IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Rely more on kerberos.

Browse Source 
Don't read ipa.conf to get the realm, the kerberos libs do that for you.
Use the krbPrincipalName to change passwords
Make it possible to specify the principal at user creation.
Mail is not a required attribute so far, don't require it.
This commit is contained in:
Simo Sorce
2007-10-01 17:33:16 -04:00
parent 5750ebdd83
commit cfac4acf9f
7 changed files with 111 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
ipa-admintools/ipa-adduser
View File

@@ -28,6 +28,7 @@ import ipa.config
import xmlrpclib
import kerberos
import krbV
import ldap
import getpass
@@ -51,8 +52,10 @@ def parse_options():
help="Set user's login shell to shell")
parser.add_option("-G", "--groups", dest="groups",
help="Add account to one or more groups (comma-separated)")
parser.add_option("-k", "--krb-principal", dest="principal",
help="Set user's Kerberos Principal Name")
parser.add_option("-M", "--mailAddress", dest="mail",
help="Set uesr's e-mail address")
help="Set user's e-mail address")
parser.add_option("--usage", action="store_true",
help="Program usage")
@@ -66,8 +69,9 @@ def main():
givenname = ""
lastname = ""
username = ""
principal = ""
password = ""
mail = ""
mail = ""
gecos = ""
directory = ""
shell = ""
@@ -100,7 +104,7 @@ def main():
cont = False
if not options.sn:
while (cont != True):
lastname = raw_input(" Last name: ")
lastname = raw_input("Last name: ")
if (ipavalidate.plain(lastname, notEmpty=True)):
print "Field is required and must be letters or '"
else:
@@ -140,18 +144,10 @@ def main():
else:
password = options.sn
cont = False
if not options.mail:
while (cont != True):
mail = raw_input("E-mail addr: ")
if (ipavalidate.email(mail)):
print "Field is required and must include a user and domain name"
else:
cont = True
else:
if options.mail:
mail = options.mail
if (ipavalidate.email(mail)):
print "E-mail is required and must include a user and domain name"
print "The email provided seem not a valid email."
return 1
# Ask the questions we don't normally force. We don't require answers
@@ -168,8 +164,10 @@ def main():
cont = False
if not options.directory:
while (cont != True):
directory = raw_input("home directory []: ")
if (ipavalidate.path(gecos, notEmpty=False)):
directory = raw_input("home directory [/home/"+username+"]: ")
if directory == "":
directory = "/home/"+username
if (ipavalidate.path(directory, notEmpty=False)):
print "Must be letters, numbers, spaces or '"
else:
cont = True
@@ -180,29 +178,26 @@ def main():
if len(shell) < 1:
shell = None
cont = True
cont = False
if not options.groups:
while (cont != True):
g = raw_input("Add to group [blank to exit]: ")
if len(g) < 1:
cont = True
else:
if (ipavalidate.path(g, notEmpty=False)):
print "Must be letters, numbers, spaces or '"
else:
groups = groups + "," + g
cont = True
else:
gecos = options.gecos
directory = options.directory
shell = options.shell
groups = options.groups
if options.principal:
principal = options.principal
else:
ctx = krbV.default_context()
principal = username + "@" + ctx.default_realm
user.setValue('givenname', givenname)
user.setValue('sn', lastname)
user.setValue('uid', username)
user.setValue('mail', mail)
user.setValue('krbprincipalname', principal)
if mail:
user.setValue('mail', mail)
if gecos:
user.setValue('gecos', gecos)
if directory:
@@ -231,7 +226,7 @@ def main():
# Set the User's password
if password is not None:
try:
client.modifyPassword(username, None, password)
client.modifyPassword(principal, None, password)
except ipa.ipaerror.IPAError, e:
print "User added but setting the password failed."
print "%s" % (e.message)

36
ipa-admintools/ipa-passwd
View File

@@ -44,12 +44,12 @@ def parse_options():
return options, args
def get_principal():
def get_principal(krbctx):
try:
ctx = krbV.default_context()
ccache = ctx.default_ccache()
ccache = krbctx.default_ccache()
cprinc = ccache.principal()
except krbV.Krb5Error, e:
#TODO: do a kinit
print "Unable to get kerberos principal: %s" % e[1]
return None
@@ -57,39 +57,47 @@ def get_principal():
def main():
match = False
username = None
principal = None
krbctx = krbV.default_context()
options, args = parse_options()
if len(args) == 2:
username = args[1]
else:
username = get_principal()
if username is None:
principal = get_principal(krbctx)
if principal is None:
return 1
u = username.split('@')
if len(u) > 1:
username = u[0]
if not principal:
u = username.split('@')
if len(u) > 2 or len(u) == 0:
print "Invalid user name (%s)" % username
if len(u) == 1:
principal = username+"@"+krbctx.default_realm
else:
principal = username
print "Changing password for %s" % username
print "Changing password for %s" % principal
while (match != True):
# No syntax checking of the password is required because that is done
# on the server side
password = getpass.getpass(" New Password: ")
confirm = getpass.getpass(" New Password (again): ")
confirm = getpass.getpass(" Confirm Password: ")
if (password != confirm):
print "Passwords do not match"
match = False
elif (len(password) < 1):
print "Password cannot be empty"
match = False
else:
match = True
if (len(password) < 1):
print "Password cannot be empty"
match = False
try:
client = ipaclient.IPAClient()
client.modifyPassword(username, None, password)
client.modifyPassword(principal, None, password)
except ipa.ipaerror.IPAError, e:
print "%s" % (e.message)
return 1