa/ipaserver/plugins
SBINDIR = $(DESTDIR)/usr/sbin
all:
install:
-mkdir -p $(PLUGINS_SHARE)
-mkdir -p $(PLUGINS_PYTHON)
-mkdir -p $(SBINDIR)
install -m 644 plugins/*.py $(PLUGINS_PYTHON)
install -m 644 share/*.template $(PLUGINS_SHARE)
install -m 755 ipa-radius-install $(SBINDIR)
clean:
rm -fr *.pyc *~
distclean: clean
rm -fr ipa-radius-server.spec
maintainer-clean: distclean
test:


@ -1,71 +0,0 @@
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import traceback, logging, krbV
from ipaserver import installutils
from ipaserver.plugins import radiusinstance
from ipa import ipautil
def get_host_name():
hostname = installutils.get_fqdn()
try:
installutils.verify_fqdn(hostname)
except RuntimeError, e:
logging.error(str(e))
sys.exit(1)
return hostname
def get_realm_name():
c = krbV.default_context()
return c.default_realm
def main():
if not ipautil.file_exists("/etc/ipa/ipa.conf"):
print "This system does not appear to have IPA configured."
print "Has ipa-server-install been run?"
if not ipautil.user_input("Continue with radius install?", False):
sys.exit(1)
installutils.standard_logging_setup("iparadius-install.log", False)
host_name = get_host_name()
realm_name = get_realm_name()
# Create a radius instance
radius = radiusinstance.RadiusInstance()
# FIXME: ldap_server should be derived, not hardcoded to localhost, also should it be a URL?
radius.create_instance(realm_name, host_name, 'localhost')
try:
main()
except Exception, e:
message = "Unexpected error - see iparadius-install.log for details:\n %s" % str(e)
print message
message = str(e)
for str in traceback.format_tb(sys.exc_info()[2]):
message = message + "\n" + str
logging.debug(message)


@ -1,61 +0,0 @@
Name: ipa-radius-server
Version: __VERSION__
Release: __RELEASE__%{?dist}
Summary: IPA authentication server - radius plugin
Group: System Environment/Base
License: GPLv2
URL: http://www.freeipa.org
Source0: %{name}-%{version}.tgz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
Requires: python
Requires: ipa-server
Requires: freeradius
%description
Radius plugin for an IPA server
%prep
%setup -q
%install
rm -rf %{buildroot}
mkdir -p %{buildroot}%{_sbindir}
make install DESTDIR=%{buildroot}
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root,-)
%{_sbindir}/ipa*
%dir %{_usr}/share/ipa/plugins
%{_usr}/share/ipa/plugins/*
%dir %{_usr}/share/ipa/ipaserver/plugins
%{_usr}/share/ipa/ipaserver/plugins/*
%changelog
* Thu Apr 3 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
- Version bump for release
* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-1
- Version bump for release
* Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-3
- Marked with wrong license. IPA is GPLv2.
* Thu Jan 17 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-2
- Fixed License in specfile
* Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1
- Version bump for release
* Wed Dec 12 2007 Karl MacMillan <kmacmill@redhat.com> - 0.5.0-1
- Initial version


@ -1 +0,0 @@
# intentionally empty


@ -1,170 +0,0 @@
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import subprocess
import string
import tempfile
import shutil
import logging
import pwd
import time
import sys
from ipa import ipautil
from ipa import radius_util
from ipaserver import service
import os
import re
IPA_RADIUS_VERSION = '0.0.0'
# FIXME there should a utility to get the user base dn
from ipaserver.funcs import DefaultUserContainer, DefaultGroupContainer
#-------------------------------------------------------------------------------
def get_radius_version():
version = None
try:
p = subprocess.Popen([radius_util.RADIUSD, '-v'], stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
stdout, stderr = p.communicate()
status = p.returncode
if status == 0:
match = re.search("radiusd: FreeRADIUS Version (.+), for host", stdout)
if match:
version = match.group(1)
except Exception, e:
pass
return version
#-------------------------------------------------------------------------------
class RadiusInstance(service.Service):
def __init__(self):
service.Service.__init__(self, "radiusd")
self.fqdn = None
self.realm = None
self.principal = None
def create_instance(self, realm_name, host_name, ldap_server):
self.realm = realm_name.upper()
self.suffix = ipautil.realm_to_suffix(self.realm)
self.fqdn = host_name
self.ldap_server = ldap_server
self.principal = "%s/%s@%s" % (radius_util.RADIUS_SERVICE_NAME, self.fqdn, self.realm)
self.basedn = self.suffix
self.user_basedn = "%s,%s" % (DefaultUserContainer, self.basedn) # FIXME, should be utility to get this
self.radius_version = get_radius_version()
try:
self.stop()
except:
# It could have been not running
pass
self.step("create radiusd keytab", self.__create_radius_keytab)
self.step("configuring radiusd.conf for radius instance", self.__radiusd_conf)
self.step("starting radiusd", self.__start_instance)
self.step("configuring radiusd to start on boot", self.chkconfig_on)
# FIXME:
# self.step("setting ldap encrypted attributes", self.__set_ldap_encrypted_attributes)
self.start_creation("Configuring radiusd")
def __start_instance(self):
try:
self.start()
except:
logging.error("radiusd service failed to start")
def __radiusd_conf(self):
version = 'IPA_RADIUS_VERSION=%s FREE_RADIUS_VERSION=%s' % (IPA_RADIUS_VERSION, self.radius_version)
sub_dict = {'CONFIG_FILE_VERSION_INFO' : version,
'LDAP_SERVER' : self.ldap_server,
'RADIUS_KEYTAB' : radius_util.RADIUS_IPA_KEYTAB_FILEPATH,
'RADIUS_PRINCIPAL' : self.principal,
'RADIUS_USER_BASE_DN' : self.user_basedn,
'ACCESS_ATTRIBUTE' : '',
'ACCESS_ATTRIBUTE_DEFAULT' : 'TRUE',
'CLIENTS_BASEDN' : radius_util.radius_clients_basedn(None, self.suffix),
'SUFFIX' : self.suffix,
}
try:
radiusd_conf = ipautil.template_file(radius_util.RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict)
radiusd_fd = open(radius_util.RADIUSD_CONF_FILEPATH, 'w+')
radiusd_fd.write(radiusd_conf)
radiusd_fd.close()
except Exception, e:
logging.error("could not create %s: %s", radius_util.RADIUSD_CONF_FILEPATH, e)
def __create_radius_keytab(self):
try:
if ipautil.file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH):
os.remove(radius_util.RADIUS_IPA_KEYTAB_FILEPATH)
except os.error:
logging.error("Failed to remove %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH)
(kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
kwrite.write("addprinc -randkey %s\n" % (self.principal))
kwrite.flush()
kwrite.write("ktadd -k %s %s\n" % (radius_util.RADIUS_IPA_KEYTAB_FILEPATH, self.principal))
kwrite.flush()
kwrite.close()
kread.close()
kerr.close()
# give kadmin time to actually write the file before we go on
retry = 0
while not ipautil.file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH):
time.sleep(1)
retry += 1
if retry > 15:
print "Error timed out waiting for kadmin to finish operations\n"
sys.exit(1)
try:
pent = pwd.getpwnam(radius_util.RADIUS_USER)
os.chown(radius_util.RADIUS_IPA_KEYTAB_FILEPATH, pent.pw_uid, pent.pw_gid)
except Exception, e:
logging.error("could not chown on %s to %s: %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH, radius_util.RADIUS_USER, e)
def __ldap_mod(self, ldif):
txt = iputil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)
fd = ipautil.write_tmp_file(txt)
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv",
"-D", "cn=Directory Manager", "-w", self.dm_password, "-f", fd.name]
try:
ipautil.run(args)
except ipautil.CalledProcessError, e:
logging.critical("Failed to load %s: %s" % (ldif, str(e)))
fd.close()
#FIXME, should use IPAdmin method
def __set_ldap_encrypted_attributes(self):
self.__ldap_mod("encrypted_attribute.ldif", {"ENCRYPTED_ATTRIBUTE" : "radiusClientSecret"})
#-------------------------------------------------------------------------------


@ -1,285 +0,0 @@
#
# WARNING: This file is automatically generated, do not edit
#
# $CONFIG_FILE_VERSION_INFO
#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = $${localstatedir}/log/radius
raddbdir = $${sysconfdir}/raddb
radacctdir = $${logdir}/radacct
confdir = $${raddbdir}
run_dir = $${localstatedir}/run/radiusd
db_dir = $${localstatedir}/lib/radiusd
log_file = $${logdir}/radius.log
libdir = /usr/lib
pidfile = $${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = $${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$$INCLUDE $${confdir}/proxy.conf
$$INCLUDE $${confdir}/clients.conf
snmp = no
$$INCLUDE $${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = $${logdir}/radwtmp
}
$$INCLUDE $${confdir}/eap.conf
mschap {
}
ldap {
server = "$LDAP_SERVER"
use_sasl = yes
sasl_mech = "GSSAPI"
krb_keytab = "$RADIUS_KEYTAB"
krb_principal = "$RADIUS_PRINCIPAL"
basedn = "$RADIUS_USER_BASE_DN"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
start_tls = no
profile_attribute = "radiusProfileDn"
default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX
# FIXME: we'll want to toggle the access_attr feature on/off,
# but it needs a control, so disable it for now.
#access_attr = "$ACCESS_ATTRIBUTE"
#access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT"
dictionary_mapping = $${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
clients_basedn = "$CLIENTS_BASEDN"
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = $${confdir}/huntgroups
hints = $${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = $${confdir}/users
acctusersfile = $${confdir}/acct_users
preproxy_usersfile = $${confdir}/preproxy_users
compat = no
}
detail {
detailfile = $${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
radutmp {
filename = $${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = $${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = $${confdir}/attrs
}
counter daily {
filename = $${db_dir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = $${db_dir}/db.ippool
ip-index = $${db_dir}/db.ipindex
override = no
maximum-timeout = 0
}
krb5 {
keytab = "$RADIUS_KEYTAB"
service_principal = "$RADIUS_PRINCIPAL"
}
}
instantiate {
exec
expr
}
authorize {
preprocess
chap
mschap
suffix
eap
#files
ldap
}
authenticate {
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
Auth-Type Kerberos {
krb5
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}


@ -1,9 +1,6 @@
# Define ONLY_CLIENT to only make the ipa-client and ipa-python subpackages
%{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
# Define WITH_RADIUS to build the radius packages
%global WITH_RADIUS 0
%global httpd_conf /etc/httpd/conf.d
%global plugin_dir %{_libdir}/dirsrv/plugins
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
@ -189,35 +186,6 @@ user, virtual machines, groups, authentication credentials), Policy
logs, analysis thereof). If you are using IPA you need to install this
package.
%if %{WITH_RADIUS}
%package radius-server
Summary: IPA authentication server - radius plugin
Group: System Environment/Base
Requires: freeradius
Requires: freeradius-ldap
Requires: %{name}-python = %{version}-%{release}
%description radius-server
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). This plugin enables radius support.
%package radius-admintools
Summary: IPA authentication server - radius administration tools
Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
Requires: python-krbV
%description radius-admintools
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). This package provides command-line tools for
administering radius authentication settings in IPA.
%endif
%prep
%setup -n freeipa-%{version} -q
@ -495,26 +463,10 @@ fi
%endif
%config(noreplace) %{_sysconfdir}/ipa/default.conf
%if %{WITH_RADIUS}
%files radius-server
%doc COPYING README Contributors.txt
%{_usr}/share/ipa/ipaserver/plugins/*
%dir %{_usr}/share/ipa/plugins
%{_usr}/share/ipa/plugins/radius.radiusd.conf.template
%files radius-admintools
%doc COPYING README Contributors.txt
%{_sbindir}/ipa-addradiusclient
%{_sbindir}/ipa-addradiusprofile
%{_sbindir}/ipa-delradiusclient
%{_sbindir}/ipa-delradiusprofile
%{_sbindir}/ipa-findradiusclient
%{_sbindir}/ipa-findradiusprofile
%{_sbindir}/ipa-modradiusclient
%{_sbindir}/ipa-modradiusprofile
%endif
%changelog
* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-38
- Remove radius subpackages
* Thu Jan 13 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-37
- Set minimum pki-ca and pki-silent versions to 9.0.0
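Review bot: Dropping `%global WITH_RADIUS 0` in the first hunk means any `%if %{WITH_RADIUS}` left elsewhere in ipa.spec.in now refers to an undefined macro, which rpmbuild reports as a parse error in the expression rather than evaluating as false. The two `%if`/`%endif` blocks removed in the later hunks (the `%package`/`%description` pair and the `%files` pair) are the only conditionals visible here, and the `%build`/`%install` sections are outside this view, so a search of the whole spec for `WITH_RADIUS` and for the `ipa-radius-server`/`ipa-radius-admintools` directories this commit deletes is worth doing before merge. If the `%install` section still descends into either directory, the build fails even though the subpackages themselves are gone.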


@ -10,8 +10,6 @@ dnsclient.py - find IPA information via DNS
ipautil.py - helper functions
radius_util.py - helper functions for Radius
entity.py - entity is the main data type. User and Group extend this class
(but don't add anything currently).


@ -1,366 +0,0 @@
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
import re
import ldap
import getpass
import ldap.filter
from ipapython import ipautil
from ipapython.entity import Entity
import ipapython.ipavalidate as ipavalidate
__all__ = [
'RADIUS_PKG_NAME',
'RADIUS_PKG_CONFIG_DIR',
'RADIUS_SERVICE_NAME',
'RADIUS_USER',
'RADIUS_IPA_KEYTAB_FILEPATH',
'RADIUS_LDAP_ATTR_MAP_FILEPATH',
'RADIUSD_CONF_FILEPATH',
'RADIUSD_CONF_TEMPLATE_FILEPATH',
'RADIUSD',
'RadiusClient',
'RadiusProfile',
'clients_container',
'radius_clients_basedn',
'radius_client_filter',
'radius_client_dn',
'profiles_container',
'radius_profiles_basedn',
'radius_profile_filter',
'radius_profile_dn',
'radius_client_ldap_attr_to_radius_attr',
'radius_client_attr_to_ldap_attr',
'radius_profile_ldap_attr_to_radius_attr',
'radius_profile_attr_to_ldap_attr',
'get_secret',
'validate_ip_addr',
'validate_secret',
'validate_name',
'validate_nastype',
'validate_desc',
'validate',
]
#------------------------------------------------------------------------------
RADIUS_PKG_NAME = 'freeradius'
RADIUS_PKG_CONFIG_DIR = '/etc/raddb'
RADIUS_SERVICE_NAME = 'radius'
RADIUS_USER = 'radiusd'
RADIUS_IPA_KEYTAB_FILEPATH = os.path.join(RADIUS_PKG_CONFIG_DIR, 'ipa.keytab')
RADIUS_LDAP_ATTR_MAP_FILEPATH = os.path.join(RADIUS_PKG_CONFIG_DIR, 'ldap.attrmap')
RADIUSD_CONF_FILEPATH = os.path.join(RADIUS_PKG_CONFIG_DIR, 'radiusd.conf')
RADIUSD_CONF_TEMPLATE_FILEPATH = os.path.join(ipautil.PLUGINS_SHARE_DIR, 'radius.radiusd.conf.template')
RADIUSD = '/usr/sbin/radiusd'
#------------------------------------------------------------------------------
dotted_octet_re = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(/(\d+))?$")
dns_re = re.compile(r"^[a-zA-Z][a-zA-Z0-9.-]+$")
# secret, name, nastype all have 31 char max in freeRADIUS, max ip address len is 255
valid_secret_len = (1,31)
valid_name_len = (1,31)
valid_nastype_len = (1,31)
valid_ip_addr_len = (1,255)
valid_ip_addr_msg = '''\
IP address must be either a DNS name (letters,digits,dot,hyphen, beginning with
a letter),or a dotted octet followed by an optional mask (e.g 192.168.1.0/24)'''
valid_desc_msg = "Description must text string"
#------------------------------------------------------------------------------
class RadiusClient(Entity):
def __init2__(self):
pass
class RadiusProfile(Entity):
def __init2__(self):
pass
#------------------------------------------------------------------------------
def reverse_map_dict(src_dict):
reverse_dict = {}
for k,v in src_dict.items():
if reverse_dict.has_key(v):
raise ValueError("reverse_map_dict: collision on (%s) with values (%s),(%s)" % \
v, reverse_dict[v], src_dict[k])
reverse_dict[v] = k
return reverse_dict
#------------------------------------------------------------------------------
radius_client_ldap_attr_to_radius_attr = ipautil.CIDict({
'radiusClientIPAddress' : 'Client-IP-Address',
'radiusClientSecret' : 'Secret',
'radiusClientNASType' : 'NAS-Type',
'radiusClientShortName' : 'Name',
'description' : 'Description',
})
radius_client_attr_to_ldap_attr = reverse_map_dict(radius_client_ldap_attr_to_radius_attr)
#------------------------------------------------------------------------------
radius_profile_ldap_attr_to_radius_attr = ipautil.CIDict({
'uid' : 'UID',
'radiusArapFeatures' : 'Arap-Features',
'radiusArapSecurity' : 'Arap-Security',
'radiusArapZoneAccess' : 'Arap-Zone-Access',
'radiusAuthType' : 'Auth-Type',
'radiusCallbackId' : 'Callback-Id',
'radiusCallbackNumber' : 'Callback-Number',
'radiusCalledStationId' : 'Called-Station-Id',
'radiusCallingStationId' : 'Calling-Station-Id',
'radiusClass' : 'Class',
'radiusClientIPAddress' : 'Client-IP-Address',
'radiusExpiration' : 'Expiration',
'radiusFilterId' : 'Filter-Id',
'radiusFramedAppleTalkLink' : 'Framed-AppleTalk-Link',
'radiusFramedAppleTalkNetwork' : 'Framed-AppleTalk-Network',
'radiusFramedAppleTalkZone' : 'Framed-AppleTalk-Zone',
'radiusFramedCompression' : 'Framed-Compression',
'radiusFramedIPAddress' : 'Framed-IP-Address',
'radiusFramedIPNetmask' : 'Framed-IP-Netmask',
'radiusFramedIPXNetwork' : 'Framed-IPX-Network',
'radiusFramedMTU' : 'Framed-MTU',
'radiusFramedProtocol' : 'Framed-Protocol',
'radiusFramedRoute' : 'Framed-Route',
'radiusFramedRouting' : 'Framed-Routing',
'radiusGroupName' : 'Group-Name',
'radiusHint' : 'Hint',
'radiusHuntgroupName' : 'Huntgroup-Name',
'radiusIdleTimeout' : 'Idle-Timeout',
'radiusLoginIPHost' : 'Login-IP-Host',
'radiusLoginLATGroup' : 'Login-LAT-Group',
'radiusLoginLATNode' : 'Login-LAT-Node',
'radiusLoginLATPort' : 'Login-LAT-Port',
'radiusLoginLATService' : 'Login-LAT-Service',
'radiusLoginService' : 'Login-Service',
'radiusLoginTCPPort' : 'Login-TCP-Port',
'radiusLoginTime' : 'Login-Time',
'radiusNASIpAddress' : 'NAS-IP-Address',
'radiusPasswordRetry' : 'Password-Retry',
'radiusPortLimit' : 'Port-Limit',
'radiusProfileDn' : 'Profile-Dn',
'radiusPrompt' : 'Prompt',
'radiusProxyToRealm' : 'Proxy-To-Realm',
'radiusRealm' : 'Realm',
'radiusReplicateToRealm' : 'Replicate-To-Realm',
'radiusReplyMessage' : 'Reply-Message',
'radiusServiceType' : 'Service-Type',
'radiusSessionTimeout' : 'Session-Timeout',
'radiusSimultaneousUse' : 'Simultaneous-Use',
'radiusStripUserName' : 'Strip-User-Name',
'radiusTerminationAction' : 'Termination-Action',
'radiusTunnelAssignmentId' : 'Tunnel-Assignment-Id',
'radiusTunnelClientEndpoint' : 'Tunnel-Client-Endpoint',
'radiusTunnelMediumType' : 'Tunnel-Medium-Type',
'radiusTunnelPassword' : 'Tunnel-Password',
'radiusTunnelPreference' : 'Tunnel-Preference',
'radiusTunnelPrivateGroupId' : 'Tunnel-Private-Group-Id',
'radiusTunnelServerEndpoint' : 'Tunnel-Server-Endpoint',
'radiusTunnelType' : 'Tunnel-Type',
'radiusUserCategory' : 'User-Category',
'radiusVSA' : 'VSA',
})
radius_profile_attr_to_ldap_attr = reverse_map_dict(radius_profile_ldap_attr_to_radius_attr)
#------------------------------------------------------------------------------
clients_container = 'cn=clients,cn=radius'
def radius_clients_basedn(container, suffix):
if container is None: container = clients_container
return '%s,%s' % (container, suffix)
def radius_client_filter(ip_addr):
return "(&(radiusClientIPAddress=%s)(objectclass=radiusClientProfile))" % \
ldap.filter.escape_filter_chars(ip_addr)
def radius_client_dn(client, container, suffix):
if container is None: container = clients_container
return 'radiusClientIPAddress=%s,%s,%s' % (ldap.dn.escape_dn_chars(client), container, suffix)
# --
profiles_container = 'cn=profiles,cn=radius'
def radius_profiles_basedn(container, suffix):
if container is None: container = profiles_container
return '%s,%s' % (container, suffix)
def radius_profile_filter(uid):
return "(&(uid=%s)(objectclass=radiusprofile))" % \
ldap.filter.escape_filter_chars(uid)
def radius_profile_dn(uid, container, suffix):
if container is None: container = profiles_container
return 'uid=%s,%s,%s' % (ldap.dn.escape_dn_chars(uid), container, suffix)
#------------------------------------------------------------------------------
def get_ldap_attr_translations():
comment_re = re.compile('#.*$')
radius_attr_to_ldap_attr = {}
ldap_attr_to_radius_attr = {}
try:
f = open(LDAP_ATTR_MAP_FILEPATH)
for line in f.readlines():
line = comment_re.sub('', line).strip()
if not line: continue
attr_type, radius_attr, ldap_attr = line.split()
print 'type="%s" radius="%s" ldap="%s"' % (attr_type, radius_attr, ldap_attr)
radius_attr_to_ldap_attr[radius_attr] = {'ldap_attr':ldap_attr, 'attr_type':attr_type}
ldap_attr_to_radius_attr[ldap_attr] = {'radius_attr':radius_attr, 'attr_type':attr_type}
f.close()
except Exception, e:
logging.error('cold not read radius ldap attribute map file (%s): %s', LDAP_ATTR_MAP_FILEPATH, e)
pass # FIXME
#for k,v in radius_attr_to_ldap_attr.items():
# print '%s --> %s' % (k,v)
#for k,v in ldap_attr_to_radius_attr.items():
# print '%s --> %s' % (k,v)
def get_secret():
valid = False
while (not valid):
secret = getpass.getpass("Enter Secret: ")
confirm = getpass.getpass("Confirm Secret: ")
if (secret != confirm):
print "Secrets do not match"
continue
valid = True
return secret
#------------------------------------------------------------------------------
def valid_ip_addr(text):
# is it a dotted octet? If so there should be 4 integers seperated
# by a dot and each integer should be between 0 and 255
# there may be an optional mask preceded by a slash (e.g. 1.2.3.4/24)
match = dotted_octet_re.search(text)
if match:
# dotted octet notation
i = 1
while i <= 4:
octet = int(match.group(i))
if octet > 255: return False
i += 1
if match.group(5):
mask = int(match.group(6))
if mask <= 32:
return True
else:
return False
return True
else:
# DNS name, can contain letters, numbers, dot and hypen, must start with a letter
if dns_re.search(text): return True
return False
def validate_length(value, limits):
length = len(value)
if length < limits[0] or length > limits[1]:
return False
return True
def valid_length_msg(name, limits):
return "%s length must be at least %d and not more than %d" % (name, limits[0], limits[1])
def err_msg(variable, variable_name=None):
if variable_name is None: variable_name = 'value'
print "ERROR: %s = %s" % (variable_name, variable)
#------------------------------------------------------------------------------
def validate_ip_addr(ip_addr, variable_name=None):
if not validate_length(ip_addr, valid_ip_addr_len):
err_msg(ip_addr, variable_name)
print valid_length_msg('ip address', valid_ip_addr_len)
return False
if not valid_ip_addr(ip_addr):
err_msg(ip_addr, variable_name)
print valid_ip_addr_msg
return False
return True
def validate_secret(secret, variable_name=None):
if not validate_length(secret, valid_secret_len):
err_msg(secret, variable_name)
print valid_length_msg('secret', valid_secret_len)
return False
return True
def validate_name(name, variable_name=None):
if not validate_length(name, valid_name_len):
err_msg(name, variable_name)
print valid_length_msg('name', valid_name_len)
return False
return True
def validate_nastype(nastype, variable_name=None):
if not validate_length(nastype, valid_nastype_len):
err_msg(nastype, variable_name)
print valid_length_msg('NAS Type', valid_nastype_len)
return False
return True
def validate_desc(desc, variable_name=None):
if not ipavalidate.Plain(desc):
print valid_desc_msg
return False
return True
def validate(attribute, value):
if attribute == 'Client-IP-Address':
return validate_ip_addr(value, attribute)
if attribute == 'Secret':
return validate_secret(value, attribute)
if attribute == 'NAS-Type':
return validate_nastype(value, attribute)
if attribute == 'Name':
return validate_name(value, attribute)
if attribute == 'Description':
return validate_desc(value, attribute)
return True


@ -383,8 +383,6 @@ class DsInstance(service.Service):
schema_dirname(self.serverid) + "60kerberos.ldif")
shutil.copyfile(ipautil.SHARE_DIR + "60samba.ldif",
schema_dirname(self.serverid) + "60samba.ldif")
shutil.copyfile(ipautil.SHARE_DIR + "60radius.ldif",
schema_dirname(self.serverid) + "60radius.ldif")
shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif",
schema_dirname(self.serverid) + "60ipaconfig.ldif")
shutil.copyfile(ipautil.SHARE_DIR + "60basev2.ldif",