Enable group inactivation by using the Class of Service plugin.

This adds 2 new groups: activated and inactivated. If you, or a group you are a member of, is in inactivated then you are too. If you, or a group you are a member of, is in the activated group, then you are too. In a fight between activated and inactivated, activated wins. The DNs for doing this matching is case and white space sensitive. The goal is to never have to actually set nsAccountLock in a user directly but move them between these groups. We need to decide where in the CLI this will happen. Right it is split between ipa-deluser and ipa-usermod. To inactivate groups for now just add the group to inactivate or active.
2025-02-25 18:55:28 -06:00 · 2007-11-20 22:45:29 -05:00
parent 56d67b86e1
commit f42f1f44c8
15 changed files with 301 additions and 44 deletions
--- a/ipa-admintools/ipa-usermod
+++ b/ipa-admintools/ipa-usermod
@@ -32,7 +32,7 @@ import ldap
 import errno

 def usage():
-    print "ipa-usermod [-c|--gecos STRING] [-d|--directory STRING] [-f|--firstname STRING] [-l|--lastname STRING] [-s|--shell STRING] [--add attribute=value] [--del attribute] [--set attribute=value] user"
+    print "ipa-usermod [-a|--activate] [-c|--gecos STRING] [-d|--directory STRING] [-f|--firstname STRING] [-l|--lastname STRING] [-s|--shell STRING] [--add attribute=value] [--del attribute] [--set attribute=value] user"
    sys.exit(1)

 def set_add_usage(which):
@@ -40,6 +40,8 @@ def set_add_usage(which):

 def parse_options():
    parser = OptionParser()
+    parser.add_option("-a", "--activate", dest="activate", action="store_true",
+                      help="Activate the user")
    parser.add_option("-c", "--gecos", dest="gecos",
                      help="Set the GECOS field")
    parser.add_option("-d", "--directory", dest="directory",
@@ -111,7 +113,7 @@ def main():
        return 1

    # If any options are set we use just those. Otherwise ask for all of them.
-    if options.gn or options.sn or options.directory or options.gecos or options.mail or options.shell or options.addattr or options.delattr or options.setattr:
+    if options.gn or options.sn or options.directory or options.gecos or options.mail or options.shell or options.addattr or options.delattr or options.setattr or options.activate:
        givenname = options.gn
        lastname = options.sn
        gecos = options.gecos
@@ -236,8 +238,16 @@ def main():
                value = cvalue + [value]
            user.setValue(attr, value)

-
    try:
+        if options.activate:
+            try:
+                client.mark_user_active(user.getValues('uid'))
+                print "User activated successfully."
+            except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+                print "User is already marked active"
+                return 0
+            except:
+                raise
        client.update_user(user)
    except xmlrpclib.Fault, fault:
        if fault.faultCode == errno.ECONNREFUSED: