IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
b691850cc9718818893291bb813cc227a8daa3d9
freeipa/ipaserver/install/plugins/update_pwpolicy.py
Rob Crittenden b60d2d975d Add ipwpwdpolicy objectclass to all policies on upgrade 
ipapwdpolicy is the objectclass which defines the libpwquality
attributes. For older sytems it isn't strictly necessary (or
visible) but not having it included will result in policies
not being visible with pwpolicy-find.

https://pagure.io/freeipa/issue/8555

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-11-06 16:29:41 -05:00

81 lines
2.5 KiB
Python
Raw Blame History

#
# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
#
import logging
from ipalib import Registry, errors
from ipalib import Updater
from ipapython.dn import DN
logger = logging.getLogger(__name__)
register = Registry()
@register()
class update_pwpolicy(Updater):
"""
Add new ipapwdpolicy objectclass to all password policies
Otherwise pwpolicy-find will not find them.
"""
def execute(self, **options):
ldap = self.api.Backend.ldap2
base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
self.api.env.basedn)
search_filter = (
"(&(objectClass=krbpwdpolicy)(!(objectclass=ipapwdpolicy)))"
)
while True:
# Run the search in loop to avoid issues when LDAP limits are hit
# during update
try:
(entries, truncated) = ldap.find_entries(
search_filter, ['objectclass'], base_dn, time_limit=0,
size_limit=0)
except errors.EmptyResult:
logger.debug("update_pwpolicy: no policies without "
"objectclass set")
return False, []
except errors.ExecutionError as e:
logger.error("update_pwpolicy: cannot retrieve list "
"of policies missing an objectclass: %s", e)
return False, []
logger.debug("update_pwpolicy: found %d "
"policies to update, truncated: %s",
len(entries), truncated)
error = False
for entry in entries:
entry['objectclass'].append('ipapwdpolicy')
try:
ldap.update_entry(entry)
except (errors.EmptyModlist, errors.NotFound):
pass
except errors.ExecutionError as e:
logger.debug("update_pwpolicy: cannot "
"update policy: %s", e)
error = True
if error:
# Exit loop to avoid infinite cycles
logger.error("update_pwpolicy: error(s) "
"detected during pwpolicy update")
return False, []
elif not truncated:
# All affected entries updated, exit the loop
logger.debug("update_pwpolicy: all policies updated")
return False, []
return False, []
Reference in New Issue View Git Blame Copy Permalink