IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Change the way has_keytab is determined, also check for password.

Browse Source 
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.

This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.

When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).

This adds has_keytab/has_password to the user, host and service plugins.

ticket https://fedorahosted.org/freeipa/ticket/1538
This commit is contained in:
Rob Crittenden 2011-08-22 16:24:07 -04:00 committed by Martin Kosek
parent ae06f7b68e
commit be7de56e5d
16 changed files with 185 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
install/share/default-aci.ldif
View File

@ -79,3 +79,11 @@ dn: cn=sudo,$SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
# This is used for the host/service one-time passwordn and keytab indirectors.
# We can do a query on a DN to see if an attribute exists.
dn: cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)

4
install/updates/20-aci.update
View File

@ -2,3 +2,7 @@
dn: cn=ng,cn=alt,$SUFFIX dn: cn=ng,cn=alt,$SUFFIX
add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)' add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)'
# This is used for the host/service one-time passwordn and keytab indirectors.
# We can do a query on a DN to see if an attribute exists.
dn: cn=accounts,$SUFFIX
add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)

26
ipalib/plugins/baseldap.py
View File

@ -36,6 +36,12 @@ from ipalib.util import json_serialize
from ipalib.dn import * from ipalib.dn import *
global_output_params = ( global_output_params = (
Flag('has_keytab',
label=_('Keytab'),
),
Flag('has_password',
label=_('Password'),
),
Str('member', Str('member',
label=_('Failed members'), label=_('Failed members'),
), ),
@ -319,6 +325,7 @@ class LDAPObject(Object):
uuid_attribute = '' uuid_attribute = ''
attribute_members = {} attribute_members = {}
rdnattr = None rdnattr = None
password_attributes = []
# Can bind as this entry (has userPassword or krbPrincipalKey) # Can bind as this entry (has userPassword or krbPrincipalKey)
bindable = False bindable = False
relationships = { relationships = {
@ -407,6 +414,25 @@ class LDAPObject(Object):
) )
del entry_attrs[attr] del entry_attrs[attr]
def get_password_attributes(self, ldap, dn, entry_attrs):
"""
Search on the entry to determine if it has a password or
keytab set.
A tuple is used to determine which attribute is set
in entry_attrs. The value is set to True/False whether a
given password type is set.
"""
for (pwattr, attr) in self.password_attributes:
search_filter = '(%s=*)' % pwattr
try:
(entries, truncated) = ldap.find_entries(
search_filter, [pwattr], dn, ldap.SCOPE_BASE
)
entry_attrs[attr] = True
except errors.NotFound:
entry_attrs[attr] = False
def handle_not_found(self, *keys): def handle_not_found(self, *keys):
pkey = '' pkey = ''
if self.primary_key: if self.primary_key:

33
ipalib/plugins/host.py
View File

@ -162,9 +162,6 @@ def remove_fwd_ptr(ipaddr, host, domain, recordtype):
pass pass
host_output_params = ( host_output_params = (
Flag('has_keytab',
label=_('Keytab'),
),
Str('managedby_host', Str('managedby_host',
label='Managed by', label='Managed by',
), ),
@ -224,7 +221,7 @@ class host(LDAPObject):
default_attributes = [ default_attributes = [
'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof',
'krblastpwdchange', 'managedby', 'memberindirect', 'memberofindirect', 'managedby', 'memberindirect', 'memberofindirect',
] ]
uuid_attribute = 'ipauniqueid' uuid_attribute = 'ipauniqueid'
attribute_members = { attribute_members = {
@ -242,6 +239,8 @@ class host(LDAPObject):
'managedby': ('Managed by', 'man_by_', 'not_man_by_'), 'managedby': ('Managed by', 'man_by_', 'not_man_by_'),
'managing': ('Managing', 'man_', 'not_man_'), 'managing': ('Managing', 'man_', 'not_man_'),
} }
password_attributes = [('userpassword', 'has_password'),
('krbprincipalkey', 'has_keytab')]
label = _('Hosts') label = _('Hosts')
label_singular = _('Host') label_singular = _('Host')
@ -466,6 +465,11 @@ class host_add(LDAPCreate):
if options.get('all', False): if options.get('all', False):
entry_attrs['managing'] = self.obj.get_managed_hosts(dn) entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
self.obj.get_password_attributes(ldap, dn, entry_attrs)
if entry_attrs['has_password']:
# If an OTP is set there is no keytab, at least not one
# fetched anywhere.
entry_attrs['has_keytab'] = False
return dn return dn
@ -691,8 +695,13 @@ class host_find(LDAPSearch):
def post_callback(self, ldap, entries, truncated, *args, **options): def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries: for entry in entries:
entry_attrs = entry[1] (dn, entry_attrs) = entry
set_certificate_attrs(entry_attrs) set_certificate_attrs(entry_attrs)
self.obj.get_password_attributes(ldap, dn, entry_attrs)
if entry_attrs['has_password']:
# If an OTP is set there is no keytab, at least not one
# fetched anywhere.
entry_attrs['has_keytab'] = False
if options.get('all', False): if options.get('all', False):
entry_attrs['managing'] = self.obj.get_managed_hosts(entry[0]) entry_attrs['managing'] = self.obj.get_managed_hosts(entry[0])
@ -714,11 +723,10 @@ class host_show(LDAPRetrieve):
member_attributes = ['managedby'] member_attributes = ['managedby']
def post_callback(self, ldap, dn, entry_attrs, *keys, **options): def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
if 'krblastpwdchange' in entry_attrs: self.obj.get_password_attributes(ldap, dn, entry_attrs)
entry_attrs['has_keytab'] = True if entry_attrs['has_password']:
if not options.get('all', False): # If an OTP is set there is no keytab, at least not one
del entry_attrs['krblastpwdchange'] # fetched anywhere.
else:
entry_attrs['has_keytab'] = False entry_attrs['has_keytab'] = False
set_certificate_attrs(entry_attrs) set_certificate_attrs(entry_attrs)
@ -766,7 +774,7 @@ class host_disable(LDAPQuery):
dn = self.obj.get_dn(*keys, **options) dn = self.obj.get_dn(*keys, **options)
try: try:
(dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate']) (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound: except errors.NotFound:
self.obj.handle_not_found(*keys) self.obj.handle_not_found(*keys)
@ -816,7 +824,8 @@ class host_disable(LDAPQuery):
ldap.update_entry(dn, {'usercertificate': None}) ldap.update_entry(dn, {'usercertificate': None})
done_work = True done_work = True
if 'krblastpwdchange' in entry_attrs: self.obj.get_password_attributes(ldap, dn, entry_attrs)
if entry_attrs['has_keytab']:
ldap.remove_principal_key(dn) ldap.remove_principal_key(dn)
done_work = True done_work = True

27
ipalib/plugins/service.py
View File

@ -83,9 +83,6 @@ from ipapython.ipautil import file_exists
output_params = ( output_params = (
Flag('has_keytab',
label=_('Keytab'),
),
Str('managedby_host', Str('managedby_host',
label='Managed by', label='Managed by',
), ),
@ -207,7 +204,7 @@ class service(LDAPObject):
'ipaservice', 'pkiuser' 'ipaservice', 'pkiuser'
] ]
search_attributes = ['krbprincipalname', 'managedby'] search_attributes = ['krbprincipalname', 'managedby']
default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', 'krblastpwdchange'] default_attributes = ['krbprincipalname', 'usercertificate', 'managedby']
uuid_attribute = 'ipauniqueid' uuid_attribute = 'ipauniqueid'
attribute_members = { attribute_members = {
'managedby': ['host'], 'managedby': ['host'],
@ -216,6 +213,7 @@ class service(LDAPObject):
relationships = { relationships = {
'managedby': ('Managed by', 'man_by_', 'not_man_by_'), 'managedby': ('Managed by', 'man_by_', 'not_man_by_'),
} }
password_attributes = [('krbprincipalkey', 'has_keytab')]
label = _('Services') label = _('Services')
label_singular = _('Service') label_singular = _('Service')
@ -379,13 +377,8 @@ class service_find(LDAPSearch):
def post_callback(self, ldap, entries, truncated, *args, **options): def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries: for entry in entries:
entry_attrs = entry[1] (dn, entry_attrs) = entry
if 'krblastpwdchange' in entry_attrs: self.obj.get_password_attributes(ldap, dn, entry_attrs)
entry_attrs['has_keytab'] = True
if not options.get('all', False):
del entry_attrs['krblastpwdchange']
else:
entry_attrs['has_keytab'] = False
set_certificate_attrs(entry_attrs) set_certificate_attrs(entry_attrs)
api.register(service_find) api.register(service_find)
@ -403,12 +396,7 @@ class service_show(LDAPRetrieve):
) )
def post_callback(self, ldap, dn, entry_attrs, *keys, **options): def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
if 'krblastpwdchange' in entry_attrs: self.obj.get_password_attributes(ldap, dn, entry_attrs)
entry_attrs['has_keytab'] = True
if not options.get('all', False):
del entry_attrs['krblastpwdchange']
else:
entry_attrs['has_keytab'] = False
set_certificate_attrs(entry_attrs) set_certificate_attrs(entry_attrs)
@ -461,7 +449,7 @@ class service_disable(LDAPQuery):
ldap = self.obj.backend ldap = self.obj.backend
dn = self.obj.get_dn(*keys, **options) dn = self.obj.get_dn(*keys, **options)
(dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate']) (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
# See if we do any work at all here and if not raise an exception # See if we do any work at all here and if not raise an exception
done_work = False done_work = False
@ -493,7 +481,8 @@ class service_disable(LDAPQuery):
ldap.update_entry(dn, {'usercertificate': None}) ldap.update_entry(dn, {'usercertificate': None})
done_work = True done_work = True
if 'krblastpwdchange' in entry_attrs: self.obj.get_password_attributes(ldap, dn, entry_attrs)
if entry_attrs['has_keytab']:
ldap.remove_principal_key(dn) ldap.remove_principal_key(dn)
done_work = True done_work = True

6
ipalib/plugins/user.py
View File

@ -113,6 +113,8 @@ class user(LDAPObject):
} }
rdnattr = 'uid' rdnattr = 'uid'
bindable = True bindable = True
password_attributes = [('userpassword', 'has_password'),
('krbprincipalkey', 'has_keytab')]
label = _('Users') label = _('Users')
label_singular = _('User') label_singular = _('User')
@ -407,6 +409,7 @@ class user_add(LDAPCreate):
newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry') newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry')
entry_from_entry(entry_attrs, newentry) entry_from_entry(entry_attrs, newentry)
self.obj.get_password_attributes(ldap, dn, entry_attrs)
return dn return dn
api.register(user_add) api.register(user_add)
@ -443,6 +446,7 @@ class user_mod(LDAPUpdate):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options): def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
convert_nsaccountlock(entry_attrs) convert_nsaccountlock(entry_attrs)
self.obj._convert_manager(entry_attrs, **options) self.obj._convert_manager(entry_attrs, **options)
self.obj.get_password_attributes(ldap, dn, entry_attrs)
return dn return dn
api.register(user_mod) api.register(user_mod)
@ -472,6 +476,7 @@ class user_find(LDAPSearch):
for entry in entries: for entry in entries:
(dn, attrs) = entry (dn, attrs) = entry
self.obj._convert_manager(attrs, **options) self.obj._convert_manager(attrs, **options)
self.obj.get_password_attributes(ldap, dn, attrs)
convert_nsaccountlock(attrs) convert_nsaccountlock(attrs)
msg_summary = ngettext( msg_summary = ngettext(
@ -488,6 +493,7 @@ class user_show(LDAPRetrieve):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options): def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
convert_nsaccountlock(entry_attrs) convert_nsaccountlock(entry_attrs)
self.obj._convert_manager(entry_attrs, **options) self.obj._convert_manager(entry_attrs, **options)
self.obj.get_password_attributes(ldap, dn, entry_attrs)
return dn return dn
api.register(user_show) api.register(user_show)

16
tests/test_xmlrpc/test_attr.py
View File

@ -69,6 +69,8 @@ class test_attr(Declarative):
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid','tuser1'),('cn','users'),('cn','accounts'), DN(('uid','tuser1'),('cn','users'),('cn','accounts'),
api.env.basedn), api.env.basedn),
has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -91,6 +93,8 @@ class test_attr(Declarative):
mail=[u'test@example.com'], mail=[u'test@example.com'],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -115,6 +119,8 @@ class test_attr(Declarative):
mail=[u'test@example.com', u'test2@example.com'], mail=[u'test@example.com', u'test2@example.com'],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -140,6 +146,8 @@ class test_attr(Declarative):
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
telephonenumber=[u'410-555-1212', u'301-555-1212'], telephonenumber=[u'410-555-1212', u'301-555-1212'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -165,6 +173,8 @@ class test_attr(Declarative):
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
telephonenumber=[u'301-555-1212'], telephonenumber=[u'301-555-1212'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -190,6 +200,8 @@ class test_attr(Declarative):
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'], telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -233,6 +245,8 @@ class test_attr(Declarative):
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'], telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -258,6 +272,8 @@ class test_attr(Declarative):
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'], telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,

4
tests/test_xmlrpc/test_group_plugin.py
View File

@ -637,6 +637,8 @@ class test_group(Declarative):
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid',user1),('cn','users'),('cn','accounts'), DN(('uid',user1),('cn','users'),('cn','accounts'),
api.env.basedn), api.env.basedn),
has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -753,6 +755,8 @@ class test_group(Declarative):
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid','tuser1'),('cn','users'),('cn','accounts'), DN(('uid','tuser1'),('cn','users'),('cn','accounts'),
api.env.basedn), api.env.basedn),
has_keytab=False,
has_password=False,
), ),
), ),
), ),

22
tests/test_xmlrpc/test_host_plugin.py
View File

@ -109,6 +109,8 @@ class test_host(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[fqdn1], managedby_host=[fqdn1],
has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -140,6 +142,7 @@ class test_host(Declarative):
l=[u'Undisclosed location 1'], l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
has_keytab=False, has_keytab=False,
has_password=False,
managedby_host=[fqdn1], managedby_host=[fqdn1],
), ),
), ),
@ -168,7 +171,8 @@ class test_host(Declarative):
managedby_host=[fqdn1], managedby_host=[fqdn1],
managing_host=[fqdn1], managing_host=[fqdn1],
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
has_keytab=False has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -189,6 +193,8 @@ class test_host(Declarative):
l=[u'Undisclosed location 1'], l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[u'%s' % fqdn1], managedby_host=[u'%s' % fqdn1],
has_keytab=False,
has_password=False,
), ),
], ],
), ),
@ -219,6 +225,8 @@ class test_host(Declarative):
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn1], managedby_host=[u'%s' % fqdn1],
managing_host=[u'%s' % fqdn1], managing_host=[u'%s' % fqdn1],
has_keytab=False,
has_password=False,
), ),
], ],
), ),
@ -265,6 +273,7 @@ class test_host(Declarative):
l=[u'Undisclosed location 1'], l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
has_keytab=False, has_keytab=False,
has_password=False,
managedby_host=[u'%s' % fqdn1], managedby_host=[u'%s' % fqdn1],
usercertificate=[base64.b64decode(servercert)], usercertificate=[base64.b64decode(servercert)],
valid_not_before=fuzzy_date, valid_not_before=fuzzy_date,
@ -300,6 +309,8 @@ class test_host(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn3], managedby_host=[u'%s' % fqdn3],
has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -326,6 +337,8 @@ class test_host(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn4], managedby_host=[u'%s' % fqdn4],
has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -369,6 +382,7 @@ class test_host(Declarative):
l=[u'Undisclosed location 2'], l=[u'Undisclosed location 2'],
krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)], krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
has_keytab=False, has_keytab=False,
has_password=False,
managedby_host=[u'%s' % fqdn3, u'%s' % fqdn1], managedby_host=[u'%s' % fqdn3, u'%s' % fqdn1],
), ),
), ),
@ -468,6 +482,8 @@ class test_host(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn1], managedby_host=[u'%s' % fqdn1],
has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -479,7 +495,7 @@ class test_host(Declarative):
value=service1, value=service1,
summary=u'Added service "%s"' % service1, summary=u'Added service "%s"' % service1,
result=dict( result=dict(
dn=service1dn, dn=lambda x: DN(x) == service1dn,
krbprincipalname=[service1], krbprincipalname=[service1],
objectclass=objectclasses.service, objectclass=objectclasses.service,
managedby_host=[fqdn1], managedby_host=[fqdn1],
@ -539,6 +555,8 @@ class test_host(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn2], managedby_host=[u'%s' % fqdn2],
has_keytab=False,
has_password=False,
), ),
), ),
), ),

2
tests/test_xmlrpc/test_hostgroup_plugin.py
View File

@ -121,6 +121,8 @@ class test_hostgroup(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[fqdn1], managedby_host=[fqdn1],
has_keytab=False,
has_password=False,
), ),
), ),
), ),

2
tests/test_xmlrpc/test_krbtpolicy.py
View File

@ -116,6 +116,8 @@ class test_krbtpolicy(Declarative):
[DN(('cn',user1),('cn','groups'),('cn','accounts'), [DN(('cn',user1),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid',user1),('cn','users'),('cn','accounts'), DN(('uid',user1),('cn','users'),('cn','accounts'),
api.env.basedn) api.env.basedn)

11
tests/test_xmlrpc/test_nesting.py
View File

@ -186,6 +186,8 @@ class test_nesting(Declarative):
[DN(('cn',user1),('cn','groups'),('cn','accounts'), [DN(('cn',user1),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid',user1),('cn','users'),('cn','accounts'), DN(('uid',user1),('cn','users'),('cn','accounts'),
api.env.basedn) api.env.basedn)
@ -224,6 +226,8 @@ class test_nesting(Declarative):
[DN(('cn',user2),('cn','groups'),('cn','accounts'), [DN(('cn',user2),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid',user2),('cn','users'),('cn','accounts'), DN(('uid',user2),('cn','users'),('cn','accounts'),
api.env.basedn) api.env.basedn)
@ -262,6 +266,8 @@ class test_nesting(Declarative):
[DN(('cn',user3),('cn','groups'),('cn','accounts'), [DN(('cn',user3),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid',user3),('cn','users'),('cn','accounts'), DN(('uid',user3),('cn','users'),('cn','accounts'),
api.env.basedn) api.env.basedn)
@ -300,6 +306,8 @@ class test_nesting(Declarative):
[DN(('cn',user4),('cn','groups'),('cn','accounts'), [DN(('cn',user4),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid',user4),('cn','users'),('cn','accounts'), DN(('uid',user4),('cn','users'),('cn','accounts'),
api.env.basedn) api.env.basedn)
@ -676,6 +684,8 @@ class test_nesting(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[fqdn1], managedby_host=[fqdn1],
has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -801,6 +811,7 @@ class test_nesting(Declarative):
l=[u'Undisclosed location 1'], l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
has_keytab=False, has_keytab=False,
has_password=False,
managedby_host=[fqdn1], managedby_host=[fqdn1],
memberof_hostgroup = [u'testhostgroup2'], memberof_hostgroup = [u'testhostgroup2'],
memberofindirect_hostgroup = [u'testhostgroup1'], memberofindirect_hostgroup = [u'testhostgroup1'],

6
tests/test_xmlrpc/test_netgroup_plugin.py
View File

@ -168,6 +168,8 @@ class test_netgroup(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[host1], managedby_host=[host1],
has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -225,6 +227,8 @@ class test_netgroup(Declarative):
[DN(('cn',user1),('cn','groups'),('cn','accounts'), [DN(('cn',user1),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid',user1),('cn','users'),('cn','accounts'), DN(('uid',user1),('cn','users'),('cn','accounts'),
api.env.basedn), api.env.basedn),
@ -262,6 +266,8 @@ class test_netgroup(Declarative):
[DN(('cn',user2),('cn','groups'),('cn','accounts'), [DN(('cn',user2),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid',user2),('cn','users'),('cn','accounts'), DN(('uid',user2),('cn','users'),('cn','accounts'),
api.env.basedn), api.env.basedn),

14
tests/test_xmlrpc/test_replace.py
View File

@ -73,6 +73,8 @@ class test_replace(Declarative):
[DN(('cn',user1),('cn','groups'),('cn','accounts'), [DN(('cn',user1),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid','tuser1'),('cn','users'),('cn','accounts'), DN(('uid','tuser1'),('cn','users'),('cn','accounts'),
api.env.basedn), api.env.basedn),
@ -98,6 +100,8 @@ class test_replace(Declarative):
mail=[u'test1@example.com', u'test3@example.com'], mail=[u'test1@example.com', u'test3@example.com'],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -122,6 +126,8 @@ class test_replace(Declarative):
mail=[u'test4@example.com'], mail=[u'test4@example.com'],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -146,6 +152,8 @@ class test_replace(Declarative):
mail=[u'test6@example.com', u'test7@example.com', u'test5@example.com'], mail=[u'test6@example.com', u'test7@example.com', u'test5@example.com'],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -169,6 +177,8 @@ class test_replace(Declarative):
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -193,6 +203,8 @@ class test_replace(Declarative):
initials=[u'ABC'], initials=[u'ABC'],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -216,6 +228,8 @@ class test_replace(Declarative):
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,

8
tests/test_xmlrpc/test_service_plugin.py
View File

@ -47,7 +47,7 @@ fd.close()
badservercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv' badservercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv'
class test_host(Declarative): class test_service(Declarative):
cleanup_commands = [ cleanup_commands = [
('host_del', [fqdn1], {}), ('host_del', [fqdn1], {}),
@ -99,6 +99,8 @@ class test_host(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn1], managedby_host=[u'%s' % fqdn1],
has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -125,6 +127,8 @@ class test_host(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn2], managedby_host=[u'%s' % fqdn2],
has_keytab=False,
has_password=False,
), ),
), ),
), ),
@ -151,6 +155,8 @@ class test_host(Declarative):
objectclass=objectclasses.host, objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn3.lower()], managedby_host=[u'%s' % fqdn3.lower()],
has_keytab=False,
has_password=False,
), ),
), ),
), ),

30
tests/test_xmlrpc/test_user_plugin.py
View File

@ -104,6 +104,8 @@ class test_user(Declarative):
[DN(('cn',user1),('cn','groups'),('cn','accounts'), [DN(('cn',user1),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid','tuser1'),('cn','users'),('cn','accounts'), DN(('uid','tuser1'),('cn','users'),('cn','accounts'),
api.env.basedn), api.env.basedn),
@ -140,6 +142,8 @@ class test_user(Declarative):
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
value=user1, value=user1,
summary=None, summary=None,
@ -178,6 +182,8 @@ class test_user(Declarative):
[DN(('cn','global_policy'),('cn',api.env.realm), [DN(('cn','global_policy'),('cn',api.env.realm),
('cn','kerberos'),api.env.basedn)], ('cn','kerberos'),api.env.basedn)],
'nsaccountlock': False, 'nsaccountlock': False,
'has_keytab': False,
'has_password': False,
'displayname': [u'Test User1'], 'displayname': [u'Test User1'],
'cn': [u'Test User1'], 'cn': [u'Test User1'],
'initials': [u'TU'], 'initials': [u'TU'],
@ -206,6 +212,8 @@ class test_user(Declarative):
sn=[u'User1'], sn=[u'User1'],
uid=[user1], uid=[user1],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
uidnumber=[fuzzy_digits], uidnumber=[fuzzy_digits],
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
), ),
@ -233,6 +241,8 @@ class test_user(Declarative):
sn=[u'Administrator'], sn=[u'Administrator'],
uid=[u'admin'], uid=[u'admin'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=True,
has_password=True,
uidnumber=[fuzzy_digits], uidnumber=[fuzzy_digits],
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
), ),
@ -246,6 +256,8 @@ class test_user(Declarative):
sn=[u'User1'], sn=[u'User1'],
uid=[user1], uid=[user1],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
uidnumber=[fuzzy_digits], uidnumber=[fuzzy_digits],
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
), ),
@ -273,6 +285,8 @@ class test_user(Declarative):
sn=[u'Administrator'], sn=[u'Administrator'],
uid=[u'admin'], uid=[u'admin'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=True,
has_password=True,
uidnumber=[fuzzy_digits], uidnumber=[fuzzy_digits],
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
), ),
@ -326,6 +340,8 @@ class test_user(Declarative):
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "tuser1"', summary=u'Modified user "tuser1"',
value=user1, value=user1,
@ -359,6 +375,8 @@ class test_user(Declarative):
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=None, summary=None,
value=user1, value=user1,
@ -381,6 +399,8 @@ class test_user(Declarative):
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "%s"' % user1, summary=u'Modified user "%s"' % user1,
value=user1, value=user1,
@ -409,6 +429,8 @@ class test_user(Declarative):
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
), ),
summary=u'Modified user "%s"' % renameduser1, summary=u'Modified user "%s"' % renameduser1,
value=renameduser1, value=renameduser1,
@ -475,6 +497,8 @@ class test_user(Declarative):
[DN(('cn',user1),('cn','groups'),('cn','accounts'), [DN(('cn',user1),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid','tuser1'),('cn','users'),('cn','accounts'), DN(('uid','tuser1'),('cn','users'),('cn','accounts'),
api.env.basedn), api.env.basedn),
@ -513,6 +537,8 @@ class test_user(Declarative):
[DN(('cn',user2),('cn','groups'),('cn','accounts'), [DN(('cn',user2),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid','tuser2'),('cn','users'),('cn','accounts'), DN(('uid','tuser2'),('cn','users'),('cn','accounts'),
api.env.basedn), api.env.basedn),
@ -542,6 +568,8 @@ class test_user(Declarative):
gidnumber=[fuzzy_digits], gidnumber=[fuzzy_digits],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
nsaccountlock=False, nsaccountlock=False,
has_keytab=False,
has_password=False,
manager=[user1], manager=[user1],
), ),
summary=u'Modified user "%s"' % user2, summary=u'Modified user "%s"' % user2,
@ -655,6 +683,8 @@ class test_user(Declarative):
[DN(('cn',user1),('cn','groups'),('cn','accounts'), [DN(('cn',user1),('cn','groups'),('cn','accounts'),
api.env.basedn)], api.env.basedn)],
memberof_group=[u'ipausers'], memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \ dn=lambda x: DN(x) == \
DN(('uid','tuser1'),('cn','users'),('cn','accounts'), DN(('uid','tuser1'),('cn','users'),('cn','accounts'),
api.env.basedn), api.env.basedn),