freeipa/ipaserver/plugins/user.py
Christian Heimes 4911a3f055 Prevent local account takeover
It was found that if an account was created with a name corresponding to
an account local to a system, such as 'root', was created via IPA, such
account could access any enrolled machine with that account, and the local
system privileges. This also bypass the absence of explicit HBAC rules.

root principal alias
-------------------

The principal "root@REALM" is now a Kerberos principal alias for
"admin". This prevent user with "User Administrator" role or
"System: Add User" privilege to create an account with "root" principal
name.

Modified user permissions
-------------------------

Several user permissions no longer apply to admin users and filter on
posixaccount object class. This prevents user managers from modifying admin
acounts.

- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user

``System: Unlock User`` is restricted because the permission also allow a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing login shell or notification channels
(mail, mobile) of admin accounts.

New user permission
-------------------

- System: Change Admin User password

The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.

Modified group permissions
--------------------------

Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.

- System: Modify Groups
- System: Remove Groups

The permission ``System: Modify Group Membership`` was already limited.

Notes
-----

Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.

Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.

Misc changes
------------

Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.

Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-06-15 22:44:42 +03:00

1308 lines
51 KiB
Python

# Authors:
# Jason Gerard DeRose <jderose@redhat.com>
# Pavel Zuna <pzuna@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import absolute_import
import logging
import time
from time import gmtime, strftime
import posixpath
import six
from ipalib import api
from ipalib import errors
from ipalib import Bool, Flag, Str
from .baseuser import (
baseuser,
baseuser_add,
baseuser_del,
baseuser_mod,
baseuser_find,
baseuser_show,
NO_UPG_MAGIC,
UPG_DEFINITION_DN,
baseuser_output_params,
validate_nsaccountlock,
convert_nsaccountlock,
fix_addressbook_permission_bindrule,
baseuser_add_manager,
baseuser_remove_manager,
baseuser_add_cert,
baseuser_remove_cert,
baseuser_add_principal,
baseuser_remove_principal,
baseuser_add_certmapdata,
baseuser_remove_certmapdata)
from .idviews import remove_ipaobject_overrides
from ipalib.plugable import Registry
from .baseldap import (
LDAPObject,
pkey_to_value,
LDAPCreate,
LDAPSearch,
LDAPQuery,
LDAPMultiQuery)
from . import baseldap
from ipalib.request import context
from ipalib import _, ngettext
from ipalib import output
from ipaplatform.paths import paths
from ipaplatform.constants import constants as platformconstants
from ipapython.dn import DN
from ipapython.ipaldap import LDAPClient
from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
from ipalib.capabilities import client_has_capability
from ipaserver.masters import get_masters
if six.PY3:
unicode = str
__doc__ = _("""
Users
Manage user entries. All users are POSIX users.
IPA supports a wide range of username formats, but you need to be aware of any
restrictions that may apply to your particular environment. For example,
usernames that start with a digit or usernames that exceed a certain length
may cause problems for some UNIX systems.
Use 'ipa config-mod' to change the username format allowed by IPA tools.
Disabling a user account prevents that user from obtaining new Kerberos
credentials. It does not invalidate any credentials that have already
been issued.
Password management is not a part of this module. For more information
about this topic please see: ipa help passwd
Account lockout on password failure happens per IPA master. The user-status
command can be used to identify which master the user is locked out on.
It is on that master the administrator must unlock the user.
EXAMPLES:
Add a new user:
ipa user-add --first=Tim --last=User --password tuser1
Find all users whose entries include the string "Tim":
ipa user-find Tim
Find all users with "Tim" as the first name:
ipa user-find --first=Tim
Disable a user account:
ipa user-disable tuser1
Enable a user account:
ipa user-enable tuser1
Delete a user:
ipa user-del tuser1
""")
logger = logging.getLogger(__name__)
register = Registry()
user_output_params = baseuser_output_params
MEMBEROF_ADMINS = "(memberOf={})".format(
DN('cn=admins', api.env.container_group, api.env.basedn)
)
NOT_MEMBEROF_ADMINS = '(!{})'.format(MEMBEROF_ADMINS)
def check_protected_member(user, protected_group_name=u'admins'):
'''
Ensure the last enabled member of a protected group cannot be deleted or
disabled by raising LastMemberError.
'''
# Get all users in the protected group
result = api.Command.user_find(in_group=protected_group_name)
# Build list of users in the protected group who are enabled
result = result['result']
enabled_users = [entry['uid'][0] for entry in result if not entry['nsaccountlock']]
# If the user is the last enabled user raise LastMemberError exception
if enabled_users == [user]:
raise errors.LastMemberError(key=user, label=_(u'group'),
container=protected_group_name)
@register()
class user(baseuser):
"""
User object.
"""
container_dn = baseuser.active_container_dn
label = _('Users')
label_singular = _('User')
object_name = _('user')
object_name_plural = _('users')
permission_filter_objectclasses_string = '(objectclass=posixaccount)'
managed_permissions = {
'System: Read User Standard Attributes': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'anonymous',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'objectclass', 'cn', 'sn', 'description', 'title', 'uid',
'displayname', 'givenname', 'initials', 'manager', 'gecos',
'gidnumber', 'homedirectory', 'loginshell', 'uidnumber',
'ipantsecurityidentifier'
},
},
'System: Read User Addressbook Attributes': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'seealso', 'telephonenumber',
'facsimiletelephonenumber', 'l', 'ou', 'st', 'postalcode', 'street',
'destinationindicator', 'internationalisdnnumber',
'physicaldeliveryofficename', 'postaladdress', 'postofficebox',
'preferreddeliverymethod', 'registeredaddress',
'teletexterminalidentifier', 'telexnumber', 'x121address',
'carlicense', 'departmentnumber', 'employeenumber',
'employeetype', 'preferredlanguage', 'mail', 'mobile', 'pager',
'audio', 'businesscategory', 'homephone', 'homepostaladdress',
'jpegphoto', 'labeleduri', 'o', 'photo', 'roomnumber',
'secretary', 'usercertificate',
'usersmimecertificate', 'x500uniqueidentifier',
'inetuserhttpurl', 'inetuserstatus',
'ipacertmapdata',
},
'fixup_function': fix_addressbook_permission_bindrule,
},
'System: Read User IPA Attributes': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'ipauniqueid', 'ipasshpubkey', 'ipauserauthtype', 'userclass',
},
'fixup_function': fix_addressbook_permission_bindrule,
},
'System: Read User Kerberos Attributes': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases',
'krbprincipalexpiration', 'krbpasswordexpiration',
'krblastpwdchange', 'nsaccountlock', 'krbprincipaltype',
},
},
'System: Read User Kerberos Login Attributes': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'krblastsuccessfulauth', 'krblastfailedauth',
'krblastpwdchange', 'krblastadminunlock',
'krbloginfailedcount', 'krbpwdpolicyreference',
'krbticketpolicyreference', 'krbupenabled',
},
'default_privileges': {'User Administrators'},
},
'System: Read User Membership': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'memberof',
},
},
'System: Read UPG Definition': {
# Required for adding users
'replaces_global_anonymous_aci': True,
'non_object': True,
'ipapermlocation': UPG_DEFINITION_DN,
'ipapermtarget': UPG_DEFINITION_DN,
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {'*'},
'default_privileges': {'User Administrators'},
},
'System: Add Users': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'User Administrators'},
},
'System: Add User to default group': {
'non_object': True,
'ipapermright': {'write'},
'ipapermlocation': DN(api.env.container_group, api.env.basedn),
'ipapermtarget': DN('cn=ipausers', api.env.container_group,
api.env.basedn),
'ipapermdefaultattr': {'member'},
'replaces': [
'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'User Administrators'},
},
'System: Change User password': {
'ipapermright': {'write'},
'ipapermtargetfilter': [
permission_filter_objectclasses_string,
NOT_MEMBEROF_ADMINS,
],
'ipapermdefaultattr': {
'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
'sambantpassword', 'userpassword', 'krbpasswordexpiration'
},
'replaces': [
'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Windows PassSync service can write passwords"; allow (write) userdn="ldap:///uid=passsync,cn=sysaccounts,cn=etc,$SUFFIX";)',
],
'default_privileges': {
'User Administrators',
'Modify Users and Reset passwords',
'PassSync Service',
},
},
'System: Change Admin User password': {
'ipapermright': {'write'},
'ipapermtargetfilter': [
MEMBEROF_ADMINS,
],
'ipapermdefaultattr': {
'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
'sambantpassword', 'userpassword', 'krbpasswordexpiration'
},
'default_privileges': {
'PassSync Service',
},
},
'System: Manage User SSH Public Keys': {
'ipapermright': {'write'},
'ipapermtargetfilter': [
permission_filter_objectclasses_string,
NOT_MEMBEROF_ADMINS,
],
'ipapermdefaultattr': {'ipasshpubkey'},
'replaces': [
'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'User Administrators'},
},
'System: Manage User Certificates': {
'ipapermright': {'write'},
'ipapermtargetfilter': [
permission_filter_objectclasses_string,
NOT_MEMBEROF_ADMINS,
],
'ipapermdefaultattr': {'usercertificate'},
'default_privileges': {
'User Administrators',
'Modify Users and Reset passwords',
},
},
'System: Manage User Principals': {
'ipapermright': {'write'},
'ipapermtargetfilter': [
permission_filter_objectclasses_string,
NOT_MEMBEROF_ADMINS,
],
'ipapermdefaultattr': {'krbprincipalname', 'krbcanonicalname'},
'default_privileges': {
'User Administrators',
'Modify Users and Reset passwords',
},
},
'System: Modify Users': {
'ipapermright': {'write'},
'ipapermtargetfilter': [
permission_filter_objectclasses_string,
NOT_MEMBEROF_ADMINS,
],
'ipapermdefaultattr': {
'businesscategory', 'carlicense', 'cn', 'departmentnumber',
'description', 'displayname', 'employeetype',
'employeenumber', 'facsimiletelephonenumber',
'gecos', 'givenname', 'homedirectory', 'homephone',
'inetuserhttpurl', 'initials', 'l', 'labeleduri', 'loginshell',
'manager', 'mail', 'mepmanagedentry', 'mobile', 'objectclass',
'ou', 'pager', 'postalcode', 'roomnumber', 'secretary',
'seealso', 'sn', 'st', 'street', 'telephonenumber', 'title',
'userclass', 'preferredlanguage'
},
'replaces': [
'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {
'User Administrators',
'Modify Users and Reset passwords',
},
},
'System: Remove Users': {
'ipapermright': {'delete'},
'ipapermtargetfilter': [
permission_filter_objectclasses_string,
NOT_MEMBEROF_ADMINS,
],
'replaces': [
'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'User Administrators'},
},
'System: Unlock User': {
'ipapermright': {'write'},
'ipapermtargetfilter': [
permission_filter_objectclasses_string,
NOT_MEMBEROF_ADMINS,
],
'ipapermdefaultattr': {
'krblastadminunlock', 'krbloginfailedcount', 'nsaccountlock',
},
'replaces': [
'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'User Administrators'},
},
'System: Read User Compat Tree': {
'non_object': True,
'ipapermbindruletype': 'anonymous',
'ipapermlocation': api.env.basedn,
'ipapermtarget': DN('cn=users', 'cn=compat', api.env.basedn),
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'objectclass', 'uid', 'cn', 'gecos', 'gidnumber', 'uidnumber',
'homedirectory', 'loginshell',
},
},
'System: Read User Views Compat Tree': {
'non_object': True,
'ipapermbindruletype': 'anonymous',
'ipapermlocation': api.env.basedn,
'ipapermtarget': DN('cn=users', 'cn=*', 'cn=views', 'cn=compat', api.env.basedn),
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'objectclass', 'uid', 'cn', 'gecos', 'gidnumber', 'uidnumber',
'homedirectory', 'loginshell',
},
},
'System: Read User NT Attributes': {
'ipapermbindruletype': 'permission',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'ntuserdomainid', 'ntuniqueid', 'ntuseracctexpires',
'ntusercodepage', 'ntuserdeleteaccount', 'ntuserlastlogoff',
'ntuserlastlogon',
},
'default_privileges': {'PassSync Service'},
},
'System: Manage User Certificate Mappings': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'ipacertmapdata', 'objectclass'},
'default_privileges': {
'Certificate Identity Mapping Administrators'
},
},
}
takes_params = baseuser.takes_params + (
Bool('nsaccountlock?',
cli_name=('disabled'),
default=False,
label=_('Account disabled'),
),
Bool('preserved?',
label=_('Preserved user'),
default=False,
flags=['virtual_attribute', 'no_create', 'no_update'],
),
)
def get_delete_dn(self, *keys, **options):
active_dn = self.get_dn(*keys, **options)
return DN(active_dn[0], self.delete_container_dn, api.env.basedn)
def get_either_dn(self, *keys, **options):
'''
Returns the DN of a user
The user can be active (active container) or delete (delete container)
If the user does not exist, returns the Active user DN
'''
ldap = self.backend
# Check that this value is a Active user
try:
active_dn = self.get_dn(*keys, **options)
ldap.get_entry(active_dn, ['dn'])
# The Active user exists
dn = active_dn
except errors.NotFound:
# Check that this value is a Delete user
delete_dn = self.get_delete_dn(*keys, **options)
try:
ldap.get_entry(delete_dn, ['dn'])
# The Delete user exists
dn = delete_dn
except errors.NotFound:
# The user is neither Active/Delete -> returns that Active DN
dn = active_dn
return dn
def _normalize_manager(self, manager):
"""
Given a userid verify the user's existence and return the dn.
"""
return super(user, self).normalize_manager(manager, self.active_container_dn)
def get_preserved_attribute(self, entry, options):
if options.get('raw', False):
return
delete_container_dn = DN(self.delete_container_dn, api.env.basedn)
if entry.dn.endswith(delete_container_dn):
entry['preserved'] = True
elif options.get('all', False):
entry['preserved'] = False
@register()
class user_add(baseuser_add):
__doc__ = _('Add a new user.')
msg_summary = _('Added user "%(value)s"')
has_output_params = baseuser_add.has_output_params + user_output_params
takes_options = LDAPCreate.takes_options + (
Flag('noprivate',
cli_name='noprivate',
doc=_('Don\'t create user private group'),
),
)
def get_options(self):
for option in super(user_add, self).get_options():
if option.name == "nsaccountlock":
flags = set(option.flags)
flags.add("no_option")
option = option.clone(flags=flags)
yield option
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
delete_dn = self.obj.get_delete_dn(*keys, **options)
try:
ldap.get_entry(delete_dn, [''])
except errors.NotFound:
pass
else:
raise self.obj.handle_duplicate_entry(*keys)
if not options.get('noprivate', False) and ldap.has_upg():
try:
# The Managed Entries plugin will allow a user to be created
# even if a group has a duplicate name. This would leave a user
# without a private group. Check for both the group and the user.
self.api.Object['group'].get_dn_if_exists(keys[-1])
try:
self.api.Command['user_show'](keys[-1])
self.obj.handle_duplicate_entry(*keys)
except errors.NotFound:
raise errors.ManagedGroupExistsError(group=keys[-1])
except errors.NotFound:
pass
else:
# we don't want an user private group to be created for this user
# add NO_UPG_MAGIC description attribute to let the DS plugin know
entry_attrs.setdefault('description', [])
entry_attrs['description'].append(NO_UPG_MAGIC)
entry_attrs.setdefault('uidnumber', baseldap.DNA_MAGIC)
if not client_has_capability(
options['version'], 'optional_uid_params'):
# https://fedorahosted.org/freeipa/ticket/2886
# Old clients say 999 (OLD_DNA_MAGIC) when they really mean
# "assign a value dynamically".
OLD_DNA_MAGIC = 999
if entry_attrs.get('uidnumber') == OLD_DNA_MAGIC:
entry_attrs['uidnumber'] = baseldap.DNA_MAGIC
if entry_attrs.get('gidnumber') == OLD_DNA_MAGIC:
entry_attrs['gidnumber'] = baseldap.DNA_MAGIC
validate_nsaccountlock(entry_attrs)
config = ldap.get_ipa_config()
if 'ipamaxusernamelength' in config:
if len(keys[-1]) > int(config.get('ipamaxusernamelength')[0]):
raise errors.ValidationError(
name=self.obj.primary_key.cli_name,
error=_('can be at most %(len)d characters') % dict(
len = int(config.get('ipamaxusernamelength')[0])
)
)
default_shell = config.get('ipadefaultloginshell',
[platformconstants.DEFAULT_SHELL])[0]
entry_attrs.setdefault('loginshell', default_shell)
# hack so we can request separate first and last name in CLI
full_name = '%s %s' % (entry_attrs['givenname'], entry_attrs['sn'])
entry_attrs.setdefault('cn', full_name)
if 'homedirectory' not in entry_attrs:
# get home's root directory from config
homes_root = config.get('ipahomesrootdir', [paths.HOME_DIR])[0]
# build user's home directory based on his uid
entry_attrs['homedirectory'] = posixpath.join(homes_root, keys[-1])
entry_attrs.setdefault('krbprincipalname', '%s@%s' % (entry_attrs['uid'], api.env.realm))
if entry_attrs.get('gidnumber') is None:
# gidNumber wasn't specified explicity, find out what it should be
if not options.get('noprivate', False) and ldap.has_upg():
# User Private Groups - uidNumber == gidNumber
entry_attrs['gidnumber'] = entry_attrs['uidnumber']
else:
# we're adding new users to a default group, get its gidNumber
# get default group name from config
def_primary_group = config.get('ipadefaultprimarygroup')
group_dn = self.api.Object['group'].get_dn(def_primary_group)
try:
group_attrs = ldap.get_entry(group_dn, ['gidnumber'])
except errors.NotFound:
error_msg = _('Default group for new users not found')
raise errors.NotFound(reason=error_msg)
if 'gidnumber' not in group_attrs:
error_msg = _('Default group for new users is not POSIX')
raise errors.NotFound(reason=error_msg)
entry_attrs['gidnumber'] = group_attrs['gidnumber']
if 'userpassword' not in entry_attrs and options.get('random'):
entry_attrs['userpassword'] = ipa_generate_password(
entropy_bits=TMP_PWD_ENTROPY_BITS)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
if 'mail' in entry_attrs:
entry_attrs['mail'] = self.obj.normalize_and_validate_email(entry_attrs['mail'], config)
else:
# No e-mail passed in. If we have a default e-mail domain set
# then we'll add it automatically.
defaultdomain = config.get('ipadefaultemaildomain', [None])[0]
if defaultdomain:
entry_attrs['mail'] = self.obj.normalize_and_validate_email(keys[-1], config)
if 'manager' in entry_attrs:
entry_attrs['manager'] = self.obj.normalize_manager(entry_attrs['manager'], self.obj.active_container_dn)
if 'userclass' in entry_attrs and \
'ipauser' not in entry_attrs['objectclass']:
entry_attrs['objectclass'].append('ipauser')
if 'ipauserauthtype' in entry_attrs and \
'ipauserauthtypeclass' not in entry_attrs['objectclass']:
entry_attrs['objectclass'].append('ipauserauthtypeclass')
rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
if rcl:
if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
entry_attrs['objectclass'].append('ipatokenradiusproxyuser')
answer = self.api.Object['radiusproxy'].get_dn_if_exists(rcl)
entry_attrs['ipatokenradiusconfiglink'] = answer
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
**options)
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
config = ldap.get_ipa_config()
# add the user we just created into the default primary group
def_primary_group = config.get('ipadefaultprimarygroup')
group_dn = self.api.Object['group'].get_dn(def_primary_group)
# if the user is already a member of default primary group,
# do not raise error
# this can happen if automember rule or default group is set
try:
ldap.add_entry_to_group(dn, group_dn)
except errors.AlreadyGroupMember:
pass
# Fetch the entry again to update memberof, mep data, etc updated
# at the end of the transaction.
newentry = ldap.get_entry(dn, ['*'])
# delete description attribute NO_UPG_MAGIC if present
if (options.get('noprivate', False) or not ldap.has_upg()) and \
'description' in newentry and \
NO_UPG_MAGIC in newentry['description']:
newentry['description'].remove(NO_UPG_MAGIC)
ldap.update_entry(newentry)
entry_attrs.update(newentry)
if options.get('random', False):
try:
entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword'))
except AttributeError:
# if both randompassword and userpassword options were used
pass
self.obj.get_preserved_attribute(entry_attrs, options)
self.post_common_callback(ldap, dn, entry_attrs, *keys, **options)
return dn
@register()
class user_del(baseuser_del):
__doc__ = _('Delete a user.')
msg_summary = _('Deleted user "%(value)s"')
takes_options = baseuser_del.takes_options + (
Bool('preserve?',
exclude='cli',
),
)
def _preserve_user(self, pkey, delete_container, **options):
assert isinstance(delete_container, DN)
dn = self.obj.get_either_dn(pkey, **options)
delete_dn = DN(dn[0], delete_container)
ldap = self.obj.backend
logger.debug("preserve move %s -> %s", dn, delete_dn)
if dn.endswith(delete_container):
raise errors.ExecutionError(
_('%s: user is already preserved' % pkey)
)
# Check that this value is a Active user
try:
original_entry_attrs = self._exc_wrapper(
pkey, options, ldap.get_entry)(dn, ['dn'])
except errors.NotFound:
raise self.obj.handle_not_found(pkey)
for callback in self.get_callbacks('pre'):
dn = callback(self, ldap, dn, pkey, **options)
assert isinstance(dn, DN)
# start to move the entry to Delete container
self._exc_wrapper(pkey, options, ldap.move_entry)(dn, delete_dn,
del_old=True)
# Then clear the credential attributes
attrs_to_clear = ['krbPrincipalKey', 'krbLastPwdChange',
'krbPasswordExpiration', 'userPassword']
entry_attrs = self._exc_wrapper(pkey, options, ldap.get_entry)(
delete_dn, attrs_to_clear)
clearedCredential = False
for attr in attrs_to_clear:
if attr.lower() in entry_attrs:
del entry_attrs[attr]
clearedCredential = True
if clearedCredential:
self._exc_wrapper(pkey, options, ldap.update_entry)(entry_attrs)
# Then restore some original entry attributes
attrs_to_restore = ['secretary', 'managedby', 'manager', 'ipauniqueid',
'uidnumber', 'gidnumber', 'passwordHistory']
entry_attrs = self._exc_wrapper(
pkey, options, ldap.get_entry)(delete_dn, attrs_to_restore)
restoreAttr = False
for attr in attrs_to_restore:
if ((attr.lower() in original_entry_attrs) and
not (attr.lower() in entry_attrs)):
restoreAttr = True
entry_attrs[attr.lower()] = original_entry_attrs[attr.lower()]
if restoreAttr:
self._exc_wrapper(pkey, options, ldap.update_entry)(entry_attrs)
def pre_callback(self, ldap, dn, *keys, **options):
dn = self.obj.get_either_dn(*keys, **options)
# For User life Cycle: user-del is a common plugin
# command to delete active user (active container) and
# delete user (delete container).
# If the target entry is a Delete entry, skip the orphaning/removal
# of OTP tokens.
check_protected_member(keys[-1])
if not options.get('preserve', False):
# Remove any ID overrides tied with this user
try:
remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
except errors.NotFound:
raise self.obj.handle_not_found(*keys)
if dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
return dn
# Delete all tokens owned and managed by this user.
# Orphan all tokens owned but not managed by this user.
owner = self.api.Object.user.get_primary_key_from_dn(dn)
results = self.api.Command.otptoken_find(
ipatokenowner=owner, no_members=False)['result']
for token in results:
orphan = not [x for x in token.get('managedby_user', []) if x == owner]
token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
if orphan:
self.api.Command.otptoken_mod(token, ipatokenowner=None)
else:
self.api.Command.otptoken_del(token)
return dn
def execute(self, *keys, **options):
# We are going to permanent delete or the user is already in the delete container.
delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
# The user to delete is active and there is no 'no_preserve' option
if options.get('preserve', False):
failed = []
preserved = []
for pkey in keys[-1]:
try:
self._preserve_user(pkey, delete_container, **options)
preserved.append(pkey_to_value(pkey, options))
except Exception:
if not options.get('continue', False):
raise
failed.append(pkey_to_value(pkey, options))
val = dict(result=dict(failed=failed), value=preserved)
return val
else:
return super(user_del, self).execute(*keys, **options)
@register()
class user_mod(baseuser_mod):
__doc__ = _('Modify a user.')
msg_summary = _('Modified user "%(value)s"')
has_output_params = baseuser_mod.has_output_params + user_output_params
def get_options(self):
for option in super(user_mod, self).get_options():
if option.name == "nsaccountlock":
flags = set(option.flags)
flags.add("no_option")
option = option.clone(flags=flags)
yield option
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
dn = self.obj.get_either_dn(*keys, **options)
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
**options)
validate_nsaccountlock(entry_attrs)
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
self.post_common_callback(ldap, dn, entry_attrs, *keys, **options)
self.obj.get_preserved_attribute(entry_attrs, options)
return dn
@register()
class user_find(baseuser_find):
__doc__ = _('Search for users.')
member_attributes = ['memberof']
has_output_params = baseuser_find.has_output_params + user_output_params
msg_summary = ngettext(
'%(count)d user matched', '%(count)d users matched', 0
)
takes_options = LDAPSearch.takes_options + (
Flag('whoami',
label=_('Self'),
doc=_('Display user record for current Kerberos principal'),
),
)
def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *keys, **options):
assert isinstance(base_dn, DN)
self.pre_common_callback(ldap, filter, attrs_list, base_dn, scope,
*keys, **options)
if options.get('whoami'):
return ("(&(objectclass=posixaccount)(krbprincipalname=%s))"%\
getattr(context, 'principal'), base_dn, scope)
preserved = options.get('preserved', False)
if preserved is None:
base_dn = self.api.env.basedn
scope = ldap.SCOPE_SUBTREE
elif preserved:
base_dn = DN(self.obj.delete_container_dn, self.api.env.basedn)
else:
base_dn = DN(self.obj.active_container_dn, self.api.env.basedn)
return (filter, base_dn, scope)
def post_callback(self, ldap, entries, truncated, *args, **options):
if options.get('pkey_only', False):
return truncated
if options.get('preserved', False) is None:
base_dns = (
DN(self.obj.active_container_dn, self.api.env.basedn),
DN(self.obj.delete_container_dn, self.api.env.basedn),
)
entries[:] = list(
e for e in entries if any(e.dn.endswith(bd) for bd in base_dns)
)
self.post_common_callback(ldap, entries, lockout=False, **options)
for entry in entries:
self.obj.get_preserved_attribute(entry, options)
return truncated
@register()
class user_show(baseuser_show):
__doc__ = _('Display information about a user.')
has_output_params = baseuser_show.has_output_params + user_output_params
takes_options = baseuser_show.takes_options + (
Str('out?',
doc=_('file to store certificate in'),
),
)
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
dn = self.obj.get_either_dn(*keys, **options)
self.pre_common_callback(ldap, dn, attrs_list, *keys, **options)
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
convert_nsaccountlock(entry_attrs)
self.post_common_callback(ldap, dn, entry_attrs, *keys, **options)
self.obj.get_preserved_attribute(entry_attrs, options)
return dn
@register()
class user_undel(LDAPQuery):
__doc__ = _('Undelete a delete user account.')
has_output = output.standard_value
msg_summary = _('Undeleted user account "%(value)s"')
def execute(self, *keys, **options):
ldap = self.obj.backend
# First check that the user exists and is a delete one
delete_dn = self.obj.get_either_dn(*keys, **options)
try:
self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn)
except errors.NotFound:
raise self.obj.handle_not_found(*keys)
if delete_dn.endswith(DN(self.obj.active_container_dn,
api.env.basedn)):
raise errors.InvocationError(
message=_('user "%s" is already active') % keys[-1])
active_dn = DN(delete_dn[0], self.obj.active_container_dn, api.env.basedn)
# start to move the entry to the Active container
self._exc_wrapper(keys, options, ldap.move_entry)(delete_dn, active_dn, del_old=True)
# add the user we just undelete into the default primary group
config = ldap.get_ipa_config()
def_primary_group = config.get('ipadefaultprimarygroup')
group_dn = self.api.Object['group'].get_dn(def_primary_group)
# if the user is already a member of default primary group,
# do not raise error
# this can happen if automember rule or default group is set
try:
ldap.add_entry_to_group(active_dn, group_dn)
except errors.AlreadyGroupMember:
pass
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
@register()
class user_stage(LDAPMultiQuery):
__doc__ = _('Move deleted user into staged area')
has_output = output.standard_multi_delete
msg_summary = _('Staged user account "%(value)s"')
# when moving from preserved to stage, some attributes may be
# present in the preserved entry but cannot be provided to
# stageuser_add
# For instance: dn and uid are derived from LOGIN argument
# has_keytab, has_password, preserved are virtual attributes
# ipauniqueid, krbcanonicalname, sshpubkeyfp, krbextradata
# are automatically generated
# ipacertmapdata can only be provided with user_add_certmapdata
ignore_attrs = [u'dn', u'uid',
u'has_keytab', u'has_password', u'preserved',
u'ipauniqueid', u'krbcanonicalname',
u'sshpubkeyfp', u'krbextradata',
u'ipacertmapdata',
u'nsaccountlock']
def execute(self, *keys, **options):
def _build_setattr_arg(key, val):
if isinstance(val, bytes):
return u"{}={}".format(key, val.decode('UTF-8'))
else:
return u"{}={}".format(key, val)
staged = []
failed = []
for key in keys[-1]:
single_keys = keys[:-1] + (key,)
multi_keys = keys[:-1] + ((key,),)
user = self.api.Command.user_show(*single_keys, all=True)['result']
new_options = {}
for param in self.api.Command.stageuser_add.options():
try:
value = user[param.name]
except KeyError:
continue
if param.multivalue and not isinstance(value, (list, tuple)):
value = [value]
elif not param.multivalue and isinstance(value, (list, tuple)):
value = value[0]
new_options[param.name] = value
# Some attributes may not be accessible through the Command
# options and need to be added with --setattr
set_attr = []
for userkey in user.keys():
if userkey in new_options or userkey in self.ignore_attrs:
continue
value = user[userkey]
if isinstance(value, (list, tuple)):
for val in value:
set_attr.append(_build_setattr_arg(userkey, val))
else:
set_attr.append(_build_setattr_arg(userkey, val))
if set_attr:
new_options[u'setattr'] = set_attr
try:
self.api.Command.stageuser_add(*single_keys, **new_options)
# special handling for certmapdata
certmapdata = user.get(u'ipacertmapdata')
if certmapdata:
self.api.Command.stageuser_add_certmapdata(
*single_keys,
ipacertmapdata=certmapdata)
try:
self.api.Command.user_del(*multi_keys, preserve=False)
except errors.ExecutionError:
self.api.Command.stageuser_del(*multi_keys)
raise
except errors.ExecutionError:
if not options['continue']:
raise
failed.append(key)
else:
staged.append(key)
return dict(
result=dict(
failed=pkey_to_value(failed, options),
),
value=pkey_to_value(staged, options),
)
@register()
class user_disable(LDAPQuery):
__doc__ = _('Disable a user account.')
has_output = output.standard_value
msg_summary = _('Disabled user account "%(value)s"')
def execute(self, *keys, **options):
ldap = self.obj.backend
check_protected_member(keys[-1])
dn = self.obj.get_either_dn(*keys, **options)
ldap.deactivate_entry(dn)
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
@register()
class user_enable(LDAPQuery):
__doc__ = _('Enable a user account.')
has_output = output.standard_value
has_output_params = LDAPQuery.has_output_params + user_output_params
msg_summary = _('Enabled user account "%(value)s"')
def execute(self, *keys, **options):
ldap = self.obj.backend
dn = self.obj.get_either_dn(*keys, **options)
ldap.activate_entry(dn)
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
@register()
class user_unlock(LDAPQuery):
__doc__ = _("""
Unlock a user account
An account may become locked if the password is entered incorrectly too
many times within a specific time period as controlled by password
policy. A locked account is a temporary condition and may be unlocked by
an administrator.""")
has_output = output.standard_value
msg_summary = _('Unlocked account "%(value)s"')
def execute(self, *keys, **options):
dn = self.obj.get_either_dn(*keys, **options)
entry = self.obj.backend.get_entry(
dn, ['krbLastAdminUnlock', 'krbLoginFailedCount'])
entry['krbLastAdminUnlock'] = [strftime("%Y%m%d%H%M%SZ", gmtime())]
entry['krbLoginFailedCount'] = ['0']
self.obj.backend.update_entry(entry)
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)
@register()
class userstatus(LDAPObject):
parent_object = 'user'
takes_params = (
Bool('preserved?',
label=_('Preserved user'),
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
),
Str('server',
label=_('Server'),
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
),
Str('krbloginfailedcount',
label=_('Failed logins'),
flags={'no_create', 'no_update', 'no_search'},
),
Str('krblastsuccessfulauth',
label=_('Last successful authentication'),
flags={'no_create', 'no_update', 'no_search'},
),
Str('krblastfailedauth',
label=_('Last failed authentication'),
flags={'no_create', 'no_update', 'no_search'},
),
Str('now',
label=_('Time now'),
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
),
)
@register()
class user_status(LDAPQuery):
__doc__ = _("""
Lockout status of a user account
An account may become locked if the password is entered incorrectly too
many times within a specific time period as controlled by password
policy. A locked account is a temporary condition and may be unlocked by
an administrator.
This connects to each IPA master and displays the lockout status on
each one.
To determine whether an account is locked on a given server you need
to compare the number of failed logins and the time of the last failure.
For an account to be locked it must exceed the maxfail failures within
the failinterval duration as specified in the password policy associated
with the user.
The failed login counter is modified only when a user attempts a log in
so it is possible that an account may appear locked but the last failed
login attempt is older than the lockouttime of the password policy. This
means that the user may attempt a login again. """)
obj_name = 'userstatus'
attr_name = 'find'
has_output = output.standard_list_of_entries
def get_args(self):
for arg in super(user_status, self).get_args():
if arg.name == 'useruid':
arg = arg.clone(cli_name='login')
yield arg
def execute(self, *keys, **options):
ldap = self.obj.backend
dn = self.api.Object.user.get_either_dn(*keys, **options)
attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth', 'nsaccountlock']
disabled = False
masters = get_masters(ldap)
entries = []
count = 0
for host in masters:
if host == api.env.host:
other_ldap = self.obj.backend
else:
try:
other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
other_ldap.gssapi_bind()
except Exception as e:
logger.error("user_status: Connecting to %s failed with "
"%s", host, str(e))
newresult = {'dn': dn}
newresult['server'] = _("%(host)s failed: %(error)s") % dict(host=host, error=str(e))
entries.append(newresult)
count += 1
continue
try:
entry = other_ldap.get_entry(dn, attr_list)
newresult = {'dn': dn}
for attr in ['krblastsuccessfulauth', 'krblastfailedauth']:
newresult[attr] = entry.get(attr, [u'N/A'])
newresult['krbloginfailedcount'] = entry.get('krbloginfailedcount', u'0')
if not options.get('raw', False):
for attr in ['krblastsuccessfulauth', 'krblastfailedauth']:
try:
if newresult[attr][0] == u'N/A':
continue
newtime = time.strptime(newresult[attr][0], '%Y%m%d%H%M%SZ')
newresult[attr][0] = unicode(time.strftime('%Y-%m-%dT%H:%M:%SZ', newtime))
except Exception as e:
logger.debug("time conversion failed with %s",
str(e))
newresult['server'] = host
if options.get('raw', False):
time_format = '%Y%m%d%H%M%SZ'
else:
time_format = '%Y-%m-%dT%H:%M:%SZ'
newresult['now'] = unicode(strftime(time_format, gmtime()))
convert_nsaccountlock(entry)
if 'nsaccountlock' in entry:
disabled = entry['nsaccountlock']
self.api.Object.user.get_preserved_attribute(entry, options)
entries.append(newresult)
count += 1
except errors.NotFound:
raise self.api.Object.user.handle_not_found(*keys)
except Exception as e:
logger.error("user_status: Retrieving status for %s failed "
"with %s", dn, str(e))
newresult = {'dn': dn}
newresult['server'] = _("%(host)s failed") % dict(host=host)
entries.append(newresult)
count += 1
if host != api.env.host:
other_ldap.close()
return dict(result=entries,
count=count,
truncated=False,
summary=unicode(_('Account disabled: %(disabled)s' %
dict(disabled=disabled))),
)
@register()
class user_add_cert(baseuser_add_cert):
__doc__ = _('Add one or more certificates to the user entry')
msg_summary = _('Added certificates to user "%(value)s"')
@register()
class user_remove_cert(baseuser_remove_cert):
__doc__ = _('Remove one or more certificates to the user entry')
msg_summary = _('Removed certificates from user "%(value)s"')
@register()
class user_add_certmapdata(baseuser_add_certmapdata):
__doc__ = _("Add one or more certificate mappings to the user entry.")
@register()
class user_remove_certmapdata(baseuser_remove_certmapdata):
__doc__ = _("Remove one or more certificate mappings from the user entry.")
@register()
class user_add_manager(baseuser_add_manager):
__doc__ = _("Add a manager to the user entry")
@register()
class user_remove_manager(baseuser_remove_manager):
__doc__ = _("Remove a manager to the user entry")
@register()
class user_add_principal(baseuser_add_principal):
__doc__ = _('Add new principal alias to the user entry')
msg_summary = _('Added new aliases to user "%(value)s"')
@register()
class user_remove_principal(baseuser_remove_principal):
__doc__ = _('Remove principal alias from the user entry')
msg_summary = _('Removed aliases from user "%(value)s"')